The fact that modern software contains bugs and vulnerabilities should not be a surprise to anyone. Most organizations’ cybersecurity strategy relies heavily upon installing patches for vulnerabilities once they are identified and readily available. However, in the space of possible vulnerabilities, not all are created equal. In a recent list, buffer overflow vulnerabilities have been labeled as the current most dangerous type of software vulnerability.
What is the CWE?
MITRE is one of the US government’s federally funded research and development centers (FFRDCs). One of MITRE’s areas of research focus is cybersecurity, and it is well-known for the MITRE ATT&CK framework, which provides detailed descriptions of the various means that an attacker could perform each stage of the cyberattack lifecycle.
Another of MITRE’s core roles is the operator of the Department of Homeland Security’s (DHS’s) Systems Engineering and Development Institute (SEDI). While MITRE continually maintains a list of common weakness enumerations (CWEs) that describe the various types of known weaknesses in computer systems (like buffer overflows or cross-site scripting), it also occasionally generates a list of the most dangerous CWEs. In 2019, the CWE Top 25 list was the first such list to be created in eight years.
Buffer Overflows Top CWE 2019
In the new list, the order of common weaknesses was dramatically different from previous lists. One of these changes was buffer overflows taking the top spot in the 2019 CWE Top 25 list.
A buffer overflow vulnerability occurs when a developer fails to correctly manage memory when handling user-controlled input. In many programming languages, like C and C++, a developer first allocates a chunk of memory of a given size (say 25 bytes) and then copies data into it (either from another memory location or standard input). As long as the copied data fits within the allocated buffer, everything is fine.
However, if the data is too large for the allocated buffer, things can go wrong. Some copy operations (like strcpy in C and C++) keep copying until they reach a null terminator (the byte used to mark the end of a string). If the first null byte lies beyond the bounds of the allocated buffer, the program keeps copying data into memory it never allocated, allowing an attacker to write to memory that should be outside of their control. Buffer overflow vulnerabilities are the basis of return-oriented programming (ROP), which uses them to hijack the program's control flow and run attacker-controlled code supplied to the program as user input.
The interesting thing about buffer overflows topping the CWE list is that they are entirely preventable. In fact, many programming languages, like Java, Python, and PHP, have buffer bounds checking built in, meaning that a buffer overflow vulnerability is not possible if only native code is used. In vulnerable languages, like C++, alternatives to strcpy exist, diminishing the probability of buffer overflow vulnerabilities.
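To make the 25-byte example above concrete, here is an added example (not code from the original post) showing the unbounded strcpy pattern next to a bounded replacement that rejects input which does not fit. The buffer size, function names and the rejected return value of -1 are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 25  /* the 25-byte buffer from the text */

/* Vulnerable pattern: strcpy copies until it finds a NUL byte and never
 * looks at how much room dst has. Any src of BUF_SIZE or more characters
 * writes past dst[BUF_SIZE - 1]. Kept here only to show the shape of the
 * bug; main() never calls it with untrusted data. */
void copy_unchecked(char dst[BUF_SIZE], const char *src) {
    strcpy(dst, src);   /* no bound on how many bytes are written */
}

/* Length of s, but never scanning more than max bytes (like strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Hardened replacement: measure the input without reading past BUF_SIZE,
 * reject anything that cannot fit together with its NUL terminator, and
 * copy exactly the bytes that fit. Returns 0 on success, -1 when the input
 * was rejected (dst is then left as an empty string). */
int copy_checked(char dst[BUF_SIZE], const char *src) {
    size_t n = bounded_len(src, BUF_SIZE);
    if (n >= BUF_SIZE) {    /* n == BUF_SIZE means "too long or unterminated" */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);  /* n + 1 <= BUF_SIZE, NUL included */
    return 0;
}

int main(void) {
    char buf[BUF_SIZE];
    /* 24 characters fit (24 + NUL == 25 bytes); 25 characters do not. */
    printf("24 chars: %d\n", copy_checked(buf, "012345678901234567890123"));
    printf("25 chars: %d\n", copy_checked(buf, "0123456789012345678901234"));
    return 0;
}
```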
The fact that many “modern” programming languages are immune to buffer overflow vulnerabilities implies that most vulnerable programs are not using them. Either affected programs are primarily using languages like C/C++ (in an insecure fashion) or the placement of buffer overflow vulnerabilities at the top of the CWE list is caused by the continued use of insecure legacy code.
Edging Out SQL Injection
While the move of buffer overflow vulnerabilities to the top of the CWE list is the most visible change from the 2011 Top 25 CWE list, it is far from the only one. The previous “top weakness”, SQL injection dropped to sixth in the 2019 list, and several new weaknesses entered the top five.
In general, the change in the top five weaknesses indicated a shift from specific types of vulnerabilities to more general security weaknesses. In the 2011 list, the top five were:
- SQL Injection
- OS Command Injection
- Buffer Overflow
- Cross-Site Scripting
- Missing Authentication
In the 2019 list, these were replaced by:
- Buffer Overflow
- Cross-Site Scripting
- Improper Input Validation
- Information Exposure
- Out-of-Bounds Read
While specific vulnerabilities like buffer overflows and cross-site scripting kept their places in the top five (and even moved up), improper input validation and information exposure are more general. Many specific vulnerabilities (including injection attacks like SQL and OS Command Injection) are failures to properly validate user input, so the inclusion of improper input validation in the top five may indicate that injection attacks in general (rather than any specific type in particular) are a major threat.
Making Web Apps Secure
The CWE Top 25 List is interesting since it provides some context regarding the vulnerabilities that are most common and most dangerous in the software in use today. Unfortunately, as this list and similar ones by OWASP demonstrate, most well-known vulnerabilities are not so much going away as jockeying for position. As the presence of buffer overflows at the top of the 2019 CWE list demonstrates, even vulnerabilities that many languages protect against by default can still have a significant impact on system security.
Since it seems unlikely that developers will suddenly learn to identify and remove these types of vulnerabilities from their code before it reaches production, it is necessary to deploy defenses to protect vulnerable code from exploitation. Especially for web applications, which are exposed to the public Internet and protect sensitive information, deploying a system capable of identifying and blocking potential exploits of these vulnerabilities, like a web application firewall (WAF), is essential for security.