MITRE specialists published a list of the 25 most dangerous software weaknesses that can lead to vulnerabilities

Representatives of the MITRE organization have prepared an updated list of the 25 most dangerous software problems and shortcomings, which can lead to vulnerabilities and be exploited by attackers to compromise systems.

This time the top 25 was compiled on the basis of MITRE's own data, information from the NVD (National Vulnerability Database), and CVSS scores. Previously, the list was built from surveys and personal interviews with developers, leading security analysts, researchers and vendors.

“These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working,” MITRE specialists write.

Problems from this list have their own identifiers, CWEs (Common Weakness Enumeration), not to be confused with CVEs. CWEs differ from CVEs in that the former are the forerunners of the latter: a weakness of one of these types is what directly results in a vulnerability.

CWEs are divided into more than 600 categories, and this year the list was expanded with CWEs that cover very broad classes of problems, for example CWE-20 (improper input validation), CWE-200 (information exposure) and CWE-287 (improper authentication).


The ranking compiled by MITRE specialists can be seen in the table below. Each problem was scored on how often the CWE serves as the starting point for an actual vulnerability, combined with the severity of its potential exploitation.

Rank  Score  CWE ID   Weakness
   1  75.56  CWE-119  Improper Restriction of Operations within the Bounds of a Memory Buffer
   2  45.69  CWE-79   Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
   3  43.61  CWE-20   Improper Input Validation
   4  32.12  CWE-200  Information Exposure
   5  26.53  CWE-125  Out-of-bounds Read
   6  24.54  CWE-89   Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
   7  17.94  CWE-416  Use After Free
   8  17.35  CWE-190  Integer Overflow or Wraparound
   9  15.54  CWE-352  Cross-Site Request Forgery (CSRF)
  10   14.1  CWE-22   Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  11  11.47  CWE-78   Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  12  11.08  CWE-787  Out-of-bounds Write
  13  10.78  CWE-287  Improper Authentication
  14   9.74  CWE-476  NULL Pointer Dereference
  15   6.33  CWE-732  Incorrect Permission Assignment for Critical Resource
  16    5.5  CWE-434  Unrestricted Upload of File with Dangerous Type
  17   5.48  CWE-611  Improper Restriction of XML External Entity Reference
  18   5.36  CWE-94   Improper Control of Generation of Code (‘Code Injection’)
  19   5.12  CWE-798  Use of Hard-coded Credentials
  20   5.04  CWE-400  Uncontrolled Resource Consumption
  21   5.04  CWE-772  Missing Release of Resource after Effective Lifetime
  22    4.4  CWE-426  Untrusted Search Path
  23    4.3  CWE-502  Deserialization of Untrusted Data
  24   4.23  CWE-269  Improper Privilege Management
  25   4.06  CWE-296  Improper Certificate Validation
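As an added illustration of how a data-driven ranking like this is produced (this is example code written for this page, not the article's or MITRE's own), the following Python script scores CWEs from a constructed sample of NVD-style records using the frequency-times-severity approach described above. The exact normalization used here (min-max scaling of each CWE's vulnerability count and of its average CVSS score, multiplied and scaled to 100) is an assumption of this example modelled on MITRE's published 2019 methodology; the CVE identifiers and CVSS values in the sample are constructed, not real NVD data.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of NVD-style records: (CVE id, mapped CWE, CVSS base score).
# Identifiers and scores are made up for this example; they are not real NVD entries.
SAMPLE_NVD = [
    ("CVE-0000-0001", "CWE-119", 9.8),
    ("CVE-0000-0002", "CWE-119", 7.5),
    ("CVE-0000-0003", "CWE-119", 8.8),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 4.3),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-798", 9.8),
    ("CVE-0000-0010", "CWE-20", 7.5),
    ("CVE-0000-0011", "CWE-20", 5.3),
]


def aggregate(records):
    """Return {cwe: (vulnerability count, mean CVSS)} for every CWE in the records."""
    counts = defaultdict(int)
    cvss_scores = defaultdict(list)
    for _cve, cwe, cvss in records:
        counts[cwe] += 1
        cvss_scores[cwe].append(cvss)
    return {cwe: (counts[cwe], mean(cvss_scores[cwe])) for cwe in counts}


def min_max(values):
    """Scale a {key: number} mapping onto [0, 1]; if all values are equal, map them all to 1.0."""
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {key: 1.0 for key in values}
    return {key: (value - lo) / (hi - lo) for key, value in values.items()}


def rank_cwes(records):
    """Rank CWEs by normalized frequency * normalized severity * 100 (assumed formula).

    Returns [(cwe, score)] from most to least dangerous; ties are broken by CWE id.
    """
    if not records:
        return []
    stats = aggregate(records)
    frequency = min_max({cwe: count for cwe, (count, _avg) in stats.items()})
    severity = min_max({cwe: avg for cwe, (_count, avg) in stats.items()})
    ranked = [(cwe, round(frequency[cwe] * severity[cwe] * 100, 2)) for cwe in stats]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    stats = aggregate(SAMPLE_NVD)
    for position, (cwe, score) in enumerate(rank_cwes(SAMPLE_NVD), start=1):
        count, avg = stats[cwe]
        print(f"[{position}] {cwe:<8} count={count} avg_cvss={avg:.2f} score={score}")
```

Note what min-max normalization does at the extremes: in this sample CWE-79 is the most frequent weakness but also the least severe, so its normalized severity is zero and it scores 0 regardless of its frequency, while CWE-119, which is neither the most frequent nor the most severe, comes out on top because it is strong on both axes. Any ranking that multiplies a frequency term by a severity term behaves this way, which is worth keeping in mind when comparing the positions in the table above.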

Compared to 2011, new problems make up about a third of this year's list. However, most of the threats that were relevant at that time are still dangerous now.

For example, among them are unrestricted upload of files of dangerous types (CWE-434), SQL injection (CWE-89), and OS command injection (CWE-78). Nevertheless, it is worth noting that many long-standing entries have noticeably lost ground: SQL injections have become less common and have fallen from first place to sixth, and the use of hard-coded credentials (CWE-798) dropped from seventh place in 2011 to nineteenth.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
