MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk?

June 30, 2023 - Ravi Lakshmanan - Vulnerability / Software Security


MITRE has released its annual list of the top 25 "Most Dangerous Software Weaknesses" for 2023.

“These weaknesses lead to serious software vulnerabilities,” said the US Cybersecurity and Infrastructure Security Agency (CISA). “Attackers can often exploit these vulnerabilities to gain control of the affected system, steal data, or disrupt the operation of applications.”

The list is based on an analysis of public vulnerability data from the National Vulnerability Database (NVD), mapping each vulnerability's root cause to a CWE weakness over the past two years. A total of 43,996 CVE entries were examined, and each weakness was scored on its prevalence and severity.

Out-of-bounds write (CWE-787) tops the list, followed by cross-site scripting (CWE-79), SQL injection (CWE-89), use-after-free (CWE-416), OS command injection (CWE-78), improper input validation (CWE-20), out-of-bounds read (CWE-125), path traversal (CWE-22), cross-site request forgery (CSRF, CWE-352), and unrestricted upload of files with a dangerous type (CWE-434). Out-of-bounds write also held the top spot in 2022.
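The top entry, out-of-bounds write, usually comes down to trusting an attacker-supplied length before copying. The following is an added example, not code from MITRE, CISA or the article: it parses a constructed length-prefixed record, once without checks (the CWE-787 defect, which also over-reads the input, CWE-125) and once with the length validated against both the destination capacity and the bytes actually received. The wire format, buffer size and function names are assumptions for illustration only, and the unchecked variant is shown for contrast and never exercised with an oversized length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* capacity of the destination buffer, including the NUL */

/* Assumed wire format (constructed for this example): a 1-byte length field
 * followed by that many name bytes. Nothing here comes from MITRE or CISA. */

/* CWE-787 (Out-of-bounds Write): the attacker-controlled length byte is
 * trusted, so a length of NAME_MAX or more writes past `out`, and a length
 * larger than the bytes actually received also reads past `msg` (CWE-125).
 * Shown for contrast only; never call it on untrusted input. */
size_t parse_name_unsafe(const uint8_t *msg, size_t msg_len, char out[NAME_MAX]) {
    if (msg_len < 1) return 0;
    size_t n = msg[0];
    memcpy(out, msg + 1, n);   /* no check against NAME_MAX or msg_len */
    out[n] = '\0';             /* also out of bounds when n >= NAME_MAX */
    return n;
}

/* Hardened form: validate the length against both the destination capacity
 * and the bytes actually present before touching memory, and report failure
 * instead of silently truncating. Returns the name length, or -1 on a
 * malformed message. */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX]) {
    if (msg_len < 1) return -1;            /* no length byte at all */
    size_t n = msg[0];
    if (n >= NAME_MAX) return -1;          /* would overflow `out` (CWE-787) */
    if (n > msg_len - 1) return -1;        /* would over-read `msg` (CWE-125) */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed inputs exercising the checked parser. Each returns the parser's
 * result so the behaviour can be asserted rather than merely printed. */
int check_valid(void) {
    const uint8_t msg[] = {5, 'a', 'd', 'm', 'i', 'n'};
    char out[NAME_MAX];
    int n = parse_name_checked(msg, sizeof msg, out);
    return (n == 5 && strcmp(out, "admin") == 0) ? 1 : 0;
}

int check_oversized_length(void) {
    const uint8_t msg[] = {200, 'x', 'y'};     /* claims 200 bytes of name */
    char out[NAME_MAX];
    return parse_name_checked(msg, sizeof msg, out);
}

int check_truncated_message(void) {
    const uint8_t msg[] = {5, 'a', 'b'};       /* claims 5 bytes, only 2 present */
    char out[NAME_MAX];
    return parse_name_checked(msg, sizeof msg, out);
}

int check_boundary(void) {
    /* NAME_MAX-1 name bytes leave room for the NUL and are accepted;
     * NAME_MAX name bytes would push the NUL past the buffer and are rejected. */
    uint8_t msg[1 + NAME_MAX] = {0};
    char out[NAME_MAX];
    memset(msg + 1, 'a', NAME_MAX);
    msg[0] = NAME_MAX - 1;
    int accepted = parse_name_checked(msg, sizeof msg, out) == NAME_MAX - 1;
    msg[0] = NAME_MAX;
    int rejected = parse_name_checked(msg, sizeof msg, out) == -1;
    return accepted && rejected;
}

int main(void) {
    printf("valid=%d oversized=%d truncated=%d boundary=%d\n",
           check_valid(), check_oversized_length(),
           check_truncated_message(), check_boundary());
    return 0;
}
```

The two bounds checks are deliberately separate: the first guards the destination (the write), the second guards the source (the read), and a fix that only clamps `n` to `NAME_MAX` would still leave the over-read in place.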


Seventy of the vulnerabilities added to CISA's Known Exploited Vulnerabilities (KEV) catalog in 2021 and 2022 were out-of-bounds write bugs. One category that fell out of the top 25 this year is Improper Restriction of XML External Entity Reference (CWE-611).

According to the Common Weakness Enumeration (CWE) research team, "Trend analysis of vulnerability data like this enables organizations to make better investment and policy decisions in vulnerability management."

In addition to the software list, MITRE also maintains a list of the most important hardware weaknesses, with the goal of "preventing hardware security problems at the root by educating designers and programmers on how to eliminate critical mistakes early in the product development lifecycle."

The disclosure comes as CISA, in collaboration with the U.S. National Security Agency (NSA), published recommendations and best practices to help organizations harden their continuous integration/continuous delivery (CI/CD) environments against malicious cyber actors.

These include using strong cryptographic algorithms when configuring cloud applications, minimizing the use of long-term credentials, adding secure code signing, applying a two-person rule (2PR) to reviews of developer code commits, adopting the principle of least privilege (PoLP), using network segmentation, and regularly auditing accounts, secrets, and systems.


"By implementing the proposed mitigations, organizations can reduce the number of exploitation vectors into their CI/CD environments and create an environment that is challenging for adversaries to penetrate," the agencies said.

The development also follows new findings from Censys that nearly 250 devices running on various U.S. government networks expose remote management interfaces on the open web, many of them running remote protocols such as SSH and TELNET.

"Within 14 days of identifying any of these devices, FCEB agencies must take action to comply with BOD 23-02, including securing the device according to Zero Trust Architecture concepts or removing the device from the public internet," the Censys researchers said.

Publicly accessible remote management interfaces have emerged as one of the most common attack vectors for nation-state hackers and cybercriminals, with the exploitation of Remote Desktop Protocol (RDP) and VPNs becoming the preferred initial access methods over the past year, according to a new report from ReliaQuest.
