Buffer Flaws & Cross-Site Scripting Named Most Dangerous Software Errors
MITRE recently published the 2019 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors, naming buffer flaws and cross-site scripting as the top software errors which according to the organization could lead to serious vulnerabilities in software.
MITRE based its CWE Top 25 Most Dangerous Software Errorson Common Vulnerabilities and Exposures (CVE)and National Vulnerability Database (NVD)data. MITRE is the organization that started the CVE list.
Publicly disclosed software security vulnerabilities are given a corresponding CVE identification number for future reference. NVD, which is managed by the U.S. National Institute of Standards and Technology (NIST), obtains data from CVE such that any updates to CVE appear immediately on the NVD. The NVD supplements CVE data with additional analysis and data to provide more information about vulnerabilities. The 2019 CWE Top 25 used NVD data from the years 2017 and 2018, which comprised of approximately 25,000 CVEs.
“The CWE Top 25 is a community resource that can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry,” MITRE said.
MITRE noted that the 2019 list only covers publicly known software security vulnerabilities that were publicly reported and captured in NVD. Numerous software vulnerabilities, therefore, without CVE IDs are excluded from the list, such as those found and fixed before any software has been publicly released or known only to the software maker.
2019 CWE Top 2 Most Dangerous Software Errors
Here are the top 2 most dangerous software errors based on MITRE’s list:
1. Buffer Flaws
Buffer flaws, categorized as “Improper Restriction of Operations within the Bounds of a Memory Buffer” topped the list. Buffer flaws allow reading from or writing to a memory location that’s outside of the intended boundary of the buffer. An attacker who exploits the memory buffer flaws could execute arbitrary code, alter the intended control flow, read sensitive information or cause the system to crash.
An example of a memory buffer flaw is CVE-2019-1212which affects Windows Server 2019, Windows Server version 1803, Windows Server version 1903, Windows Server 2016, Windows Server 2012, Windows Server 2008, Windows 10, Windows 8.1 and Windows 7. According to Microsoft, CVE-2019-1212 vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. On August 13, 2019, Microsoft issued a security advisory and released a patch fixing this security vulnerability.
“An attacker who successfully exploited the vulnerability could cause the DHCP server service to stop responding,” Microsoft said. “To exploit the vulnerability, a remote unauthenticated attacker could send a specially crafted packet to an affected DHCP server.”
2. Cross-Site Scripting
Cross-site scripting, also known as “Improper Neutralization of Input During Web Page Generation” ranks as the 2nd most dangerous software error. Cross-site scripting vulnerabilities occur when untrusted data enters a web application; web application generates a web page that contains this untrusted data; during web page generation, the web application doesn’t prevent the data from containing content that’s executable by a web browser; and a victim visits the generated web page via a web browser, which contains malicious script – a computer language which contains a list of commands executed by certain programs like a browser – that was injected using the untrusted data.
In March 2017, WordPressannounced that versions 4.7.2 and earlier versions were affected by these 3 vulnerabilities: cross-site scripting via media file metadata, cross-site scripting via video URL in YouTube embeds and cross-site scripting via taxonomy term names. WordPress patched these cross-site scripting vulnerabilities via WordPress 4.7.3 and encouraged website owners to update to this version.
Cross-site scripting becomes even more dangerous when used with another form of cyberattack: watering hole attacks. In watering hole attacks, intermediary targets such as websites vulnerable to cross-site scripting are compromised in order to gain access to the ultimate targets such as the website visitors. In compromising a vulnerable website for a watering hole attack, a malicious actor injects malicious script into the vulnerable website, enabling a victim’s browser to execute the malicious script while loading the web page.
Prevention and Mitigating Measures Against Buffer Flaws and Cross-Site Scripting
Keeping all your organization’s software up to date is one way to prevent buffer flaws and cross-site scripting. The above-mentioned examples of buffer flaws and cross-site scripting vulnerabilities had been patched by their software makers. To protect your organization against these type of attacks, it’s, therefore, important to keep all software up to date.
Specific to buffer flaws or “ Improper Restriction of Operations within the Bounds of a Memory Buffer”, MITRE recommends the following mitigating measures when allocating and managing an application’s memory:
. “ Double check that your buffer is as large as you specify.
. “ When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
. “ Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space.
. “If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.”
Specific to cross-site scripting or “ Improper Neutralization of Input During Web Page Generation”, one way to mitigate the negative effects of this vulnerability is by using an application firewall that can detect attacks against this vulnerability. A firewall is beneficial in case the vulnerability can’t be fixed immediately, for instance, when the software is controlled by a third party which hasn’t yet released a patch to fix the vulnerability.
An application firewall, however, might not be able to protect your organization from all possible attack points. “In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs,” MITRE said. “Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests.”
Whether you develop software in house, use an outside firm, or simply relying on off the shelf software to run your business, your team must ensure that the code is flaw-free.
Connect with our IT and security experts today and start with the assessment that will uncover the flaws and minimize the likelihood of a disastrous data breach.
Call (416) 920-3000 or email us at firstname.lastname@example.org