It's 2023 and memory overwrite bugs are not just a thing, they're still number one


The most dangerous type of software bug is the out-of-bounds write, according to MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the US government's catalog of known vulnerabilities that are under active attack and need to be patched, we note.

Out-of-bounds write, sometimes branded CWE-787, also took the top spot in 2022, showing a distinct lack of progress.

An out-of-bounds write happens when software (and sometimes hardware) alters memory it's not supposed to, such as by writing data to a memory buffer and overshooting the end of that buffer, causing it to unexpectedly change other variables and information and/or just crash. That kind of bug can be triggered accidentally through normal operation, or it can be triggered deliberately by exploit code.

Typically, exploit code will induce an out-of-bounds write to alter data structures so that the flow of execution is hijacked and diverted in a way the attacker chooses, allowing them to take control of the software, be it an application, a remote service, or part of an operating system. Ideally, software should be written to prevent this kind of overwrite, and using memory-safe languages like Rust can help here.
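To make the CWE-787 mechanism concrete, here is an added C example (not code from the article, MITRE or CISA). It uses a constructed record layout in which a privilege flag sits directly after a 16-byte name buffer: an unchecked copy of a 20-byte name spills four bytes onto the flag, while the bounds-checked version rejects the input and leaves the record untouched. The struct, function names and sample input are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for the demo (not from the article): a fixed-size
   name buffer with a privilege flag placed immediately after it, so an
   overshoot of the buffer lands on the flag. */
struct record {
    char name[16];
    uint32_t is_admin;
};

/* CWE-787 pattern: the copy length comes from the caller and is never
   compared with the buffer size, so an over-long name overruns it. */
void set_name_unchecked(struct record *r, const char *src, size_t len)
{
    memcpy(r->name, src, len);          /* no bounds check */
}

/* Hardened version: refuse anything that does not fit together with its
   NUL terminator, and leave the record untouched on rejection. */
bool set_name_checked(struct record *r, const char *src, size_t len)
{
    if (len >= sizeof r->name)
        return false;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return true;
}

/* Returns 1 when the checked writer rejects a 20-byte name and the
   adjacent flag is still zero afterwards. */
int checked_writer_preserves_flag(void)
{
    struct record r;
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA";   /* constructed, 20 bytes */
    memset(&r, 0, sizeof r);
    bool ok = set_name_checked(&r, too_long, strlen(too_long));
    return !ok && r.is_admin == 0 && r.name[0] == '\0';
}

/* Returns 1 when a name that fits is stored, NUL-terminated, and the
   flag is left alone. */
int checked_writer_accepts_short(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    return set_name_checked(&r, "alice", 5) && strcmp(r.name, "alice") == 0
           && r.is_admin == 0;
}

int main(void)
{
    struct record r;
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA";   /* constructed, 20 bytes */
    memset(&r, 0, sizeof r);

    /* Unchecked copy: the last 4 bytes land on is_admin, so a flag that
       was 0 now reads as 0x41414141, i.e. "admin" to any code that
       only tests it for non-zero. */
    set_name_unchecked(&r, too_long, strlen(too_long));
    printf("unchecked: is_admin = 0x%08x (was 0)\n", (unsigned)r.is_admin);

    memset(&r, 0, sizeof r);
    printf("checked: accepted = %d, is_admin = %u\n",
           (int)set_name_checked(&r, too_long, strlen(too_long)),
           (unsigned)r.is_admin);
    return 0;
}
```

The point of the layout is that nothing about the overflow is exotic: a length that is never compared with `sizeof` the destination is the whole bug, and the fix is the comparison plus an explicit failure path so the caller cannot silently proceed with a truncated or corrupted record. Building with `-fsanitize=address` makes the unchecked path abort at the offending `memcpy`, which is the cheapest way to catch this class in testing.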

Number two on MITRE's list is the less complex but still annoying cross-site scripting bug (CWE-79), which was central in four CVEs in the known exploited vulnerabilities catalog maintained by Uncle Sam's CISA. This bug type is a fancy form of a failure to sanitize user input.

Number three, SQL injection flaws (CWE-89), account for four known exploited bugs in the CISA catalog. Again, another form of input sanitization failure. Clean and neutralize your inputs, people. You can't assume all your users are nice.

MITRE compiles the annual CWE Top 25 list by analyzing public vulnerability data in America's National Vulnerability Database. This year's list is based on 43,996 CVE records for vulnerabilities in 2021 and 2022, and was issued together with US Homeland Security and CISA.

"These weaknesses lead to serious vulnerabilities in software," the cybersecurity agency warned today. "An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working."

In fact, the top three most dangerous software weaknesses for 2023 were also the most dangerous, and in the same order, in the 2022 list. Progress is slow, it seems.

Time to get patching

Also today, CISA added eight more flaws to its Known Exploited Vulnerabilities Catalog. These affect D-Link and Samsung devices and they are tracked as:

  • CVSS 9.8 — CVE-2019-17621 D-Link DIR-859 router contains a command execution vulnerability.
  • CVSS 7.8 — CVE-2019-20500 D-Link DWL-2600AP access points are susceptible to command injection attacks.
  • CVSS 7.8 — CVE-2021-25487 Samsung mobile devices are susceptible to out-of-bounds read.
  • CVSS 5.5 — CVE-2021-25489 Samsung mobile devices contain an improper input validation flaw.
  • CVSS 6.4 — CVE-2021-25394 Samsung mobile devices are susceptible to a race condition vulnerability.
  • CVSS 9.0 — CVE-2021-25395 another race condition bug in Samsung mobile devices, but this one's critical.
  • CVSS 6.7 — CVE-2021-25371 an unspecified flaw in Samsung mobile devices.
  • CVSS 6.7 — CVE-2021-25372 Samsung mobile devices contain an improper bounds check vulnerability.

Number four, however, was one of the "biggest movers" on the list, jumping from the seventh spot last year to the fourth-ranked most dangerous issue this year. It's CWE-416, or use-after-free. This type of exploitable bug is when a program, remote service, or operating system component releases memory that's no longer needed, and then continues to use it anyway. At that point, it's relying on memory that could be, say, manipulated by some other code, and can lead to crashes or hijacking of execution.

Again, memory-safe languages are useful here as they abstract away this fiddly memory management, or ensure unsafe memory use is blocked.
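The use-after-free pattern described above, as an added C example that is not code from the article or from MITRE or CISA: a constructed session object is freed, and the difference between the two close routines is whether the owner's pointer is left dangling or cleared so that a later use fails on NULL rather than reading released memory. The `session` struct and all function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed session object for the demo (not from the article). */
struct session {
    int  user_id;
    bool authenticated;
};

struct session *session_open(int user_id)
{
    struct session *s = malloc(sizeof *s);
    if (s) {
        s->user_id = user_id;
        s->authenticated = true;
    }
    return s;
}

/* CWE-416 pattern: the memory is released, but the caller still holds
   the old pointer and nothing stops it from reading through it later.
   The allocator may have handed that block to other code by then. */
void session_close_dangling(struct session *s)
{
    free(s);
}

/* Hardened pattern: take the owner's pointer by address, free it, and
   null it so any later use trips on NULL instead of on freed memory. */
void session_close(struct session **sp)
{
    if (sp && *sp) {
        free(*sp);
        *sp = NULL;
    }
}

/* Accessor that treats a NULL (closed) session as "no user" rather than
   dereferencing it. */
int session_user(const struct session *s)
{
    return s ? s->user_id : -1;
}

/* Returns 1 when closing via session_close leaves the caller's pointer
   NULL and the accessor reports no user afterwards. */
int close_then_use_is_caught(void)
{
    struct session *s = session_open(42);
    if (!s || session_user(s) != 42)
        return 0;
    session_close(&s);
    return s == NULL && session_user(s) == -1;
}

int main(void)
{
    struct session *s = session_open(7);
    printf("open: user %d\n", session_user(s));
    session_close(&s);
    printf("after close: user %d (pointer is %s)\n",
           session_user(s), s ? "still set" : "NULL");
    /* session_close_dangling(s) followed by a read of s->user_id is the
       use-after-free; it is deliberately not executed here. */
    return 0;
}
```

Nulling the pointer only protects the one owner that called `session_close`; copies of the pointer held elsewhere stay dangling, which is why the durable fix is clear ownership rules (or a language that enforces them) rather than a local `NULL` assignment. As with the overflow case, `-fsanitize=address` reports a read through the dangling pointer as a heap-use-after-free at the exact line.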

Some of the other biggest movers up the list, according to MITRE, include CWE-862, which covers missing authorization bugs. This weakness jumped from sixteenth position last year to number 11 in 2023.

Additionally, CWE-269 (improper privilege management) moved up seven places to 22 on the list, and CWE-863 (incorrect authorization) rose four ranks to number 24.


There's also a couple of new entries to this year's list: CWE-269 (improper privilege management), in 22nd place, and CWE-863 (incorrect authorization) as a newcomer in 24th.

"CWEs are becoming more and more prevalent in vulnerability exposure conversations as the community looks to avoid the root causes that can become vulnerabilities," according to MITRE.

To this end, the nonprofit will publish a series of reports over the next few months that aim to help organizations "more effectively" use the Top 25 list. These will cover a range of topics including weaknesses that didn't quite make the Top 25, but that orgs should still be aware of.

It will also publish a report on trends in CWEs over the last four years, and a report on actively exploited weaknesses based on CISA's catalog.