Common Weakness Enumeration (CWEs): Context is Everything

You are the weakest link. Hello.

“When you hear the sound of hooves, think horses, not zebras” is something many doctors are taught at medical school. Essentially, it means that, when you’re thinking about a diagnosis, consider the most likely possibility first. But not all diseases are horses, sometimes there’s a zebra in there, making trouble.

What does any of this have to do with weakness in code and vulnerability management?

Well, just like in medicine, there are times when, if you only look at the main symptoms, you’ll miss the disease. And if you focus your priorities and efforts completely on the MITRE Top 25, there’s a good chance you’ll miss the highly weaponized, less known weakness that is highly relevant to your specific systems. Until it finds you.

So what are these weaknesses and why should developers and defenders focus on them?

Understanding is the Key

Common Weakness Enumerations (CWEs) are weaknesses or inherent flaws in software design, implementation or operation that can be exploited by attackers. They’re the foundation for vulnerabilities (CVEs) within software systems, where a vulnerability is a specific instance of a weakness that can be exploited.

Understanding the nature of weakness is crucial for developing a proactive cybersecurity approach. Organizations that understand the root causes behind weaponized and exploited vulnerabilities can prioritize efforts to identify, mitigate and remediate weakness – before they are leveraged by attackers and become known as exploited vulnerabilities. This proactive approach helps minimize the risk of potential exploits, enhancing the overall security posture of software systems.

What kind of insights can we gain from this approach?

Securin’s analysts tracked 311,018 CVEs that, as of April 9 2024, have CWEs assigned to them. Here’s what we found:

Key Notes:

Almost a third of cybersecurity vulnerabilities (33.78%) lack identification of related weaknesses.
The all time list: 678 Weaknesses have vulnerabilities mapped to them across the all time list of vulnerabilities.
39 of the 678 Weaknesses are now Deprecated/Obsolete, with 14,256 CVEs mapped to them.

Meet the All-Stars: Breadth Analysis

In terms of weakness and vulnerabilities, there are some familiar faces in the Top 25, all of which can be mitigated through more secure coding practices. Despite high-profile attacks costing significant sums in fines and remediation costs, vulnerability to cross-site scripting (XSS) continues to be prevalent in web applications. But it’s not the only issue. Let’s take a look:

CWE-79 (Cross-site Scripting) tops the list with 30,820 CVEs mapped to it, highlighting the prevalent risk of XSS attacks in web applications.
CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-89 (SQL Injection) follow closely, indicating the significance of input validation and secure coding practices.
3 Weaknesses Categories: CWE-264: Permissions, Privileges, and Access Controls – 5487 CVEs, CWE-399: Resource Management Errors – 2718 CVEs
CWE-310: Cryptographic Issues – 2508 CVEs are present in Top 25, owing to the historical number of CVEs mapped to them even though their use is now prohibited since 2016.Something Old, Something New: Changes in Frequency Across DecadesWhen we analyze the frequency of weakness across three decades: 2000-2009, 2010-2019 and 2020-present, we observed some interesting trends:

The Has-Beens: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, CWE-264: Permissions, Privileges, and Access Controls, CWE-284: Improper Access Control have been on a diminishing trend.

What Can We Infer?

Despite widespread awareness of the threats, developers are constantly introducing XSS weaknesses (CWE-79) – at an increasing rate and in high volumes over time. To be fair, modern web applications are often complex, with numerous interconnected components and dependencies. Managing security in these environments can be challenging, increasing the likelihood of XSS vulnerabilities slipping through the cracks.

Here’s what else we noticed:

CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-787 (Out-of-bounds Write), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) CWE-125 (Out-of-bounds Read), and CWE-94 (Improper Control of Generation of Code, commonly referred to as Code Injection) are interconnected through their exploitation of memory-related vulnerabilities. They offer increased exploitation potential as specific instances where memory-related vulnerabilities can be exploited to gain unauthorized access to sensitive information, execute arbitrary code, or manipulate program behavior.
CWE-89, CWE-22 & CWE-20: Despite efforts to raise awareness about common vulnerabilities like SQL injection and path traversal, some developers may still lack a comprehensive understanding of secure coding practices and the potential risks associated with inadequate input validation and directory restrictions.

Depth Analysis: Going Beyond Frequency

Analyzing weaknesses not only by frequency but also from the threat perspective is crucial for understanding their true risk to software systems. Assessing their association with weaponized, APT or ransomware-exploited vulnerabilities offers insight into their potential impact. By examining the likelihood of a weakness being weaponized by threat actors, security professionals can prioritize mitigation efforts effectively, focusing on vulnerabilities posing the greatest threat and strengthening overall cybersecurity posture. Here’s what we observed when we analyzed the top weaknesses by weaponization.

Weaponization Affinity

High Weaponization Rates: CWE-98 (PHP Remote File Inclusion) has the highest weaponization rate at 72.97%, indicating a significant risk of exploitation. Other weaknesses with relatively high weaponization rates include CWE-89 (SQL Injection) at 38.19% and CWE-22 (Path Traversal) at 32.96%.
Common Attack Vectors: Vulnerabilities related to improper control of inputs, such as SQL injection (CWE-89) and code injection (CWE-94), continue to be prevalent and highly weaponized (28-38%), underscoring the importance of input validation and secure coding practices.
Web Application Security: Cross-site scripting (CWE-79) and cross-site request forgery (CWE-352) vulnerabilities remain common in web applications, with moderate weaponization rates. Proper input validation and output encoding are essential for mitigating these risks.
Privilege and Access Control: CWE-264 (Permissions, Privileges, and Access Controls) & CWE-287 (Improper Authentication) highlight the importance of robust access control mechanisms. Weaknesses in this area can lead to unauthorized access and privilege escalation attacks and have ~17% Weaponization.
Input Validation & Deserialization Vulnerabilities: CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), CWE-434: Unrestricted Upload of File with Dangerous Type, CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer & CWE-502: Deserialization of Untrusted Data have relatively high weaponization rates (18-24%), indicating the risk associated. Proper input validation and secure deserialization practices are essential for mitigating this risk.

Aligning Weaknesses with Exploit Types Through Vulnerability Associations

When we track vulnerabilities exploit types against the weaknesses associated with them, here’s what we found:

Remote Code Execution (RCE):

CWE-94 (Code Injection) and CWE-98 (PHP Remote File Inclusion) contribute significantly to RCE vulnerabilities, with high numbers of CVEs mapped to this exploit type.

Privilege Escalation:

CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) emerges as a major contributor to privilege escalation vulnerabilities, with a large number of CVEs mapped to this exploit type.

Denial of Service (DoS):

CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-94 (Code Injection) exhibit substantial contributions to DoS vulnerabilities, emphasizing the impact of memory-related and code execution weaknesses on system availability.

Web Application Vulnerabilities:

CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-79 (Cross-site Scripting) stand out as major contributors to web application vulnerabilities, with a large number of CVEs mapped to this exploit category.

The Weaknesses Fueling Threat Actor and Ransomware Eruptions

Our research reveals that 109 weaknesses are linked to vulnerabilities known to be exploited by ransomware and threat actor groups.

Exploitation Potential: Weaknesses like CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-20 (Improper Input Validation) provide significant opportunities for exploitation by threat actors. Memory-related vulnerabilities and insufficient input validation can lead to various attack vectors, making them attractive targets for ransomware and threat actors seeking to compromise systems.

Critical System Components: Weaknesses such as CWE-94 (Code Injection) and CWE-22 (Path Traversal) affect critical system components and functionalities. Exploiting these weaknesses can enable threat actors to execute arbitrary code or access sensitive data, making them valuable targets for ransomware attacks and other malicious activities.
Persistence and Impact: CWE-416 (Use After Free) and CWE-787 (Out-of-bounds Write) vulnerabilities can lead to persistent and impactful exploits. These weaknesses allow threat actors to maintain control over compromised systems or cause system crashes, amplifying their appeal for ransomware attacks and exploitation by threat actors.
Privilege Escalation: CWE-269 (Improper Privilege Management) and CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities enable privilege escalation and unauthorized access to system resources. Threat actors leverage these weaknesses to gain elevated privileges and expand their control over compromised systems, enhancing their ability to execute ransomware attacks and carry out other malicious activities.
Common Attack Vectors: Weaknesses like CWE-502 (Deserialization of Untrusted Data) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command) represent common attack vectors exploited by ransomware and threat actors. These weaknesses allow for remote code execution and command injection, facilitating unauthorized access and control over targeted systems.MITRE Top 25 TrendsKey Actions for Developers/DevSecOps PractitionersAs the developer’s role evolves into one where security is part of life, the ability to really understand the nature of weaknesses in code is crucial for proactive mitigation. The MITRE Top 25 on its own is no longer enough, especially when you’re looking for zebras. The more we dig into the data, the more we can see that frequency isn’t always the best indicator of threat – there are many weaknesses outside the Top 25 that are weaponized and being exploited. If you’re only looking at 25 symptoms, you’re not going to identify all of the diseases at the early warning stage.What can devs do?The Future of Code is Secure by DesignWhen we look at AI regulations and the new NIST 2.0 framework, what we’re seeing is an emphasis on proactive security. At Securin, that’s baked into everything we do with our customers. From attack surface validation to attack surface prioritization and beyond, we’re enabling a security by design approach, where weaknesses are identified and mitigated before they can become vulnerabilities. And if they’re already vulnerabilities, we mitigate them before they’re exploited.