MITRE, in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has unveiled its annual list of the Top 25 most dangerous software weaknesses for 2023. These weaknesses pose serious risks to software systems, allowing attackers to gain control, steal data, or disrupt applications.
The list is derived from an analysis of public vulnerability data in the National Vulnerability Database (NVD), focusing on root cause mappings to Common Weakness Enumeration (CWE) weaknesses over the past two years. Out of 43,996 examined CVE entries, each vulnerability was assigned a score based on prevalence and severity.
Out-of-bounds Write takes the top spot on the list, followed by Cross-site Scripting, SQL Injection, Use After Free, OS Command Injection, and more. Notably, Out-of-bounds Write also ranked first in 2022. The report highlights that 70 vulnerabilities added to the Known Exploited Vulnerabilities catalog in 2021 and 2022 were related to Out-of-bounds Write bugs. One weakness category, Improper Restriction of XML External Entity Reference, dropped off the list this year.
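For readers who want to see what the top-ranked weakness looks like in code, the following is an added example, not taken from the MITRE/CISA report or any of the listed CVEs: a fixed-size buffer filled from input whose length the code does not check (the classic Out-of-bounds Write), placed next to a bounded version that rejects oversize input instead of writing past the end of the buffer. The `struct record`, `NAME_MAX` and the sample strings are constructed for illustration.

```c
/* Added example (not from the MITRE/CISA report): CWE-787 Out-of-bounds Write
 * in its most common form, a fixed-size buffer filled from externally sized
 * input, alongside a bounded version that rejects input that does not fit. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16              /* constructed buffer size for the example */

struct record {
    char name[NAME_MAX];
    int  is_admin;               /* adjacent field: an overrun of name[] lands here */
};

/* Weak form: trusts the caller-supplied length. If len >= NAME_MAX the
 * memcpy and the terminator write run past name[] into is_admin (or whatever
 * the compiler placed after the buffer). Shown for contrast; never call it
 * with untrusted lengths. */
void set_name_unchecked(struct record *r, const char *src, size_t len)
{
    memcpy(r->name, src, len);
    r->name[len] = '\0';         /* index len is out of bounds when len >= NAME_MAX */
}

/* Hardened form: the destination size is part of the contract. Input that
 * does not fit together with its NUL terminator is rejected outright, so the
 * record is neither overrun nor silently truncated.
 * Returns 0 on success, -1 when the input is rejected. */
int set_name_checked(struct record *r, const char *src, size_t len)
{
    if (len >= sizeof r->name)   /* need room for len bytes plus the terminator */
        return -1;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    /* constructed inputs: a short name that fits and a 40-byte one that does not */
    const char *ok  = "alice";
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("short: rc=%d name=%s admin=%d\n",
           set_name_checked(&r, ok, strlen(ok)), r.name, r.is_admin);
    printf("long:  rc=%d name=%s admin=%d\n",
           set_name_checked(&r, big, strlen(big)), r.name, r.is_admin);
    /* set_name_unchecked(&r, big, strlen(big)) would overwrite is_admin;
     * it is deliberately not executed here. */
    return 0;
}
```

The check `len >= sizeof r->name` rather than `len > sizeof r->name` is the detail that matters: a 16-byte name in a 16-byte buffer leaves no room for the terminator, and accepting it would still produce a one-byte write past the end.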
The analysis of vulnerability data enables organizations to make informed decisions regarding investment and policy in vulnerability management, according to the CWE research team.
In addition to software weaknesses, MITRE maintains a list of significant hardware weaknesses, aiming to educate designers and programmers on eliminating critical mistakes early in the product development lifecycle to prevent hardware security issues.
To strengthen Continuous Integration/Continuous Delivery (CI/CD) environments against cyber threats, CISA and the U.S. National Security Agency (NSA) have released recommendations and best practices. These include the implementation of robust cryptographic algorithms, minimizing the use of long-term credentials, adopting secure code signing, employing two-person rules (2PR) for code review, practicing the principle of least privilege (PoLP), implementing network segmentation, and conducting regular audits of accounts, secrets, and systems.
By implementing these mitigations, organizations can reduce the attack surface and create a challenging environment for adversaries.
Recent findings by Censys have also highlighted potential risks, revealing that nearly 250 devices on U.S. government networks have exposed remote management interfaces on the open web. These devices, many of which utilize remote protocols like SSH and TELNET, require immediate action from the relevant agencies to ensure compliance with Zero Trust Architecture concepts or to remove the devices from the public internet.
Staying vigilant and addressing the identified vulnerabilities and best practices can significantly enhance the security posture of organizations and protect their critical systems.