MITRE has released its annual list of the Top 25 “most dangerous software weaknesses” for the year 2023.
“These weaknesses lead to serious vulnerabilities in software,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.”
The list is based on an analysis of public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two years. A total of 43,996 CVE entries were examined and a score was attached to each of them based on prevalence and severity.
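To make the "prevalence and severity" scoring concrete, here is an added example (not code from the article, MITRE or CISA) that ranks CWEs from CVE-to-CWE root-cause mappings. The formula follows MITRE's published Top 25 methodology as I understand it: each CWE's frequency (its share of all CVEs) and its average CVSS score are min-max normalized across all CWEs, and the score is their product times 100. The CVE identifiers and scores below are constructed sample data, not NVD entries, and the handling of the no-spread case is a choice made here.

```c
/*
 * Added example, not code from the article or from MITRE: a CWE Top 25
 * style score computed from CVE-to-CWE root-cause mappings. Frequency and
 * average severity are each min-max normalized across all CWEs and the
 * score is frequency * severity * 100 (MITRE's published approach as I
 * understand it). All CVE records are constructed sample data.
 */
#include <stdio.h>
#include <string.h>

#define MAX_CWES 16

struct cve_record {
    const char *cve_id;  /* constructed placeholder, not a real CVE */
    const char *cwe_id;  /* root-cause CWE mapped to the CVE */
    double cvss;         /* CVSS base score, 0.0 to 10.0 */
};

struct cwe_score {
    const char *cwe_id;
    int count;           /* CVEs mapped to this CWE */
    double cvss_sum;     /* sum of their CVSS scores */
    double score;        /* final Top 25 style score */
};

/* Constructed sample: 12 CVEs spread over five CWEs. */
static const struct cve_record SAMPLE_CVES[] = {
    { "CVE-0000-0001", "CWE-787", 9.8 }, { "CVE-0000-0002", "CWE-787", 9.8 },
    { "CVE-0000-0003", "CWE-787", 8.8 }, { "CVE-0000-0004", "CWE-787", 8.8 },
    { "CVE-0000-0005", "CWE-787", 7.8 },
    { "CVE-0000-0006", "CWE-79",  6.1 }, { "CVE-0000-0007", "CWE-79",  5.4 },
    { "CVE-0000-0008", "CWE-79",  6.5 },
    { "CVE-0000-0009", "CWE-89",  9.8 }, { "CVE-0000-0010", "CWE-89",  6.2 },
    { "CVE-0000-0011", "CWE-416", 7.5 },
    { "CVE-0000-0012", "CWE-20",  5.0 },
};
#define SAMPLE_COUNT ((int)(sizeof SAMPLE_CVES / sizeof SAMPLE_CVES[0]))

/* Min-max normalization. When every CWE has the same value there is no
 * spread to normalize, so 1.0 is returned (a choice made here). */
static double normalize(double x, double min, double max)
{
    return (max > min) ? (x - min) / (max - min) : 1.0;
}

/* Tolerance comparison for the floating-point results. */
static int approx(double a, double b)
{
    double d = a - b;
    return d < 1e-9 && d > -1e-9;
}

/* Group CVEs by CWE and compute each CWE's score. Returns the number of
 * distinct CWEs written to rows, or -1 if more than max_rows are present. */
int score_cwes(const struct cve_record *cves, int ncves,
               struct cwe_score *rows, int max_rows)
{
    int n = 0;
    for (int i = 0; i < ncves; i++) {
        int r;
        for (r = 0; r < n; r++)
            if (strcmp(rows[r].cwe_id, cves[i].cwe_id) == 0) break;
        if (r == n) {                       /* first time this CWE is seen */
            if (n == max_rows) return -1;
            rows[n].cwe_id = cves[i].cwe_id;
            rows[n].count = 0; rows[n].cvss_sum = 0.0; rows[n].score = 0.0;
            n++;
        }
        rows[r].count++;
        rows[r].cvss_sum += cves[i].cvss;
    }
    if (n == 0) return 0;

    /* Pass 1: range of frequency and of average severity across CWEs. */
    double fr_min = 1.0, fr_max = 0.0, sv_min = 10.0, sv_max = 0.0;
    for (int r = 0; r < n; r++) {
        double fr = (double)rows[r].count / ncves;
        double sv = rows[r].cvss_sum / rows[r].count;
        if (fr < fr_min) fr_min = fr;
        if (fr > fr_max) fr_max = fr;
        if (sv < sv_min) sv_min = sv;
        if (sv > sv_max) sv_max = sv;
    }
    /* Pass 2: normalized frequency times normalized severity, times 100. */
    for (int r = 0; r < n; r++) {
        double fr = normalize((double)rows[r].count / ncves, fr_min, fr_max);
        double sv = normalize(rows[r].cvss_sum / rows[r].count, sv_min, sv_max);
        rows[r].score = fr * sv * 100.0;
    }
    return n;
}

/* Score of one CWE over the constructed sample; -1.0 if it is absent. */
double sample_score(const char *cwe_id)
{
    struct cwe_score rows[MAX_CWES];
    int n = score_cwes(SAMPLE_CVES, SAMPLE_COUNT, rows, MAX_CWES);
    for (int r = 0; r < n; r++)
        if (strcmp(rows[r].cwe_id, cwe_id) == 0) return rows[r].score;
    return -1.0;
}

/* Number of distinct CWEs in the constructed sample. */
int sample_cwe_count(void)
{
    struct cwe_score rows[MAX_CWES];
    return score_cwes(SAMPLE_CVES, SAMPLE_COUNT, rows, MAX_CWES);
}

int main(void)
{
    struct cwe_score rows[MAX_CWES];
    int n = score_cwes(SAMPLE_CVES, SAMPLE_COUNT, rows, MAX_CWES);
    for (int r = 0; r < n; r++)
        printf("%-8s count=%d avg_cvss=%.2f score=%.2f\n", rows[r].cwe_id,
               rows[r].count, rows[r].cvss_sum / rows[r].count, rows[r].score);
    return 0;
}
```

Two properties of the formula stand out in the sample output: the least frequent CWE and the least severe CWE each score 0 regardless of their other dimension, and a CWE with fewer but more severe CVEs (CWE-89 here) can outrank a more common but lower-severity one (CWE-79). Whether that happens in the real list depends on the NVD data; the sample is constructed only to show the mechanics.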
Coming out top is Out-of-bounds Write, followed by Cross-site Scripting, SQL Injection, Use After Free, OS Command Injection, Improper Input Validation, Out-of-bounds Read, Path Traversal, Cross-Site Request Forgery (CSRF), and Unrestricted Upload of File with Dangerous Type. Out-of-bounds Write also took the top spot in 2022.
70 vulnerabilities added to the Known Exploited Vulnerabilities (KEV) catalog in 2021 and 2022 were Out-of-bounds Write bugs. One weakness category that fell off the Top 25 is Improper Restriction of XML External Entity Reference.
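Since Out-of-bounds Write (CWE-787) tops the list for the second year, here is an added example (not code from the article or from MITRE) of the pattern beside a hardened version. The struct, the function names and the inputs are constructed for illustration; the defensive idea is the one CWE-787 mitigations describe, namely that the destination size is known to the copy and input that does not fit is rejected rather than written.

```c
/*
 * Added example, not code from the article: CWE-787 Out-of-bounds Write
 * as a vulnerable pattern next to a hardened version. The struct,
 * functions and inputs are constructed for illustration.
 */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

struct user_profile {
    char name[NAME_MAX];
    int  is_admin;   /* sits right after name[]: bytes written past the
                        end of name land here */
};

/* Vulnerable (CWE-787): nothing compares the source length with the
 * destination size, so any src of NAME_MAX or more characters writes
 * past name[] into is_admin and whatever follows it. Kept only to show
 * the pattern; never called with oversized input in this file. */
void set_name_unsafe(struct user_profile *p, const char *src)
{
    strcpy(p->name, src);
}

/* Hardened: the destination size is an explicit parameter, the source is
 * scanned for its terminator only within that size, and input that does
 * not fit (terminator included) is rejected rather than silently
 * truncated. Returns 0 on success, -1 when rejected. */
int set_name_checked(struct user_profile *p, const char *src, size_t dst_size)
{
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* never read past dst_size */
        len++;
    if (len == dst_size)
        return -1;                                /* no room for the '\0' */
    memcpy(p->name, src, len + 1);                /* copy including '\0' */
    return 0;
}

/* Apply the checked setter to a fresh, zeroed profile; 1 if accepted. */
int checked_accepts(const char *src)
{
    struct user_profile p;
    memset(&p, 0, sizeof p);
    return set_name_checked(&p, src, sizeof p.name) == 0;
}

/* 1 if is_admin is still 0 after attempting the checked copy of src,
 * i.e. the field behind the buffer was never touched. */
int checked_preserves_flag(const char *src)
{
    struct user_profile p;
    memset(&p, 0, sizeof p);
    (void)set_name_checked(&p, src, sizeof p.name);
    return p.is_admin == 0;
}

int main(void)
{
    /* Constructed inputs: one fits, one is exactly NAME_MAX characters
     * (it needs NAME_MAX + 1 bytes with the terminator), one is far longer. */
    const char *inputs[] = { "alice", "abcdefghijklmnop",
                             "abcdefghijklmnopqrstuvwxyz0123456789" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-40s -> %s\n", inputs[i],
               checked_accepts(inputs[i]) ? "accepted" : "rejected (would overflow)");
    return 0;
}
```

On the detection side, building with `-fsanitize=address` makes the unsafe variant abort at the first out-of-bounds byte in testing, and `-D_FORTIFY_SOURCE=2` with optimization enabled replaces `strcpy` into a buffer of known size with a checked variant; neither substitutes for the explicit size check in the hardened function, which is what keeps the bug out of the binary in the first place.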
“Trend analysis on vulnerability data like this enables organizations to make better investment and policy decisions in vulnerability management,” the Common Weakness Enumeration (CWE) research team said.
Besides software, MITRE also maintains a list of important hardware weaknesses with an aim to “prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle.”
The disclosure comes as CISA, together with the U.S. National Security Agency (NSA), released recommendations and best practices for organizations to harden their Continuous Integration/Continuous Delivery (CI/CD) environments against malicious cyber actors.
This includes the implementation of strong cryptographic algorithms when configuring cloud applications, minimizing the use of long-term credentials, adding secure code signing, utilizing two-person rules (2PR) to review developer code commits, adopting the principle of least privilege (PoLP), using network segmentation, and regularly auditing accounts, secrets, and systems.
“By implementing the proposed mitigations, organizations can reduce the number of exploitation vectors into their CI/CD environments and create a challenging environment for the adversary to penetrate,” the agencies said.
The development also follows new findings from Censys that nearly 250 devices running on various U.S. government networks have exposed remote management interfaces on the open web, many of which run remote protocols such as SSH and TELNET.
“FCEB agencies are required to take action in compliance with BOD 23-02 within 14 days of identifying one of these devices, either by securing it according to Zero Trust Architecture concepts or removing the device from the public internet,” Censys researchers said.
Publicly accessible remote management interfaces have emerged as one of the most common avenues for attacks by nation-state hackers and cybercriminals, with the exploitation of remote desktop protocol (RDP) and VPNs becoming a preferred initial access technique over the past year, according to a new report from ReliaQuest.