
Detecting the Top 25 CWEs with EASM

Top 25 CWEs

Everything happens for a reason. For most vulnerabilities on the Common Vulnerabilities and Exposures (CVE) list, the reason can be a security weakness typically found on the Common Weakness Enumeration (CWE) list.  In fact, research shows that 73% of CVEs are linked to CWEs.

This connection matters because half of the entries in the CVE-to-CWE mapping carry a Common Vulnerability Scoring System (CVSS) score, which means a CVE mapped to a CWE is exploitable at a known severity level.

Therefore, proactively detecting and mitigating CWEs is a critical cybersecurity process, especially in light of zero-day attacks. However, with more than 600 CWE categories, identifying all weaknesses may take a lot of work. That is where the MITRE CWE Top 25 list comes in. The list helps security teams focus on the most dangerous software weaknesses.

What Is the CWE Top 25?

The CWE Top 25 is the MITRE Corporation’s list of the most common and dangerous software weaknesses. These weaknesses are often the root cause of exploitable vulnerabilities that attackers can leverage, so detecting the CWEs can help prevent vulnerability exploitation and other potential cyber attacks.

The list is updated yearly based on an analysis of publicly disclosed vulnerabilities to reflect the evolving threat landscape. However, MITRE found 15 “stubborn weaknesses” that have been present on the list each year from 2019 to 2023.

All the weaknesses in the CWE Top 25 have several observed CVEs, highlighting how exploitable and dangerous they are. In fact, 20 CWEs on the list can be considered high-priority since they have CVEs appearing in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. CISA recommends that organizations use the KEV catalog as an input to their vulnerability prioritization frameworks.

How Can Organizations Detect the CWE Top 25?

CWEs and their mapped CVEs can be detected by external attack surface management (EASM) solutions with advanced vulnerability scanning capabilities. Some examples of the CWE Top 25 that EASM platforms can detect and help address are listed below.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119 refers to a software weakness that arises when a program doesn’t properly manage the boundaries of memory buffers. These buffers are allocated sections of memory that applications use to store temporary data. When operations (e.g., reading or writing) are not restricted within the intended bounds of a buffer, it can lead to security vulnerabilities and unexpected program behaviors.

One of the recently observed examples of this CWE is CVE-2021-22991, a vulnerability affecting specific versions of F5 BIG-IP, a widely used traffic management platform that optimizes and secures the delivery of applications and data across networks. Requests made to a virtual server can be incorrectly handled, causing the operation to go beyond the buffer. When exploited, this vulnerability can result in a denial-of-service (DoS) attack.

CWE-78: Improper Neutralization of Special Elements Used in an OS Command (“OS Command Injection”)

CWE-78 is a program weakness that allows attackers to execute commands directly on the operating system (OS). It can occur when the program allows user inputs to construct OS commands without proper validation or sanitization.

In one study, researchers found an OS command injection vulnerability in Tenda AC15 and AC1900 Wi-Fi routers with firmware version 15.03.05.19 that could allow attackers to take complete control of a router, giving them unrestricted access to the entire network and its data traffic. They can do so by exploiting the goform/setUsbUnload endpoint and manipulating the deviceName POST parameter. According to the CISA KEV, the vulnerability (CVE-2020-10987) has already been exploited in the wild.
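To show what the weakness and its fix look like in code, here is an added example (not the router firmware's code or Attaxion's) modeled on the handler pattern described above: a POST parameter named deviceName that ends up in an OS command. The tool name usb_unload and the device naming rule are assumptions.

```python
import re

# Vulnerable pattern: the request parameter is pasted into a shell command line.
# Anything in device_name, including ';', '|' or backticks, is parsed by the shell.
def vulnerable_unload_command(device_name: str) -> str:
    return f"usb_unload {device_name}"   # would be run with subprocess.run(..., shell=True)

# Hardened pattern: validate against a strict allowlist, then pass the value as
# a single argv element with no shell involved.
_DEVICE_RE = re.compile(r"^sd[a-z][0-9]{0,2}$")   # assumed naming for USB block devices

def validated_device_name(device_name: str) -> str:
    """Return the name unchanged if it matches the allowlist, else raise ValueError."""
    if not _DEVICE_RE.fullmatch(device_name):
        raise ValueError("invalid deviceName")
    return device_name

def build_unload_argv(device_name: str) -> list[str]:
    """Build the argv for subprocess.run(argv, shell=False); never a shell string."""
    return ["usb_unload", validated_device_name(device_name)]   # hypothetical tool

# Detection side: flag request parameters carrying shell metacharacters so that
# attempts against endpoints like this show up in logs or WAF alerts.
_SHELL_META = re.compile(r"[;&|`$<>\n\r]|\$\(")

def is_suspicious_parameter(value: str) -> bool:
    return bool(_SHELL_META.search(value))
```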

CWE-287: Improper Authentication

Software with vulnerabilities tied to CWE-287 can allow attackers to bypass authentication and gain access to sensitive data.

CWE-287 is the root cause of CVE-2022-35248, a vulnerability found in earlier versions of Rocket.Chat that removed the requirement for two-factor authentication (2FA). Rocket.Chat is an open-source communications platform designed to focus on security and data privacy for organizations. Successful exploitation may allow an attacker to gain access to a Rocket.Chat user account, potentially compromising sensitive information or disrupting communication channels.

CWE-434: Unrestricted Upload of File with Dangerous Type

With CWE-434, threat actors can upload or transfer malicious files onto a vulnerable program, possibly leading to arbitrary code execution if the program executes the file.

GitHub repository thorsten/phpmyfaq suffered from such a vulnerability (CVE-2023-5227) in the past due to a lack of proper restrictions on file uploads within the phpMyFAQ application. The vulnerability can enable attackers to insert malicious code into uploaded files and redirect users to malicious websites.
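An added example (not phpMyFAQ's code) of the controls that close this class of weakness: an extension allowlist, a check that the file content actually matches the declared type, a server-chosen random filename, and a write with no execute bit. The allowed types and size limit are assumptions.

```python
import os
import secrets
from pathlib import Path

# Allowlisted extensions and the leading bytes (magic) each must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024   # assumed upload limit

def validate_upload(filename: str, content: bytes) -> str:
    """Return the allowlisted extension for this upload, or raise ValueError."""
    if len(content) == 0 or len(content) > MAX_BYTES:
        raise ValueError("empty or oversized upload")
    # Keep only the last path component, then only the final extension
    # (so "shell.php" and "../../x" are handled by the same rule).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED_TYPES:
        raise ValueError("extension not allowed")
    ext = parts[1]
    # The extension alone is not trusted: the bytes must look like that type.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    return ext

def stored_name(filename: str, content: bytes) -> str:
    """Random server-chosen name; the user's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{validate_upload(filename, content)}"

def save_upload(upload_dir: Path, filename: str, content: bytes) -> Path:
    """Store under a directory the web server serves statically and never executes from."""
    dest = upload_dir / stored_name(filename, content)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)   # rw for owner, no exec
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return dest
```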

CWE-362: Concurrent Execution Using Shared Resources with Improper Synchronization (“Race Condition”)

Race conditions arise when different parts of a program try to access and modify the same data simultaneously. This issue can be especially dangerous in security-critical code like those that verify user logins or manage sensitive information. These critical sections typically rely on assumptions of exclusive access and indivisible execution for the shared data. However, a race condition creates a window where another part of the code (trusted or malicious) can interfere with a critical section, potentially leading to unexpected behaviors and security vulnerabilities.

A vulnerability in Apple’s iOS kernel tracked as CVE-2021-1782 and connected to CWE-362 may have been exploited in the wild. This already-fixed vulnerability potentially enabled attackers to gain unauthorized privileges on affected devices.
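An added example (constructed here, unrelated to the iOS kernel bug) of the check-then-act race described above, in exactly the kind of login-related code the section mentions: a one-time verification code that must be accepted only once even when many requests present it simultaneously. The racy store and the locked store are both shown so the difference is visible.

```python
import threading
import time

class RacyCodeStore:
    """Vulnerable: the check and the consumption are two separate steps."""
    def __init__(self, code: str):
        self._unused = {code}

    def redeem(self, code: str) -> bool:
        if code in self._unused:          # check
            time.sleep(0.001)             # widens the window in which another thread passes the same check
            self._unused.discard(code)    # act
            return True
        return False

class SafeCodeStore:
    """Hardened: check and consumption run under one lock, so they are indivisible."""
    def __init__(self, code: str):
        self._unused = {code}
        self._lock = threading.Lock()

    def redeem(self, code: str) -> bool:
        with self._lock:
            if code in self._unused:
                self._unused.discard(code)
                return True
            return False

def concurrent_redeems(store, code: str, attempts: int = 20) -> int:
    """Present the same code from many threads at once; return how many redeems succeeded."""
    results = []
    barrier = threading.Barrier(attempts)     # release every thread at the same moment
    def worker():
        barrier.wait()
        results.append(store.redeem(code))
    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

With the racy store the count is usually greater than one; with the locked store it is always exactly one.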

Conclusion

Several successful cyber attacks can be traced back to a fundamental weakness in the targeted system or its assets. These weaknesses, categorized as CWEs, represent the root causes of vulnerabilities that attackers can exploit to gain a foothold.

Proactive cybersecurity strategies entail nipping the problem in the bud by detecting and mitigating weaknesses, such as those in the CWE Top 25. However, it’s important to remember that every organization uses a unique collection of software and assets, which means they’ll have their own specific set of CWEs and CVEs to pay attention to. That requires a tailored approach to vulnerability management and EASM in general.

Check your assets for the CWE Top 25 and other security issues. Kick off your 30-day free trial with Attaxion today.