Common Weakness Enumeration (CWE) is a list, or dictionary, of common software weaknesses. Red Hat has adopted CWE as a common language for describing and classifying vulnerabilities, and uses it as a base for the evaluation and prevention of weaknesses. The results of these classifications are reviewed periodically and are used to direct our efforts in strengthening the security of development practices, tools, assessment services, education programs and documentation.
As a part of this effort, the Red Hat Customer Portal has attained CWE compatibility after a review by the MITRE Corporation. CWE IDs are currently assigned to high risk vulnerabilities in Red Hat products. This classification is available through the CVE database, and the CWE coverage of the Customer Portal is maintained with a carefully selected subset of CWE identifiers that provides a useful level of abstraction of weaknesses for developers and security engineers. Statistics derived from the available data can also be used by the open source community to better understand the security challenges of developing open source software. More information is available at CWE Compatibility for Red Hat Customer Portal and in previous blog posts.
Statistics for the previous year are based on 37 identified and classified vulnerabilities. The graph below shows the top 5 overall weaknesses (as assigned, including chains) with the number of their occurrences.
Top overall weaknesses in 2013
CWE-502 Deserialization of Untrusted Data is at the top with a total of nine occurrences. Closer investigation shows that the root cause of six of them is a vulnerability found in Ruby on Rails, first identified in January last year. The recurring theme was the use of YAML.load to deserialize user-controlled content. The YAML standard supports user-defined data types and offers a convenient way to serialize and deserialize Ruby objects, which makes it a popular choice in many Ruby-based projects.
This weakness gives an attacker the ability to instantiate objects and could be, depending on the application, exploitable in several ways, including DoS attacks, SQL injection and arbitrary code execution. Eliminating this weakness by identifying every code path that allows an attacker to supply content to YAML.load might prove difficult. In this case several gems were found vulnerable and dropped YAML support, and even one of the JSON parsing engines available in ActiveSupport was using YAML.load and was therefore exploitable.
The recommended way to prevent weaknesses such as this one is to take a defensive approach from the early stages of development. User-controlled inputs should be handled carefully and filtered using a whitelist approach, specifying "known-good" inputs rather than blacklisting malicious ones.
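The whitelist approach applied to YAML parsing, as an added example written for this post rather than code from Rails or any of the affected gems: it assumes Psych 3.1 or later (Ruby 2.6+), whose YAML.safe_load takes keyword arguments, and the sample documents are constructed for illustration.

```ruby
require 'yaml'
require 'date'

# Tags such as !ruby/object instruct Psych (Ruby's YAML engine) to instantiate
# a class named in the document. In the Psych versions affected by the Rails
# issue above, YAML.load honoured such tags, so any user-controlled input that
# reached it became an object-instantiation primitive (CWE-502). Psych 4
# (Ruby 3.1+) later made YAML.load safe by default.
#
# The hardened form below is the "known-good" whitelist from the post:
# YAML.safe_load builds only core scalars and collections (String, Integer,
# Float, Hash, Array, true/false/nil) plus the classes listed explicitly.
# Symbols, aliases and every other tag are rejected.
PERMITTED = [Date].freeze

# Returns [:ok, data] on success, or [:rejected, message] when the document
# asks for something outside the whitelist, so the caller can log it as a
# suspicious input rather than failing silently.
def parse_untrusted_yaml(text)
  data = YAML.safe_load(text, permitted_classes: PERMITTED,
                              permitted_symbols: [],
                              aliases: false)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
rescue Psych::SyntaxError => e
  [:rejected, "malformed YAML: #{e.message}"]
end

# Constructed sample documents (hypothetical, not from the post).
BENIGN     = "name: example\nretries: 3\nsince: 2013-01-08\n"
OBJECT_TAG = "--- !ruby/object:Object {}\n"   # class instantiation request
SYMBOL_DOC = "--- :admin\n"                   # Symbol outside the whitelist
ALIAS_DOC  = "a: &x [1, 2]\nb: *x\n"          # aliases disabled above

if __FILE__ == $PROGRAM_NAME
  [BENIGN, OBJECT_TAG, SYMBOL_DOC, ALIAS_DOC].each do |doc|
    status, detail = parse_untrusted_yaml(doc)
    puts "#{status}: #{detail.inspect}"
  end
end
```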
The CWE-428 Unquoted Search Path or Element weakness has been found four times, in virtualization solutions, and affected the Windows platform. The use of unquoted delimiters in file and folder names may provide an attacker with access to the file system to execute a program with the privileges of the vulnerable application. It depends heavily on the underlying system, and even though Linux platforms are not entirely immune, it is more pervasive on Windows operating systems.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), together with CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') and CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), remain the top weaknesses in applications with a web interface (see OWASP Top 10 2013).
CWE uses the term primary weakness to describe the root cause - the initial weakness that can create the conditions necessary to cause another weakness. A resultant weakness is only exposed after the previous weakness in the chain has been exploited.
Top 5 resultant weaknesses in 2013
The number one resultant weakness in 2013 was CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer, or simply Buffer Error. This is a more abstract type of weakness and covers several more specific weakness bases. As this is one of the more studied problems in software security, automated tools that allow detection of such problems early in the development life cycle are available. Despite four occurrences, the ratio of buffer related vulnerabilities has significantly dropped compared to previous years: in 2012, eight out of twenty-two vulnerabilities were related to the CWE-119 weakness, and fifteen out of twenty-eight in 2011.
Classification of vulnerabilities using CWE provides good feedback on the effectiveness of already implemented security practices and gives us better insight into the nature of vulnerabilities found in our software. In the future Red Hat will continue assigning CWE identifiers to critical vulnerabilities and consider extending the effort to include vulnerabilities with lower impact.