当前位置:网站首页>CWE4.8 -- The 25 most damaging software security issues in 2022
CWE4.8 -- The 25 most damaging software security issues in 2022
2022-07-31 11:37:00 【HUAWEI CLOUD】
1. CWE 4.8的变化
2022It's been half a year,继《CWE 4.7中的新视图 – 工业控制系统的安全漏洞类别》 Not yet released2个月, 6Another version will be released at the end of the month – CWE4.8.As an important standard for software security research,我们来看下这个版本有那些变化.
变化类型 | Version 4.7 | Version 4.8 |
---|---|---|
弱点 | 926 | 927 |
分类 | 351 | 352 |
视图 | 47 | 48 |
废弃 | 62 | 62 |
汇总 | 1386 | 1389 |
- It can be seen from the summary table:
- 新增1个弱点:
Weakness-Base CWE-1386:Windows 连接点/Unsafe operation on mount point(Insecure Operation on Windows Junction / Mount Point); - 新增1个分类:
CWE CATEGORY: CWE-1388:Physical access issues(Physical Access Issues and Concerns) - 新增1个视图:
View CWE-1387:CWE Top 25 (2022)(Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses).
- 新增1个弱点:
下面我们来的看下具体弱点的变动.
1.1. CWE-1386:Windows 连接点/Unsafe operation on mount point
This is a new additionWindows的问题,具体位置如下图:
This new weakness is divided in CWE-664(Inappropriate control of resources during their lifecycle)下CWE-706(Using an incorrect resolved name or index), 以及CWE-59(Inappropriate link resolution before file access(Link to follow))The next sub-weakness.
在 Windows 中,NTFS5 Allows the file system to generate reparse points for objects(reparse points).
- 连接点: Applications can create hard links from one directory to another,称为连接点.
- 挂载点: Create a mapping from directories to drive letters,称为挂载点.
WindowsA file or directory can contain a reparse point,It is a collection of user-defined data.The programs that store them and the system filters that parse the data files recognize the format of the data. When an application sets a reparse point,It will add a unique reparse tag to identify the stored data when it saves the data.When a filesystem opens a file with a reparse point,First try to find the file system filter associated with the file format identified by the reparse point,If filesystem filter is found,The filter processes the file indicated by the reparse point data.If no filter is found,Then the operation to open the file fails.
CWE-1386是由于windowsWhen opening a file or directory,If the file or directory is associated with a junction or mount point outside the control of the target,could allow an attacker to make the software read、写入、Delete or otherwise operate on unauthorized files.
If a file is used by a privileged program,It can be replaced by a hard link to a sensitive file(例如,AUTOEXEC.BAT),The attacker can then escalate privileges.When a process opens a file,An attacker can impersonate the privileges of the process,Trick privileged processes into reading、Modify or delete sensitive files,Prevent programs from processing data accurately,Operations can also point to registries and semaphores.
例如:CVE-2021-26426,Privileged services allow attackers to use directory joins to delete unauthorized files,resulting in SYSTEM The identity executes arbitrary code.
1.2. CWE-1388:Physical access issues
This is a new hardware classification in hardware design,具体如下图.
老样子,Hardware issues are not my forte,Don't read too much.
2. CWE-1387:CWE Top 25 (2022)
距离2021年的《CWE发布2021年最危险的25种软件缺陷》Almost exactly a year.岁月如梭,光阴似箭,好快!Another year of lotus blossoms.
- 今年的排行榜
排行 | CWE | 得分 | KEV Count (CVEs) | 变动 |
---|---|---|---|---|
1 | CWE-787:Cross-boundary memory write | 64.2 | 62 | 0 |
2 | CWE-79:在WebInappropriate escaping of input during page generation(跨站脚本) | 45.97 | 2 | 0 |
3 | CWE-89:SQL命令中使用的特殊元素转义处理不恰当(SQL注入) | 22.11 | 7 | ![]() |
4 | CWE-20:Inappropriate input validation | 20.63 | 20 | 0 |
5 | CWE-125:Cross-boundary memory read | 17.67 | 1 | ![]() |
6 | CWE-78:OS命令中使用的特殊元素转义处理不恰当(OS命令注入) | 17.53 | 32 | ![]() |
7 | CWE-416:释放后使用 | 15.5 | 28 | 0 |
8 | CWE-22:Inappropriate restrictions on pathnames(路径遍历) | 14.08 | 19 | 0 |
9 | CWE-352:跨站请求伪造(CSRF) | 11.53 | 1 | 0 |
10 | CWE-434:Unrestricted upload of dangerous types of files | 9.56 | 6 | 0 |
11 | CWE-476:空指针解引用 | 7.15 | 0 | ![]() |
12 | CWE-502:不可信数据的反序列化 | 6.68 | 7 | ![]() |
13 | CWE-190:Integer overflow or out-of-bounds wraparound | 6.53 | 2 | ![]() |
14 | CWE-287:The authentication mechanism is inappropriate | 6.35 | 4 | 0 |
15 | CWE-798:Use hardcoded credentials | 5.66 | 0 | ![]() |
16 | CWE-862:授权机制缺失 | 5.53 | 1 | ![]() |
17 | CWE-77:在命令中使用的特殊元素转义处理不恰当(命令注入) | 5.42 | 5 | ![]() |
18 | CWE-306:关键功能的认证机制缺失 | 5.15 | 6 | ![]() |
19 | CWE-119:内存缓冲区边界内操作的限制不恰当 | 4.85 | 6 | ![]() |
20 | CWE-276:The default permissions are incorrect | 4.84 | 0 | ![]() |
21 | CWE-918:服务端请求伪造(SSRF) | 4.27 | 8 | ![]() |
22 | CWE-362:Improper synchronization of concurrent executions using shared resources(竞争条件) | 3.57 | 6 | ![]() |
23 | CWE-400:未加控制的资源消耗(资源耗尽) | 3.56 | 2 | ![]() |
24 | CWE-611:XMLInappropriate restrictions on external entity references(XXE) | 3.38 | 0 | ![]() |
25 | CWE-94:对生成代码的控制不恰当(代码注入) | 3.32 | 4 | ![]() |
This ranking isCWE的团队,According to the National Institute of Standards and Technology (National Institute of Standards and Technology(NIST))的 国家漏洞库(National Vulnerability Database(NVD)) 记录的披露漏洞(Common Vulnerabilities and Exposures(CVE)), and the Cybersecurity and Infrastructure Security Agency (Cybersecurity and Infrastructure Security Agency(CISA))的Directory of known disclosed vulnerabilities(Known Exploited Vulnerabilities (KEV)), 通过通用缺陷评分系统(Common Vulnerability Scoring System (CVSS))Score each defect.Ranked statistics2020 到 2021年的37,899 个CVE,And through a formula for the incidence and severity of the problem,Finally get the rank of the question.具体算法可参考《话说CWE 4.2的新视图》.
2.1. Ranking changes
The specific changes are as follows:
The fastest rising list:
- CWE-362:Improper synchronization of concurrent executions using shared resources(竞争条件): 从 33 上升到 22;
- CWE-94:对生成代码的控制不恰当(代码注入): 从 28 上升到 25;
- CWE-400:未加控制的资源消耗(资源穷尽): 从 27 上升到 23;
- CWE-77:在命令中使用的特殊元素转义处理不恰当(命令注入)): 从25 上升到 17;
- CWE-476:空指针解引用: 从 15 上升到 11.
The fastest declining list:
- CWE-306:关键功能的认证机制缺失: 从 11 下降到 18;
- CWE-200:信息泄露: 从 20 下降到 33;
- CWE-522:Inadequate credential protection mechanisms: 从 21 下降到 38;
- CWE-732:Incorrect permission grant for critical resources: 从 22 下降到 30.
新进前25的有:
- CWE-362:Improper synchronization of concurrent executions using shared resources(竞争条件): 从 33 上升到 22;
- CWE-94:对生成代码的控制不恰当(代码注入): 从 28 上升到 25;
- CWE-400:未加控制的资源消耗(资源穷尽): 从 27 上升到 23;
跌出前25的有:
- CWE-200:信息泄露: 从 20 下降到 33;
- CWE-522:Inadequate credential protection mechanisms: 从 21 下降到 38;
- CWE-732:Incorrect permission grant for critical resources: 从 22 下降到 30.
2.2. TOP 25score details
排名 | CWE | NVD计数 | Avg CVSS | 总分 |
---|---|---|---|---|
1 | CWE-787:Cross-boundary memory write | 4123 | 7.93 | 64.2 |
2 | CWE-79:在WebInappropriate escaping of input during page generation(跨站脚本) | 4740 | 5.73 | 45.97 |
3 | CWE-89:SQL命令中使用的特殊元素转义处理不恰当(SQL注入) | 1263 | 8.66 | 22.11 |
4 | CWE-20:Inappropriate input validation | 1520 | 7.19 | 20.63 |
5 | CWE-125:Cross-boundary memory read | 1489 | 6.54 | 17.67 |
6 | CWE-78:OS命令中使用的特殊元素转义处理不恰当(OS命令注入) | 999 | 8.67 | 17.53 |
7 | CWE-416:释放后使用 | 1021 | 7.79 | 15.5 |
8 | CWE-22:Inappropriate restrictions on pathnames(路径遍历) | 1010 | 7.32 | 14.08 |
9 | CWE-352:跨站请求伪造(CSRF) | 847 | 7.2 | 11.53 |
10 | CWE-434:Unrestricted upload of dangerous types of files | 551 | 8.61 | 9.56 |
11 | CWE-476:空指针解引用 | 611 | 6.49 | 7.15 |
12 | CWE-502:不可信数据的反序列化 | 378 | 8.73 | 6.68 |
13 | CWE-190:Integer overflow or out-of-bounds wraparound | 452 | 7.52 | 6.53 |
14 | CWE-287:The authentication mechanism is inappropriate | 412 | 7.88 | 6.35 |
15 | CWE-798:Use hardcoded credentials | 333 | 8.48 | 5.66 |
16 | CWE-862:授权机制缺失 | 468 | 6.53 | 5.53 |
17 | CWE-77:在命令中使用的特殊元素转义处理不恰当(命令注入) | 325 | 8.36 | 5.42 |
18 | CWE-306:关键功能的认证机制缺失 | 328 | 8 | 5.15 |
19 | CWE-119:内存缓冲区边界内操作的限制不恰当 | 323 | 7.73 | 4.85 |
20 | CWE-276:The default permissions are incorrect | 368 | 7.04 | 4.84 |
21 | CWE-918:服务端请求伪造(SSRF) | 317 | 7.16 | 4.27 |
22 | CWE-362:Improper synchronization of concurrent executions using shared resources(竞争条件) | 301 | 6.56 | 3.57 |
23 | CWE-400:未加控制的资源消耗(资源耗尽) | 277 | 6.93 | 3.56 |
24 | CWE-611:XMLInappropriate restrictions on external entity references(XXE) | 232 | 7.58 | 3.38 |
25 | CWE-94:对生成代码的控制不恰当(代码注入) | 192 | 8.6 | 3.32 |
2.3. Ranking improvements
In order to better let people understand the characteristics of each defect,on the defect mapping,Try to map to more fine-grained defect enumeration types,比如base、Variant、Compound,This helps to solve the problem from a more fine-grained level.所以TOP 25中的CWEThe type is gradually moving away from the pillars(pillar)、类(Class) Enumerate types to finer strength defectsbase、Variant、Compoundover.
比如:
- Class/Pillar 从2020年的36%,降到现在的28%;
- Class 从2019年的43%,降到现在的16%;
- Base/Var/Comp 从2019年的 57%上升到84%.
Year | 2019 | % | 2020 | % | 2021 | % | 2022 | % |
---|---|---|---|---|---|---|---|---|
Unique Class/Pillar CWEs | 7 | 28% | 9 | 36% | 8 | 32% | 7 | 28% |
Unique Base/Variant/Compound CWEs | 18 | 72% | 16 | 64% | 17 | 68% | 18 | 72% |
Mappings to Class | 9548 | 43% | 6450 | 30% | 3058 | 17% | 3626 | 16% |
Mappings to Base/Var/Comp | 12411 | 57% | 14772 | 70% | 14839 | 83% | 19254 | 84% |
Total Maps with Top 25 CWEs | 21959 | 0% | 21222 | 0% | 17897 | 0% | 22880 | 0% |
Maps to All CWEs | 26341 | 0% | 27168 | 0% | 24282 | 0% | 30681 | 0% |
Maps to Bases | 10919 | 50% | 12988 | 61% | 13291 | 74% | 17386 | 76% |
Maps to Variants | 799 | 4% | 918 | 4% | 807 | 5% | 1021 | 4% |
Maps to Compounds | 693 | 3% | 866 | 4% | 741 | 4% | 847 | 4% |
- 注:CWESee the enumeration type for details:《话说CWE 4.2的新视图》.
3. 结论
- 缓冲区溢出
- Problems caused by external input and
4. 参考
边栏推荐
- xmind使用指南(XMind具有下列哪些功能)
- 准确率(Accuracy)、精度(Precision)、召回率(Recall)和 mAP 的图解
- 《MySQL高级篇》五、InnoDB数据存储结构
- MySQL row-level locks (row locks, adjacent key locks, gap locks)
- 《MySQL高级篇》四、索引的存储结构
- SAP Commerce Cloud Product Review 的添加逻辑
- 一文带你了解redux的工作流程——actionreducerstore
- LeetCode 1161.最大层内元素和:层序遍历
- ApiPost is really fragrant and powerful, it's time to throw away Postman and Swagger
- Docker installs canal and mysql for simple testing and achieves cache consistency between redis and mysql
猜你喜欢
安装MYSQL遇到问题:write configuration file卡主
ApiPost is really fragrant and powerful, it's time to throw away Postman and Swagger
IDEA configure method annotation automatic parameters
学习爬虫之Scrapy框架学习(1)---Scrapy框架初学习及豆瓣top250电影信息获取的实战!
502 bad gateway原因、解决方法
一、excel转pdf格式jacob.jar
DCM 中间件家族迎来新成员
redis-enterprise use
IDEA 配置方法注释自动参数
MySql模糊查询大全
随机推荐
便利贴--46{基于移动端长页中分页加载逻辑封装}
St. Regis Takeaway Project: New dishes and dishes paged query
Detailed tutorial on distributed transaction Seata
在 Excel 里使用 ODBC 读取 SAP BTP 平台上 CDS view 的数据
在 Excel 内使用 ODBC 消费 SAP ABAP CDS view
Use jOOQ to write vendor-agnostic SQL with JPA's native query or @Formula.
《MySQL高级篇》四、索引的存储结构
musl Reference Manual
Obsidian设置图床
无法将“node.exe”项识别为 cmdlet、函数、脚本文件或可运行程序的名称。
Unix知识:shell详细解读
IDEA 配置方法注释自动参数
Redis - Basics
Yarn安装配置(vsftpd安装配置)
Docker实践经验:Docker 上部署 mysql8 主从复制
2022/7/30
Use ODBC in Excel to read data from CDS view on SAP BTP platform
准确率(Accuracy)、精度(Precision)、召回率(Recall)和 mAP 的图解
PyQt5快速开发与实战 9.5 PyQtGraph在PyQt中的应用 && 9.6 Plotly在PyQt中的应用
三六零与公安部三所发布报告:关基设施保护成为网络安全博弈关键