It's 2023 and memory overwrite bugs are not just a thing, they're still number one
Cough, cough, use Rust. Plus: Eight more exploited bugs added to CISA's must-patch list
The most dangerous type of software bug is the out-of-bounds write, according to MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the US government's list of known vulnerabilities that are under active attack and need to be patched, we note.
Out-of-bounds write, sometimes labeled CWE-787, also took the top spot in 2022, showing a distinct lack of improvement.
An out-of-bounds write happens when software (and sometimes hardware) alters memory it's not supposed to, such as by writing data to a memory buffer and overshooting the end of that buffer, causing it to unexpectedly change other variables and information and/or just crash. That kind of bug can be triggered accidentally through normal operation, or it can be triggered deliberately by exploit code.
Typically, exploit code will induce an out-of-bounds write to alter data structures so that the flow of execution is hijacked and diverted in a way the attacker chooses, allowing them to take control of the software, be it an application, a remote service, or part of an operating system. Ideally, software should be written to prevent this kind of overwrite, and using memory-safe languages like Rust can help here.
Number two on MITRE's list is the less complex but still annoying cross-site scripting bug (CWE-79), which was key in four CVEs in the known exploited vulnerabilities catalog maintained by Uncle Sam's CISA. This bug type is a fancy form of a failure to sanitize user input.
Number three — SQL injection flaws (CWE-89) — account for four known exploited bugs in the CISA catalog. Again, another form of input sanitization failure. Clean and neutralize your inputs, people. You can't assume all your users are nice.
MITRE compiles the annual CWE Top 25 list by analyzing public vulnerability data in America's National Vulnerability Database. This year's list is based on 43,996 CVE records for vulnerabilities in 2021 and 2022, and was issued in hand with US Homeland Security and CISA.
"These weaknesses lead to serious vulnerabilities in software," the cybersecurity agency warned today. "An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working."
In fact, the top three most dangerous software weaknesses for 2023 were also the most dangerous, and in the same order, in the 2022 list. Progress is slow, it seems.
Time to get patching
Also today, CISA added eight more flaws to its Known Exploited Vulnerabilities Catalog. These affect D-Link and Samsung devices and they are tracked as:
- CVSS 9.8 — CVE-2019-17621 D-Link DIR-859 router contains a command execution vulnerability.
- CVSS 7.8 — CVE-2019-20500 D-Link DWL-2600AP access points are vulnerable to command injection attacks.
- CVSS 7.8 — CVE-2021-25487 Samsung mobile devices are vulnerable to out-of-bounds read.
- CVSS 5.5 — CVE-2021-25489 Samsung mobile devices contain an improper input validation flaw.
- CVSS 6.4 — CVE-2021-25394 Samsung mobile devices are susceptible to a race condition vulnerability.
- CVSS 9.0 — CVE-2021-25395 another race condition bug in Samsung mobile devices, but this one's critical.
- CVSS 6.7 — CVE-2021-25371 an unspecified flaw in Samsung mobile devices.
- CVSS 6.7 — CVE-2021-25372 Samsung mobile devices contain an improper boundary check vulnerability.
Number four, however, was one of the "biggest movers" on the list, jumping from the seventh spot last year to the fourth-ranked most dangerous issue this year. It's CWE-416, or use-after-free. This type of exploitable bug is when a program, remote service, or operating system component releases memory that's no longer needed, and then continues to use it anyway. At that point, it's relying on memory that could be, say, manipulated by some other code, and can lead to crashes or hijacking of execution.
Again, memory-safe languages are useful here as they abstract away this fiddly memory management, or ensure insecure memory use is blocked.
Some of the other biggest movers up the list, according to MITRE, include CWE-862, which covers missing authorization bugs. This weakness jumped from sixteenth position last year to number 11 in 2023.
- A (cautionary) tale of two patched bugs, both exploited in the wild
- Apple squashes kernel bug used by TriangleDB spyware
- Third MOVEit bug fixed a day after PoC exploit made public
- June Patch Tuesday: VMware vuln under attack by Chinese spies, Microsoft kinda meh
"CWEs are becoming more and more prevalent in vulnerability exposure conversations as the community looks to avoid the root causes that can become vulnerabilities," according to MITRE.
To this end, the nonprofit will publish a series of reports over the next few months that aim to help organizations "more effectively" use the Top 25 list. These will cover a range of topics including weaknesses that didn't quite make the Top 25 — but orgs should still be aware of them.
It will also publish a report on trends in CWEs over the last four years, and a report on actively exploited weaknesses based on CISA's catalog. ®