The Mitre Corporation released its annual list of the most dangerous software flaws for 2023, and there’s been no change at the top spot.
The American not-for-profit organization has been analyzing public vulnerability data found in the National Vulnerability Database (NVD) for root cause mappings to CVE weaknesses for the past two years. During that time, the organization analyzed almost 44,000 CVEs.
As per the analysis, out-of-bounds write flaw is the most dangerous software vulnerability for the year (as was for the year 2022). This is a type of software flaw that sees a program write outside the bounds of an allocated area of memory. As a result, the endpoint might crash, or execute arbitrary code. Threat actors usually abuse this flaw by writing data that’s larger in size than the size of the allocated memory area, or by writing the data to an incorrect location within the memory area.
The prevention of out-of-bounds write flaws usually includes careful validation of all inputs, to make sure they’re within the expected range.
Other major software vulnerabilities include cross-site scripting (XSS), SQL injection, use after free, OS command injection, improper input validation, out of bounds read, path traversal, cross-site request forgery (CSRF), and unrestricted upload of file with dangerous type. The biggest change, compared to last year, is the exclusion of improper restriction of XML external entity reference, which is no longer considered among the top 25 most dangerous flaws.
Analysis: Why does it matter?
Software flaws such as these ones can be leveraged by threat actors for all kinds of cyberattacks. They can be used to steal sensitive data, take over vulnerable endpoints, engage in identity theft, wire fraud, and more. For example, cybersecurity researchers Francisco Falcon and Ivan Arce discovered out-of-bounds read (CVE-2023-1017) and out-of-bounds write (CVE-2023-1018) vulnerabilities in TPM 2.0, in early March 2023. Back then, it was said that the vulnerabilities could mean major trouble for “billions” of vulnerable devices.
“An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these vulnerabilities,” CERT warned about the flaws at the time. “This allows either read-only access to sensitive data or overwriting of normally protected data that is only available to the TPM (e.g., cryptographic keys).”
A month later, in early April, Apple reportedly fixed an IOSurface out-of-bounds write vulnerability that allowed threat actors to corrupt data, crash apps, and devices, and remotely execute code. Worst case scenario – a threat actor could push a malicious app allowing them to execute arbitrary code with kernel privileges on the target endpoint. This app was used in the wild, Apple confirmed.
Popular instant messaging platform Telegram also wasn’t immune to out-of-bounds write flaws, as back in 2021, a security researcher discovered one such zero-day in a batch of 13 vulnerabilities.
Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. National Security Agency (NSA) pushed a set of tips and best practices organizations can use to secure their Continuous Integration/Continuous Delivery (CI/CD) environments, The Hacker News also reported. As per the recommendations, businesses should implement strong cryptographic algorithms in their cloud app configurations, minimize the use of long-term credentials, and go for secure code signing. Furthermore, CISA states, businesses should utilize two-person rules when reviewing developer code commits, and adopt the principle of least privilege.
“By implementing the proposed mitigations, organizations can reduce the number of exploitation vectors into their CI/CD environments and create a challenging environment for the adversary to penetrate,” the two organizations stressed.
What have others said about it?
“MITRE’s 2023 top 25 weaknesses are dangerous due to their significant impact and widespread occurrence in software released over the past two years,” says BleepingComputer in its writeup. “By sharing this list, MITRE provides the broader community with valuable information regarding the most critical software security weaknesses that require immediate attention.”
The Register, on the other hand, was traditionally more cynical in its report, stating “Cough, cough, use Rust.”
“The most dangerous type of software bug is the out-of-bounds write, according to MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the US government’s list of known vulnerabilities that are under active attack and need to be patched,” it added, also stating that the fact that the same vulnerability is in the top spot for two years in a row signals a “distinct lack of improvement.”
Users on social media were somewhat less vocal, with the news flying under the radar on Reddit, while on Twitter one user stated: “First rule of programming…Don’t build your software on frameworks e.g. DotNet, Java, React, Node, JQuery or any other… Second rule of programming…Always use the native operating system’s API e.g. WIN32!”
Go deeper
If you want to learn more about staying safe online, start by reading our guide on the best antivirus programs, and our guide on the best firewalls right now. You should also check out what is 2FA, as well as our guide on the best ID theft protection solutions at the moment.
Via: The Hacker News