MITRE updates list of top 25 most dangerous software bugs

MITRE has shared this year's top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years.

Software weaknesses are flaws, bugs, vulnerabilities, and various other types of errors impacting a software solution's code, architecture, implementation, or design, potentially exposing systems it's running on to attacks.

MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD) (roughly 27,000 CVEs).

"A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation," MITRE explained.

"This approach provides an objective look at what vulnerabilities are currently seen in the real world, creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions, and makes the process easily repeatable."

MITRE's 2021 top 25 bugs are dangerous because they are usually easy to discover, have a high impact, and are prevalent in software released during the last two years

They can also be abused by attackers to potentially take complete control of vulnerable systems, steal targets' sensitive data, or trigger a denial-of-service (DoS) following successful exploitation.

The list below provides insight to the community at large into the most critical and current software security weaknesses.

Rank ID Name Score
[1] CWE-787 Out-of-bounds Write 65.93
[2] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 46.84
[3] CWE-125 Out-of-bounds Read 24.9
[4] CWE-20 Improper Input Validation 20.47
[5] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 19.55
[6] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 19.54
[7] CWE-416 Use After Free 16.83
[8] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 14.69
[9] CWE-352 Cross-Site Request Forgery (CSRF) 14.46
[10] CWE-434 Unrestricted Upload of File with Dangerous Type 8.45
[11] CWE-306 Missing Authentication for Critical Function 7.93
[12] CWE-190 Integer Overflow or Wraparound 7.12
[13] CWE-502 Deserialization of Untrusted Data 6.71
[14] CWE-287 Improper Authentication 6.58
[15] CWE-476 NULL Pointer Dereference 6.54
[16] CWE-798 Use of Hard-coded Credentials 6.27
[17] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 5.84
[18] CWE-862 Missing Authorization 5.47
[19] CWE-276 Incorrect Default Permissions 5.09
[20] CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 4.74
[21] CWE-522 Insufficiently Protected Credentials 4.21
[22] CWE-732 Incorrect Permission Assignment for Critical Resource 4.2
[23] CWE-611 Improper Restriction of XML External Entity Reference 4.02
[24] CWE-918 Server-Side Request Forgery (SSRF) 3.78
[25] CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') 3.58

Top 10 most exploited vulnerabilities

Last year, on May 12, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) had also published a list of the top 10 most exploited security vulnerabilities between 2016 and 2019.

"Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158," CISA said. "All three of these vulnerabilities are related to Microsoft's OLE technology."

Chinese hackers have frequently exploited CVE-2012-0158 starting with December 2018, showing that their targets have failed to apply security updates promptly and that threat actors will keep trying to abuse bugs as long as they're not patched.

Attackers have also been focusing on exploiting security gaps caused by hasty deployments of cloud collaboration services like Office 365.

Unpatched Pulse Secure VPN vulnerabilities (CVE-2019-11510) and Citrix VPN (CVE-2019-19781) have also been a favorite target last year, after the move to remote working caused by the ongoing COVID-19 pandemic.

CISA recommends transitioning away from end-of-life software as soon as possible as the easiest and quickest way to mitigate old unpatched security bugs.

The complete list of the top 10 most exploited security flaws since 2016 is available below, with direct links to their NVD entries.

CVE Associated Malware
CVE-2017-11882 Loki, FormBook, Pony/FAREIT
CVE-2017-0199 FINSPY, LATENTBOT, Dridex
CVE-2017-5638 JexBoss
CVE-2012-0158 Dridex
CVE-2019-0604 China Chopper
CVE-2017-0143 Multiple using the EternalSynergy and EternalBlue Exploit Kit
CVE-2018-4878 DOGCALL
CVE-2017-8759 FINSPY, FinFisher, WingBird
CVE-2015-1641 Toshliph, Uwarrior
CVE-2018-7600 Kitty

Related Articles:

CISA urges software devs to weed out SQL injection vulnerabilities

GitHub’s new AI-powered tool auto-fixes vulnerabilities in your code

Ivanti fixes critical Standalone Sentry bug reported by NATO

Here's why Twitter sends you to a different site than what you clicked

US Defense Dept received 50,000 vulnerability reports since 2016