You are the weakest link. Hello.
“When you hear the sound of hooves, think horses, not zebras” is something many doctors are taught at medical school. Essentially, it means that, when you’re thinking about a diagnosis, consider the most likely possibility first. But not all diseases are horses, sometimes there’s a zebra in there, making trouble.
What does any of this have to do with weakness in code and vulnerability management?
Well, just like in medicine, there are times when, if you only look at the main symptoms, you’ll miss the disease. And if you focus your priorities and efforts completely on the MITRE Top 25, there’s a good chance you’ll miss the highly weaponized, less known weakness that is highly relevant to your specific systems. Until it finds you.
So what are these weaknesses and why should developers and defenders focus on them?
Understanding is the Key
Common Weakness Enumerations (CWEs) are weaknesses or inherent flaws in software design, implementation or operation that can be exploited by attackers. They’re the foundation for vulnerabilities (CVEs) within software systems, where a vulnerability is a specific instance of a weakness that can be exploited.
Understanding the nature of weaknesses is crucial for developing a proactive cybersecurity approach. Organizations that understand the root causes behind weaponized and exploited vulnerabilities can prioritize efforts to identify, mitigate and remediate weaknesses – before they are leveraged by attackers and become known exploited vulnerabilities. This proactive approach helps minimize the risk of potential exploits, enhancing the overall security posture of software systems.
What kind of insights can we gain from this approach?
Securin’s analysts tracked 311,018 CVEs that, as of April 9, 2024, have CWEs assigned to them. Here’s what we found:
Key Notes:
- Almost a third of cybersecurity vulnerabilities (33.78%) lack identification of related weaknesses.
- The all-time list: 678 weaknesses have at least one vulnerability mapped to them across the all-time list of vulnerabilities.
- 39 of the 678 Weaknesses are now Deprecated/Obsolete, with 14,256 CVEs mapped to them.
Meet the All-Stars: Breadth Analysis
In terms of weakness and vulnerabilities, there are some familiar faces in the Top 25, all of which can be mitigated through more secure coding practices. Despite high-profile attacks costing significant sums in fines and remediation costs, vulnerability to cross-site scripting (XSS) continues to be prevalent in web applications. But it’s not the only issue. Let’s take a look:
- CWE-79 (Cross-site Scripting) tops the list with 30,820 CVEs mapped to it, highlighting the prevalent risk of XSS attacks in web applications.
- CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-89 (SQL Injection) follow closely, indicating the significance of input validation and secure coding practices.
- Three weakness categories, CWE-264: Permissions, Privileges, and Access Controls (5,487 CVEs), CWE-399: Resource Management Errors (2,718 CVEs) and CWE-310: Cryptographic Issues (2,508 CVEs), are present in the Top 25 owing to the historical number of CVEs mapped to them, even though their use for mapping has been prohibited since 2016.
Something Old, Something New: Changes in Frequency Across Decades
When we analyze the frequency of weaknesses across three decades, 2000-2009, 2010-2019 and 2020-present, we observe some interesting trends:
- The Always-in-Attendance Class Topper: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) has topped the charts in all three decades, and its growth is extraordinary, with the number of CVEs rising rapidly: 2000-2009: 5,351 CVEs; 2010-2019: 11,163 CVEs; 2020-present: 14,304 CVEs.
- Other Consistent Performers: CWE-787: Out-of-bounds Write, CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, CWE-20: Improper Input Validation & CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) are the other weaknesses that have consistently been in the Top 10.
- The Has-Beens: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, CWE-264: Permissions, Privileges, and Access Controls, CWE-284: Improper Access Control have been on a diminishing trend.
What Can We Infer?
Despite widespread awareness of the threats, developers are constantly introducing XSS weaknesses (CWE-79) – at an increasing rate and in high volumes over time. To be fair, modern web applications are often complex, with numerous interconnected components and dependencies. Managing security in these environments can be challenging, increasing the likelihood of XSS vulnerabilities slipping through the cracks.
Here’s what else we noticed:
- CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-787 (Out-of-bounds Write), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-125 (Out-of-bounds Read), and CWE-94 (Improper Control of Generation of Code, commonly referred to as Code Injection) are interconnected through their exploitation of memory-related vulnerabilities. They offer increased exploitation potential as specific instances where memory-related vulnerabilities can be exploited to gain unauthorized access to sensitive information, execute arbitrary code, or manipulate program behavior.
- CWE-89, CWE-22 & CWE-20: Despite efforts to raise awareness about common vulnerabilities like SQL injection and path traversal, some developers may still lack a comprehensive understanding of secure coding practices and the potential risks associated with inadequate input validation and directory restrictions.
Depth Analysis: Going Beyond Frequency
Analyzing weaknesses not only by frequency but also from the threat perspective is crucial for understanding their true risk to software systems. Assessing their association with weaponized, APT or ransomware-exploited vulnerabilities offers insight into their potential impact. By examining the likelihood of a weakness being weaponized by threat actors, security professionals can prioritize mitigation efforts effectively, focusing on vulnerabilities posing the greatest threat and strengthening overall cybersecurity posture. Here’s what we observed when we analyzed the top weaknesses by weaponization.
Weaponization Affinity
- High Weaponization Rates: CWE-98 (PHP Remote File Inclusion) has the highest weaponization rate at 72.97%, indicating a significant risk of exploitation. Other weaknesses with relatively high weaponization rates include CWE-89 (SQL Injection) at 38.19% and CWE-22 (Path Traversal) at 32.96%.
- Common Attack Vectors: Vulnerabilities related to improper control of inputs, such as SQL injection (CWE-89) and code injection (CWE-94), continue to be prevalent and highly weaponized (28-38%), underscoring the importance of input validation and secure coding practices.
- Web Application Security: Cross-site scripting (CWE-79) and cross-site request forgery (CWE-352) vulnerabilities remain common in web applications, with moderate weaponization rates. Proper input validation and output encoding are essential for mitigating these risks.
- Privilege and Access Control: CWE-264 (Permissions, Privileges, and Access Controls) & CWE-287 (Improper Authentication) highlight the importance of robust access control mechanisms. Weaknesses in this area can lead to unauthorized access and privilege escalation attacks and have a weaponization rate of roughly 17%.
- Input Validation & Deserialization Vulnerabilities: CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), CWE-434: Unrestricted Upload of File with Dangerous Type, CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer & CWE-502: Deserialization of Untrusted Data have relatively high weaponization rates (18-24%), indicating the associated risk. Proper input validation and secure deserialization practices are essential for mitigating this risk.
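To make the breadth-versus-depth distinction concrete, here is an added example (not Securin’s tooling or dataset) that ranks CWEs by raw CVE count and by weaponization rate over a small constructed set of CVE records; the CWE identifiers are real, the counts are constructed, and a minimum-sample threshold keeps a single weaponized CVE from dominating the rate ranking.

```python
from collections import Counter

# Constructed CVE records (not Securin's dataset): (CWEs assigned, weaponized?).
# An empty CWE tuple models a CVE with no weakness identified.
SAMPLE_CVES = (
    [(("CWE-79",), False)] * 5 + [(("CWE-79",), True)]          # XSS: frequent, rarely weaponized
    + [(("CWE-89",), True)] * 2 + [(("CWE-89",), False)] * 2    # SQLi: half weaponized
    + [(("CWE-98",), True)] * 2                                  # PHP RFI: rare, always weaponized
    + [(("CWE-119",), False), (("CWE-119",), True), (("CWE-119", "CWE-787"), False)]
    + [((), False), ((), True), ((), False)]                     # no CWE assigned
)

def cwe_stats(records):
    """Per-CWE totals, weaponized counts and weaponization rate (a CVE with
    several CWEs counts once toward each of them)."""
    total, weaponized = Counter(), Counter()
    for cwes, is_weaponized in records:
        for cwe in cwes:
            total[cwe] += 1
            if is_weaponized:
                weaponized[cwe] += 1
    return {c: {"total": total[c], "weaponized": weaponized[c],
                "rate": weaponized[c] / total[c]} for c in total}

def unmapped_share(records):
    """Fraction of CVEs with no CWE assigned (the page's 'lack identification' figure)."""
    return sum(1 for cwes, _ in records if not cwes) / len(records)

def rank(stats, key, min_total=1):
    """CWEs ordered by `key` ("total" for breadth, "rate" for depth), skipping
    CWEs with fewer than min_total CVEs so one-off mappings cannot dominate a rate."""
    eligible = [(c, s) for c, s in stats.items() if s["total"] >= min_total]
    return [c for c, _ in sorted(eligible, key=lambda cs: (-cs[1][key], cs[0]))]

def zebras(stats, top_n, min_total=2):
    """Weaknesses in the top_n by weaponization rate that a pure frequency
    top_n list would miss: the 'zebras' of the article's metaphor."""
    by_freq = set(rank(stats, "total")[:top_n])
    return [c for c in rank(stats, "rate", min_total)[:top_n] if c not in by_freq]

if __name__ == "__main__":
    s = cwe_stats(SAMPLE_CVES)
    for c in rank(s, "rate", min_total=2):
        print(f"{c:8} total={s[c]['total']:2} weaponized={s[c]['weaponized']:2} rate={s[c]['rate']:.2f}")
    print("unmapped share:", round(unmapped_share(SAMPLE_CVES), 3))
    print("zebras (top 2):", zebras(s, 2))
```

On this constructed sample CWE-98 ranks only fourth by frequency but first by weaponization rate, which is exactly the kind of weakness a Top-N-by-count list hides.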
Aligning Weaknesses with Exploit Types Through Vulnerability Associations
When we track the exploit types of vulnerabilities against the weaknesses associated with them, here’s what we found:
- Remote Code Execution (RCE):
  - CWE-94 (Code Injection) and CWE-98 (PHP Remote File Inclusion) contribute significantly to RCE vulnerabilities, with high numbers of CVEs mapped to this exploit type.
  - CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) also shows a substantial contribution to RCE vulnerabilities, indicating the critical nature of memory-related weaknesses in enabling code execution.
- Privilege Escalation:
  - CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) emerges as a major contributor to privilege escalation vulnerabilities, with a large number of CVEs mapped to this exploit type.
  - CWE-269 (Improper Privilege Management) and CWE-416 (Use After Free) also show notable contributions to privilege escalation, highlighting the significance of proper privilege management and memory safety practices.
- Denial of Service (DoS):
  - CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-94 (Code Injection) exhibit substantial contributions to DoS vulnerabilities, emphasizing the impact of memory-related and code execution weaknesses on system availability.
  - CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-120 (Buffer Copy without Checking Size of Input) also contribute significantly to DoS vulnerabilities, indicating the importance of proper input validation and boundary checks.
- Web Application Vulnerabilities:
  - CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-79 (Cross-site Scripting) stand out as major contributors to web application vulnerabilities, with a large number of CVEs mapped to this exploit category.
  - CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-20 (Improper Input Validation) also show significant contributions to web application vulnerabilities, emphasizing the importance of secure file handling and input validation practices.
The Weaknesses Fueling Threat Actor and Ransomware Eruptions
Our research reveals that 109 weaknesses are linked to vulnerabilities known to be exploited by ransomware and threat actor groups.
- Exploitation Potential: Weaknesses like CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-20 (Improper Input Validation) provide significant opportunities for exploitation by threat actors. Memory-related vulnerabilities and insufficient input validation can lead to various attack vectors, making them attractive targets for ransomware and threat actors seeking to compromise systems.
- Critical System Components: Weaknesses such as CWE-94 (Code Injection) and CWE-22 (Path Traversal) affect critical system components and functionalities. Exploiting these weaknesses can enable threat actors to execute arbitrary code or access sensitive data, making them valuable targets for ransomware attacks and other malicious activities.
- Persistence and Impact: CWE-416 (Use After Free) and CWE-787 (Out-of-bounds Write) vulnerabilities can lead to persistent and impactful exploits. These weaknesses allow threat actors to maintain control over compromised systems or cause system crashes, amplifying their appeal for ransomware attacks and exploitation by threat actors.
- Privilege Escalation: CWE-269 (Improper Privilege Management) and CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities enable privilege escalation and unauthorized access to system resources. Threat actors leverage these weaknesses to gain elevated privileges and expand their control over compromised systems, enhancing their ability to execute ransomware attacks and carry out other malicious activities.
- Common Attack Vectors: Weaknesses like CWE-502 (Deserialization of Untrusted Data) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command) represent common attack vectors exploited by ransomware and threat actors. These weaknesses allow for remote code execution and command injection, facilitating unauthorized access and control over targeted systems.
MITRE Top 25 Trends
Key Actions for Developers/DevSecOps Practitioners
As the developer’s role evolves into one where security is part of life, the ability to really understand the nature of weaknesses in code is crucial for proactive mitigation. The MITRE Top 25 on its own is no longer enough, especially when you’re looking for zebras. The more we dig into the data, the more we can see that frequency isn’t always the best indicator of threat – there are many weaknesses outside the Top 25 that are weaponized and being exploited. If you’re only looking at 25 symptoms, you’re not going to identify all of the diseases at the early warning stage.
What can devs do?
- Input Validation and Sanitization: Prioritize robust input validation and sanitization techniques across all components of the software to prevent vulnerabilities such as Cross-site Scripting (CWE-79), SQL Injection (CWE-89), and Command Injection (CWE-77). Implement strict validation checks for user inputs and ensure proper encoding and escaping of special characters to prevent injection attacks.
- Memory Safety Practices: Implement strong memory safety practices to mitigate vulnerabilities related to buffer overflows, such as Classic Buffer Overflow (CWE-120) and Out-of-bounds Write (CWE-787). Utilize secure coding techniques, such as bounds checking and safe string manipulation functions, to prevent buffer overflow vulnerabilities.
- Privilege Management: Strengthen privilege management mechanisms to prevent Privilege Escalation vulnerabilities like Improper Restriction of Operations (CWE-119) and Improper Privilege Management (CWE-269). Follow the principle of least privilege, ensuring that each system component or user has only the access rights necessary for its legitimate purpose. Implement proper authentication and authorization mechanisms to control user access and prevent unauthorized privilege escalation.
- Secure File Handling: Implement secure file handling practices to mitigate vulnerabilities like Path Traversal (CWE-22) and Unrestricted Upload of File with Dangerous Type (CWE-434). Validate file paths and user-supplied filenames rigorously to prevent directory traversal attacks. Implement file type verification and validation to restrict uploads to safe file types and prevent malicious file execution.
- Secure Configuration: Ensure secure configuration of software components to prevent vulnerabilities such as PHP Remote File Inclusion (CWE-98) and Improper Access Control (CWE-284). Disable unnecessary features and services, apply the principle of least functionality, and follow secure coding guidelines for configuration management to minimize the attack surface and prevent unauthorized access.
- Security Education and Training: Provide comprehensive security education and training to developers and stakeholders involved in the software development lifecycle. Raise awareness about common security vulnerabilities and best practices for secure coding, testing, and deployment. Foster a security-aware culture within the organization to ensure that security considerations are integrated into every phase of the development process.
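The secure file handling item above (Path Traversal, CWE-22, and Unrestricted Upload of File with Dangerous Type, CWE-434) is the one most easily shown in code. The following is an added example, not code from Securin or from the article; the upload directory, the allowed types and their leading bytes are assumptions for illustration.

```python
import os
from pathlib import PurePosixPath

UPLOAD_ROOT = "/srv/app/uploads"   # assumed upload directory (placeholder)

# Allowed upload types: extension -> bytes the file content must start with.
# Checking the content rather than trusting the client-supplied name blocks
# CWE-434-style uploads such as a PHP script renamed to "avatar.png".
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

def safe_join(root, user_supplied):
    """Resolve a user-supplied filename inside root, rejecting traversal (CWE-22)."""
    # Reject separators and NUL outright instead of silently normalising them:
    # a single bare filename is all an upload endpoint ever needs.
    if any(ch in user_supplied for ch in ("/", "\\", "\x00")):
        raise ValueError("filename must not contain path separators or NUL")
    name = PurePosixPath(user_supplied).name
    if name in ("", ".", ".."):
        raise ValueError("invalid filename")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    # Defence in depth: confirm the resolved path still lies under root.
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("path escapes upload root")
    return target

def check_upload(filename, content):
    """Return the on-disk path if both the name and the content are acceptable."""
    target = safe_join(UPLOAD_ROOT, filename)
    ext = os.path.splitext(target)[1].lower()
    if ext not in MAGIC:
        raise ValueError(f"extension {ext!r} is not allowed")
    if not content.startswith(MAGIC[ext]):
        raise ValueError("content does not match the declared type")
    return target

def is_acceptable(filename, content):
    """Boolean wrapper around check_upload for callers that only need a verdict."""
    try:
        check_upload(filename, content)
        return True
    except ValueError:
        return False
```

The sample bytes in the tests are constructed; a production check would also cap the content length and verify more than the leading bytes for formats that need it.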
The Future of Code is Secure by Design
When we look at AI regulations and the new NIST 2.0 framework, what we’re seeing is an emphasis on proactive security. At Securin, that’s baked into everything we do with our customers. From attack surface validation to attack surface prioritization and beyond, we’re enabling a security by design approach, where weaknesses are identified and mitigated before they can become vulnerabilities. And if they’re already vulnerabilities, we mitigate them before they’re exploited.