Cybercriminals will look for any way into your networks, including phishing, brute force, supply chain attacks and software vulnerabilities, with the latter being especially dangerous since they’re built into software that we’re supposed to trust.
They can be easy to find and exploit, allowing bad actors to take over an entire system, exfiltrate data and lead to downtime for critical business applications that you rely upon.
That’s why MITRE recently released its list of the top 25 most dangerous software weaknesses for 2021 to help IT admins, security researchers and other tech professionals prevent and mitigate these attacks and prioritize patching efforts.
Here’s a look at the top five on MITRE’s list.
According to MITRE, an out-of-bounds write occurs when software writes data past the end or before the beginning of the intended buffer. This can result in corruption of data, a crash – or even worse – a code execution.
As such, this is ranked as the most dangerous software vulnerability on MITRE’s list, with an average CVSS score of 8.22
“The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer,” MITRE says. “A subsequent write operation then produces undefined or unexpected results.”
A cross-site scripting vulnerability is when software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users, according to MITRE.
When a victim visits the generated web page through a web browser containing malicious script that was injected using the untrusted data, the web browser executes the malicious script in the context of the web server’s domain.
According to MITRE, this violates the intention of the web browser’s same-origin policy that seeks to prevent script in one domain from accessing resources or running code in a different domain.
Once malicious script is injected, an attacker can transfer private information, send malicious requests to a web site on behalf of the victim, conduct phishing attacks that emulate trusted websites or exploit vulnerabilities in the web browser itself and possibly take over the victim’s computer.
Like an out-of-bounds write, an out-of-bounds read deals with poorly written code, this time when software reads data past the end or beginning of the intended buffer.
This kind of vulnerability gives attackers the ability to read sensitive information from other memory locations or cause a crash when the cod reads a variable amount of data and assumes a sentinel exists to stop the read operation, such as a NUL in a string.
However, the expected sentinel might not be in the out-of-bounds memory, causing excessive data to b read. The software might modify and index or perform pointer arithmetic that references a memory location outside of the buffer, leading to undefined or unexpected results.
Attackers can exploit these vulnerabilities to steal memory addresses to bypass protection mechanisms like ASLR. This can open the door to exploitation of other weaknesses and ultimately lead to code execution.
Improper Input Validation
An improper input validation is when a product receives input or data but does not validate or incorrectly validates that the input has the required properties to process data safely and securely, MITRE says.
When software doesn’t validate input correctly, an attacker can craft the input in a form that is not expected by the rest of the application, leading to parts of the system receiving unintended input. That can result in altered control flow, arbitrary control of a resource or arbitrary code execution.
Exploiting an improper input validation vulnerability could also cause a program to crash or use an excessive amount of resources, allow an attacker to read confidential information, MITRE says.
OS Command Injection
According to MITRE, an OS command injection vulnerability occurs when the software constructs all or part of an OS command using externally influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
This could allow an attacker to execute commands directly into the operating system and can lead to a vulnerability in environments in which the attack does not have direct access to the operating system, such as web applications, MITRE says.
If the weakness occurs in a privileged program, an attacker could specify commands that aren’t normally accessible or call alternate commands with privileges that the attacker doesn’t have.
MITRE says this vulnerability is even worse if the compromised process doesn’t follow the principle of lease privilege because the attacker’s commands may run with special system privileges, giving the hacker more access.
Other notable vulnerabilities
No. 6 on the list was an SQL injection, which occurs when software constructs all or part of an SQL command using externally influenced input from an upstream component without neutralizing special elements that could modify the intended SQL command when sent to a downstream component.
According to MITRE’s list, other vulnerabilities are becoming more common, including missing authentication for critical function, which occurs when software doesn’t perform any authentication for functionality that requires approvable user identity or consumes a significant amount of resources.
Essentially, missing this when designing a program provides an attacker with the privilege level of that functionality. Damage depends on the function of the program, but it could lead to access to sensitive data, access to administrative functionality or even arbitrary code execution.
Jumping 22 spots is incorrect default permissions, which occurs when installed file permissions are set to allow anyone to modify files.