When Errors Mean Danger: Top 25 Most Dangerous Software Errors
We live in a world in which computing touches virtually every aspect of our lives, both professional and personal. That has brought many good things—and its fair share of anxieties. Financial, social, and personal security are bound up with IT in complex and permanent ways. IT security issues should be of concern to everyone.
MITRE and the CWE
The non-profit MITRE Corporation is funded by the United States' Department of Homeland Security. It is, in its own words, a “mission-driven team [that] is dedicated to solving problems for a safer world.” Emerging from Mitre and its mandate is the Common Weakness Enumeration (CWE) project. The CWE “is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.”
A weakness is thus not exactly the same thing as a vulnerability. Rather, some weaknesses may allow vulnerabilities to find their way into software under the right circumstances. Obviously, being aware of—and, if possible, addressing—weaknesses before they hit the vulnerability stage is a desirable thing.
The CWE rankings draw in part from the MITRE-compiled list of Common Vulnerabilities and Exposures, which is described as a list of “publicly known cybersecurity vulnerabilities.”
Recently, the CWE released a list of the Top 25 Most Dangerous Software Errors for 2019. Examining this list and learning more about each weakness may help you and your business set security priorities for 2020.
- This is the first CWE Top 25 since 2011.
- Several of the highest-ranked errors—about two-thirds of the list, in fact—are not new, but are long-standing problems. This is a reminder that some software security issues do not yield easily to solutions and require constant vigilance.
- If you discover that you are using a software product that contains any of the flaws listed here, you should contact the provider sooner rather than later.
- Improper Restriction of Operations within the Bounds of a Memory Buffer
- Cross-site Scripting, AKA Improper Neutralization of Input During Web Page Generation
- Improper Input Validation
- Information Exposure
- Out-of-bounds Read
- SQL Injection, AKA Improper Neutralization of Special Elements used in an SQL Command
- Use After Free
- Integer Overflow or Wraparound
- Cross-Site Request Forgery (CSRF)
- Path Traversal, AKA Improper Limitation of a Pathname to a Restricted Directory
- OS Command Injection, AKA Improper Neutralization of Special Elements used in an OS Command
- Out-of-bounds Write
- Improper Authentication
- NULL Pointer Dereference
- Incorrect Permission Assignment for Critical Resource
- Unrestricted Upload of File with Dangerous Type
- Improper Restriction of XML External Entity Reference
- Code Injection, AKA Improper Control of Generation of Code
- Use of Hard-coded Credentials
- Uncontrolled Resource Consumption
- Missing Release of Resource after Effective Lifetime
- Untrusted Search Path
- Deserialization of Untrusted Data
- Improper Privilege Management
- Improper Certificate Validation
The following is the CWE's top 25 software errors, from most dangerous to least dangerous. Beneath each item is a brief description. The source list provides more in-depth information on each item.
1. Improper Restriction of Operations within the Bounds of a Memory Buffer
This weakness can, among other things, lead to system crashes or allow an attacker to access sensitive data or execute his own code. It occurs when software can read from or write to a memory location beyond a buffer's boundary.
2. Cross-site Scripting, AKA Improper Neutralization of Input During Web Page Generation
Cross-site scripting problems can crop up in a number of circumstances. In all cases, however, the result is that the software fails to neutralize input that is controlled by the user—or neutralizes it in an incorrect manner—before incorporating it into web pages.
3. Improper Input Validation
In this instance, software incorrectly validates or fails to validate input, leaving it vulnerable to an attack in which unexpected input may be injected into the application. This can affect the program's control flow or data flow.
4. Information Exposure
When this happens, sensitive information is revealed to an unauthorized party. This can make the program in which the exposure has taken place more vulnerable to attack.
5. Out-of-bounds Read
When a buffer's limits are not respected and a program reads data before or beyond the buffer's boundaries, this constitutes an out-of-bounds read. This can lead to a system crash, or can reveal sensitive data to potential attackers.
6. SQL Injection, AKA Improper Neutralization of Special Elements used in an SQL Command
This is one of the more commonly encountered weaknesses on this list, as it often arises with websites that are database-driven. SQL injection occurs when software fails to neutralize parts of an SQL command from an upstream component that could potentially modify the command when it is sent to a downstream component. Because this flaw is so widely known, any database-driven program or website will likely be targeted for attack at some point.
7. Use After Free
Software that reuses freed memory can easily lead to data corruption. Referencing freed memory may, among other things, cause a program to execute code or trigger a crash.
8. Integer Overflow or Wraparound
The software performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
9. Cross-Site Request Forgery (CSRF)
This occurs when a program is unable to verify whether a user actually and deliberately submitted a request, even though the request is valid and consistent.
10. Path Traversal, AKA Improper Limitation of a Pathname to a Restricted Directory
This is another flaw related to failed or improper neutralization of special elements. It occurs when a program uses external input to construct a pathname with the goal of identifying a file or directory underneath a restricted parent directory, but fails to neutralize those elements within the pathname. This can lead to the pathname resolving to a location beyond the restricted directory.
11. OS Command Injection, AKA Improper Neutralization of Special Elements used in an OS Command
This is a virtual mirror of the similarly named SQL injection. Here, the software fails to neutralize parts of an OS command from an upstream component that could potentially modify the command when it is sent to a downstream component.
Several of the highest-ranked errors—about two-thirds of the list, in fact—are not new, but are long-standing problems. This is a reminder that some software security issues do not yield easily to solutions and require constant vigilance.
12. Out-of-bounds Write
Similar to an out-of-bounds read. When a buffer's limits are not respected and a program writes data before or beyond the buffer's boundaries, this constitutes and out-of-bounds write. This can lead to, among other things, corruption of data, and can crash a system.
13. Improper Authentication
The software that cannot prove the authenticity of someone interacting with the system, or cannot prove it sufficiently.
14. NULL Pointer Dereference
A system crash may be precipitated by this weakness. It involves a program dereferencing a NULL pointer that it expected would be valid.
15. Incorrect Permission Assignment for Critical Resource
This flaw can allow unauthorized users or other actors to read or change a resource whose permissions have not been properly defined.
16. Unrestricted Upload of File with Dangerous Type
Some software products allow the upload or transfer of files that may be dangerous, leaving the application vulnerable to attack.
17. Improper Restriction of XML External Entity Reference
This occurs in XML documents with XML entities that contain URIs resolving to other documents beyond the intended sphere of control. As a result, the software embeds faulty documents into its output.
18. Code Injection, AKA Improper Control of Generation of Code
Another injection flaw. Here, the software fails to neutralize parts of a code segment constructed from an upstream component that could potentially modify the segment.
19. Use of Hard-coded Credentials
When passwords or cryptographic keys are used by an application for inbound authentication, outbound communication to external components, or encryption of internal data, this can create a vulnerability.
20. Uncontrolled Resource Consumption
This flaw can leave an application open to external influences that may lead to resource exhaustion. It occurs when the software does not properly control the allocation and maintenance of the (limited) resource, making it possible for an external force to influence the use of the resource.
21. Missing Release of Resource after Effective Lifetime
When software does not release a resource once that resource is no longer needed, it can leave a system vulnerable to a DoS attack. The attack works by allocating resources but not triggering their release.
22. Untrusted Search Path
In this scenario, a search path supplied by an external source may look for resources that are not directly controlled by the software. This could allow an attacker to point the search path to a malicious program, access data files, etc.
23. Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
24. Improper Privilege Management
When privileges are not properly managed, an external user may be able to influence or control the software in an unauthorized fashion. Privileges must be assigned, modified, tracked, and checked properly to avoid this.
25. Improper Certificate Validation
A malicious or invalid certificate can give attackers the opportunity to do things like spoof another, trusted entity. Software must validate certificates fully and correctly in order to avoid this.
If you or your team experience any software errors or unusual activity on your computers, reach out to CITI. We will ensure that your systems are secure and safe from cybersecurity threats.