MITRE this year shared a list of the top 25 most common and dangerous software weaknesses of the past two years.
Software weaknesses are flaws, bugs, vulnerabilities, and other kinds of errors in the code, architecture, implementation, or design of a software solution that can expose the systems it runs on to attack.
MITRE built the Top 25 list from 2019 and 2020 Common Vulnerabilities and Exposures (CVE) data obtained from the National Vulnerability Database (NVD), roughly 27,000 CVEs in total.
"A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency with which a CWE is the root cause of a vulnerability with the projected severity of its exploitation," MITRE explained.
“This approach provides an objective look at vulnerabilities currently seen in the real world, creates a basis of analytical rigor based on publicly reported vulnerabilities instead of surveys and subjective opinions, and makes the process easily replicable.”
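To make the scoring concrete, here is an added Python example (not MITRE's code) that re-creates the ranking on a small constructed set of CVE records. The min-max normalisation of frequency and average CVSS it uses is taken from MITRE's published CWE Top 25 methodology, not from this article, and the CVE records are invented for illustration.

```python
"""Re-create the CWE Top 25 scoring on a constructed toy dataset."""
from collections import defaultdict

# Constructed sample: (CVE id, root-cause CWE, CVSS base score). Not real NVD data.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 7.5),
    ("CVE-0000-0003", "CWE-787", 8.8),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 4.3),
    ("CVE-0000-0008", "CWE-306", 9.8),
    ("CVE-0000-0009", "CWE-200", 5.3),
]


def score_cwes(cves):
    """Return {cwe: score} using MITRE's published formula:
    Fr(X) = (count(X) - min(count)) / (max(count) - min(count))
    Sv(X) = (avg_cvss(X) - min(avg_cvss)) / (max(avg_cvss) - min(avg_cvss))
    score = Fr * Sv * 100, rounded to two decimals as in the published table."""
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    for _cve_id, cwe, cvss in cves:
        counts[cwe] += 1
        cvss_sum[cwe] += cvss
    avg = {cwe: cvss_sum[cwe] / counts[cwe] for cwe in counts}
    fmin, fmax = min(counts.values()), max(counts.values())
    smin, smax = min(avg.values()), max(avg.values())

    def norm(x, lo, hi):
        # Guard against a degenerate dataset where every CWE has the same value.
        return 0.0 if hi == lo else (x - lo) / (hi - lo)

    return {cwe: round(norm(counts[cwe], fmin, fmax) * norm(avg[cwe], smin, smax) * 100, 2)
            for cwe in counts}


def ranked(cves):
    """Ranked list of (cwe, score), highest score first, CWE id as tie-breaker."""
    return sorted(score_cwes(cves).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for rank, (cwe, score) in enumerate(ranked(SAMPLE_CVES), 1):
        print(f"{rank:>2}  {cwe:<8} {score:6.2f}")
```

Note how the normalisation behaves at the edges: CWE-306 carries the highest average CVSS in the sample but, as the least frequent CWE, gets a frequency term of zero and therefore a score of zero, which is why the published ranking is dominated by weaknesses that are both common and severe.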
MITRE's 2021 Top 25 weaknesses are dangerous because they are generally easy to discover, have a high impact, and are prevalent in software released over the past two years.
Attackers can also exploit them to take full control of vulnerable systems, steal sensitive data from targets, or trigger a denial of service (DoS) after successful exploitation.
The list below gives the community at large an overview of the most critical and current weaknesses in software security.
| ID | Name | Score |
|---|---|---|
| CWE-787 | Out-of-bounds Write | 65.93 |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.84 |
| CWE-125 | Out-of-bounds Read | 24.9 |
| CWE-20 | Improper Input Validation | 20.47 |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 19.55 |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 19.54 |
| CWE-416 | Use After Free | 16.83 |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.69 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 14.46 |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 8.45 |
| CWE-306 | Missing Authentication for Critical Function | 7.93 |
| CWE-190 | Integer Overflow or Wraparound | 7.12 |
| CWE-502 | Deserialization of Untrusted Data | 6.71 |
| CWE-476 | NULL Pointer Dereference | 6.54 |
| CWE-798 | Use of Hard-coded Credentials | 6.27 |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 5.84 |
| CWE-276 | Incorrect Default Permissions | 5.09 |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 4.74 |
| CWE-522 | Insufficiently Protected Credentials | 4.21 |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 4.2 |
| CWE-611 | Improper Restriction of XML External Entity Reference | 4.02 |
| CWE-918 | Server-Side Request Forgery (SSRF) | 3.78 |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 3.58 |
Top 10 most exploited vulnerabilities
Last year, on May 12, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) also published a list of the 10 most exploited security vulnerabilities between 2016 and 2019.
"Of the top 10, the three most common vulnerabilities used by state-sponsored cyber actors from China, Iran, North Korea and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158," CISA said. "These three vulnerabilities are related to Microsoft's OLE technology."
Chinese hackers have frequently exploited CVE-2012-0158 since December 2018, showing that their targets have failed to apply security updates quickly and that malicious actors will keep trying to abuse bugs for as long as they remain unpatched.
Attackers have also focused on exploiting security holes caused by hasty deployments of cloud collaboration services like Office 365.
Unpatched Pulse Secure VPN (CVE-2019-11510) and Citrix VPN (CVE-2019-19781) vulnerabilities were also a favorite target last year, following the shift to remote work caused by the ongoing COVID-19 pandemic.
CISA recommends abandoning end-of-life software as soon as possible, as it is the easiest and fastest way to mitigate old, unpatched security bugs.
The full list of the 10 most exploited security vulnerabilities since 2016 can be found below, with direct links to their NVD entries.
| CVE | Associated malware |
|---|---|
| CVE-2017-11882 | Loki, FormBook, Pony/FAREIT |
| CVE-2017-0199 | FINSPY, LATENTBOT, Dridex |
| CVE-2017-0143 | Multiple, using the EternalSynergy and EternalBlue exploit kit |
| CVE-2017-8759 | FINSPY, FinFisher, WingBird |