Thought leadership. Threat analysis. Cybersecurity news and alerts.
2021 Top 25 Most Dangerous Software Weaknesses
Software has weaknesses.
The most dangerous software weaknesses are those that are often easy to find, easy to exploit, and can allow attackers to completely take over a system, prevent an application from working, or steal data.
MITRE recently released the 2021 top 25 most dangerous software weaknesses – a demonstrative list of the most dangerous software weaknesses over the previous two calendar years. To create the 2021 list, MITRE used the Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record.
The Software Weaknesses List
Here are the top 25 most dangerous software weaknesses over the previous two calendar years:
1. Out-of-Bounds Write
Out-of-bounds write, also known as memory corruption, occurs when the software writes data past the end or before the beginning of the intended buffer. This software weakness can result in code execution, corruption of data, or a crash.
2. Improper Neutralization of Input During Web Page Generation
Improper neutralization of input during web page generation, also known as cross-site scripting (XSS), occurs when the software doesn’t neutralize or incorrectly neutralizes user-controllable input before it’s outputted as a web page.
3. Out-of-Bounds Read
Out-of-bounds read occurs when the software reads data past the end or before the beginning of the intended buffer. This software weakness can cause a crash or allow attackers to read sensitive information from other memory locations.
4. Improper Input Validation
Improper input validation occurs when the software receives input or data, but it doesn’t validate or incorrectly validates the input. When a software doesn’t validate input properly, attackers can craft the input in a form that isn’t expected by the rest of the application. This can result in altered control flow, arbitrary code execution, or arbitrary control of a resource.
5. Improper Neutralization of Special Elements used in an OS Command
Improper neutralization of special elements used in an OS command, also known as OS command injection or shell injection, occurs when the software doesn’t neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it’s sent to a downstream component. This can allow attackers to execute dangerous commands directly on the operating system.
6. Improper Neutralization of Special Elements used in an SQL Command
Improper neutralization of special elements used in an SQL command, also known as SQL injection, occurs when the software doesn’t neutralize or incorrectly neutralizes special elements that can modify the intended SQL command when it’s sent to a downstream component. This can allow attackers to alter query logic to bypass security checks, execute system commands, or insert additional statements that modify the back-end database.
7. Use After Free
Use after free occurs when the use of previously-freed memory can cause the software to crash, cause corruption of valid data, or result in the execution of arbitrary code.
8. Improper Limitation of a Pathname to a Restricted Directory
Improper limitation of a pathname to a restricted directory, also known as path traversal, occurs when the software doesn’t properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that’s outside of the restricted directory. This can allow attackers to escape outside of the restricted location to access files or directories that are elsewhere on the system.
9. Cross-Site Request Forgery (CSRF)
Cross-site request forgery occurs when the web application doesn’t or can’t sufficiently verify a valid request provided by the user. This can allow attackers to trick a client into making an unintentional request to the web server which will then be treated as a valid request.
10. Unrestricted Upload of File with Dangerous Type
Unrestricted upload of file with dangerous type occurs when the software allows the uploading or transferring of files of dangerous types which can be automatically processed within the software’s environment.
11. Missing Authentication for Critical Function
Missing authentication for critical function occurs when the software doesn’t perform any authentication for functionality that requires a valid user identity. This can allow attackers to read or modify sensitive data, access administrative or other privileged functionality, or execute arbitrary code.
12. Integer Overflow or Wraparound
An integer overflow or wraparound occurs when the software performs a calculation in which the logic assumes that the resulting value will always be larger than the original value. This can allow attackers to introduce other weaknesses when the calculation is used for execution control or resource management.
13. Deserialization of Untrusted Data
Deserialization of untrusted data occurs when the software deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An assumption that the code in the deserialized object is valid is susceptible to exploitation. Attackers can change unexpected objects or data that was assumed to be safe from modification.
14. Improper Authentication
Improper authentication occurs when the software doesn’t prove or insufficiently proves that the user’s identity is correct.
15. NULL Pointer Dereference
NULL pointer dereference occurs when the software dereferences a pointer that it expects to be valid, but is NULL, causing an exit or crash.
16. Use of Hard-coded Credentials
The use of hard-coded credentials creates a software weakness that allows attackers to bypass the authentication that has been configured by the software administrator.
17. Improper Restriction of Operations within the Bounds of a Memory Buffer
Improper restriction of operations within the bounds of a memory buffer, also known as buffer overflow, occurs when the software performs operations on a memory buffer, but it can write to or read from a memory location that’s outside of the intended boundary of the buffer. This can allow attackers to change the intended control flow, execute arbitrary code, cause the system to crash, or read sensitive information.
18. Missing Authorization
Missing authorization occurs when a software doesn’t perform an authorization check when a user attempts to access a resource. This can allow attackers to read sensitive data, modify sensitive data, or gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.
19. Incorrect Default Permissions
Incorrect default permissions occur when during the installation of the application, installed file permissions are set to allow anyone to modify those files. This can allow attackers to read or modify application data.
20. Exposure of Sensitive Information to an Unauthorized Actor
Exposure of sensitive information to an unauthorized actor, also known as information leak, occurs when the software exposes sensitive information to a user that isn’t explicitly authorized to have access to that information.
21. Insufficiently Protected Credentials
Insufficiently protected credentials occur when the software transmits or stores authentication credentials, but it uses an insecure method. This can allow attackers to gain access to user accounts and access sensitive data.
22. Incorrect Permission Assignment for Critical Resource
Incorrect permission assignment for critical resource occurs when the software specifies permissions for a security-critical resource, allowing the resource to be read or modified by attackers.
23. Improper Restriction of XML External Entity Reference
Improper restriction of XML external entity reference occurs when the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control. Common consequences of this software weakness include attackers being able to access arbitrary files on the system, or can cause consumption of excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random.
24. Server-Side Request Forgery (SSRF)
According to MITRE, in server-side request forgery, the “web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.” A real-world example of server-side request forgery attack allowed attackers to request a URL from another server, including other ports, which allowed proxied scanning.
25. Improper Neutralization of Special Elements used in a Command
Improper neutralization of special elements used in a command occurs when data from an untrusted source enters the application and the data from an untrusted source is executed as a command by the application. This gives attackers privileges or capabilities that they would not otherwise have.
Steve E. Driz, I.S.P., ITCP