当前位置:网站首页>CWE4.8 -- The 25 most damaging software security issues in 2022
CWE4.8 -- The 25 most damaging software security issues in 2022
2022-07-31 11:37:00 【HUAWEI CLOUD】
1. CWE 4.8的变化
2022It's been half a year,继《CWE 4.7中的新视图 – 工业控制系统的安全漏洞类别》 Not yet released2个月, 6Another version will be released at the end of the month – CWE4.8.As an important standard for software security research,我们来看下这个版本有那些变化.
变化类型 | Version 4.7 | Version 4.8 |
---|---|---|
弱点 | 926 | 927 |
分类 | 351 | 352 |
视图 | 47 | 48 |
废弃 | 62 | 62 |
汇总 | 1386 | 1389 |
- It can be seen from the summary table:
- 新增1个弱点:
Weakness-Base CWE-1386:Windows 连接点/Unsafe operation on mount point(Insecure Operation on Windows Junction / Mount Point); - 新增1个分类:
CWE CATEGORY: CWE-1388:Physical access issues(Physical Access Issues and Concerns) - 新增1个视图:
View CWE-1387:CWE Top 25 (2022)(Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses).
- 新增1个弱点:
下面我们来的看下具体弱点的变动.
1.1. CWE-1386:Windows 连接点/Unsafe operation on mount point
This is a new additionWindows的问题,具体位置如下图:
This new weakness is divided in CWE-664(Inappropriate control of resources during their lifecycle)下CWE-706(Using an incorrect resolved name or index), 以及CWE-59(Inappropriate link resolution before file access(Link to follow))The next sub-weakness.
在 Windows 中,NTFS5 Allows the file system to generate reparse points for objects(reparse points).
- 连接点: Applications can create hard links from one directory to another,称为连接点.
- 挂载点: Create a mapping from directories to drive letters,称为挂载点.
WindowsA file or directory can contain a reparse point,It is a collection of user-defined data.The programs that store them and the system filters that parse the data files recognize the format of the data. When an application sets a reparse point,It will add a unique reparse tag to identify the stored data when it saves the data.When a filesystem opens a file with a reparse point,First try to find the file system filter associated with the file format identified by the reparse point,If filesystem filter is found,The filter processes the file indicated by the reparse point data.If no filter is found,Then the operation to open the file fails.
CWE-1386是由于windowsWhen opening a file or directory,If the file or directory is associated with a junction or mount point outside the control of the target,could allow an attacker to make the software read、写入、Delete or otherwise operate on unauthorized files.
If a file is used by a privileged program,It can be replaced by a hard link to a sensitive file(例如,AUTOEXEC.BAT),The attacker can then escalate privileges.When a process opens a file,An attacker can impersonate the privileges of the process,Trick privileged processes into reading、Modify or delete sensitive files,Prevent programs from processing data accurately,Operations can also point to registries and semaphores.
例如:CVE-2021-26426,Privileged services allow attackers to use directory joins to delete unauthorized files,resulting in SYSTEM The identity executes arbitrary code.
1.2. CWE-1388:Physical access issues
This is a new hardware classification in hardware design,具体如下图.
老样子,Hardware issues are not my forte,Don't read too much.
2. CWE-1387:CWE Top 25 (2022)
距离2021年的《CWE发布2021年最危险的25种软件缺陷》Almost exactly a year.岁月如梭,光阴似箭,好快!Another year of lotus blossoms.
- 今年的排行榜
排行 | CWE | 得分 | KEV Count (CVEs) | 变动 |
---|---|---|---|---|
1 | CWE-787:Cross-boundary memory write | 64.2 | 62 | 0 |
2 | CWE-79:在WebInappropriate escaping of input during page generation(跨站脚本) | 45.97 | 2 | 0 |
3 | CWE-89:SQL命令中使用的特殊元素转义处理不恰当(SQL注入) | 22.11 | 7 | ![]() |
4 | CWE-20:Inappropriate input validation | 20.63 | 20 | 0 |
5 | CWE-125:Cross-boundary memory read | 17.67 | 1 | ![]() |
6 | CWE-78:OS命令中使用的特殊元素转义处理不恰当(OS命令注入) | 17.53 | 32 | ![]() |
7 | CWE-416:释放后使用 | 15.5 | 28 | 0 |
8 | CWE-22:Inappropriate restrictions on pathnames(路径遍历) | 14.08 | 19 | 0 |
9 | CWE-352:跨站请求伪造(CSRF) | 11.53 | 1 | 0 |
10 | CWE-434:Unrestricted upload of dangerous types of files | 9.56 | 6 | 0 |
11 | CWE-476:空指针解引用 | 7.15 | 0 | ![]() |
12 | CWE-502:不可信数据的反序列化 | 6.68 | 7 | ![]() |
13 | CWE-190:Integer overflow or out-of-bounds wraparound | 6.53 | 2 | ![]() |
14 | CWE-287:The authentication mechanism is inappropriate | 6.35 | 4 | 0 |
15 | CWE-798:Use hardcoded credentials | 5.66 | 0 | ![]() |
16 | CWE-862:授权机制缺失 | 5.53 | 1 | ![]() |
17 | CWE-77:在命令中使用的特殊元素转义处理不恰当(命令注入) | 5.42 | 5 | ![]() |
18 | CWE-306:关键功能的认证机制缺失 | 5.15 | 6 | ![]() |
19 | CWE-119:内存缓冲区边界内操作的限制不恰当 | 4.85 | 6 | ![]() |
20 | CWE-276:The default permissions are incorrect | 4.84 | 0 | ![]() |
21 | CWE-918:服务端请求伪造(SSRF) | 4.27 | 8 | ![]() |
22 | CWE-362:Improper synchronization of concurrent executions using shared resources(竞争条件) | 3.57 | 6 | ![]() |
23 | CWE-400:未加控制的资源消耗(资源耗尽) | 3.56 | 2 | ![]() |
24 | CWE-611:XMLInappropriate restrictions on external entity references(XXE) | 3.38 | 0 | ![]() |
25 | CWE-94:对生成代码的控制不恰当(代码注入) | 3.32 | 4 | ![]() |
This ranking isCWE的团队,According to the National Institute of Standards and Technology (National Institute of Standards and Technology(NIST))的 国家漏洞库(National Vulnerability Database(NVD)) 记录的披露漏洞(Common Vulnerabilities and Exposures(CVE)), and the Cybersecurity and Infrastructure Security Agency (Cybersecurity and Infrastructure Security Agency(CISA))的Directory of known disclosed vulnerabilities(Known Exploited Vulnerabilities (KEV)), 通过通用缺陷评分系统(Common Vulnerability Scoring System (CVSS))Score each defect.Ranked statistics2020 到 2021年的37,899 个CVE,And through a formula for the incidence and severity of the problem,Finally get the rank of the question.具体算法可参考《话说CWE 4.2的新视图》.
2.1. Ranking changes
The specific changes are as follows:
The fastest rising list:
- CWE-362:Improper synchronization of concurrent executions using shared resources(竞争条件): 从 33 上升到 22;
- CWE-94:对生成代码的控制不恰当(代码注入): 从 28 上升到 25;
- CWE-400:未加控制的资源消耗(资源穷尽): 从 27 上升到 23;
- CWE-77:在命令中使用的特殊元素转义处理不恰当(命令注入)): 从25 上升到 17;
- CWE-476:空指针解引用: 从 15 上升到 11.
The fastest declining list:
- CWE-306:关键功能的认证机制缺失: 从 11 下降到 18;
- CWE-200:信息泄露: 从 20 下降到 33;
- CWE-522:Inadequate credential protection mechanisms: 从 21 下降到 38;
- CWE-732:Incorrect permission grant for critical resources: 从 22 下降到 30.
新进前25的有:
- CWE-362:Improper synchronization of concurrent executions using shared resources(竞争条件): 从 33 上升到 22;
- CWE-94:对生成代码的控制不恰当(代码注入): 从 28 上升到 25;
- CWE-400:未加控制的资源消耗(资源穷尽): 从 27 上升到 23;
跌出前25的有:
- CWE-200:信息泄露: 从 20 下降到 33;
- CWE-522:Inadequate credential protection mechanisms: 从 21 下降到 38;
- CWE-732:Incorrect permission grant for critical resources: 从 22 下降到 30.
2.2. TOP 25score details
排名 | CWE | NVD计数 | Avg CVSS | 总分 |
---|---|---|---|---|
1 | CWE-787:Cross-boundary memory write | 4123 | 7.93 | 64.2 |
2 | CWE-79:在WebInappropriate escaping of input during page generation(跨站脚本) | 4740 | 5.73 | 45.97 |
3 | CWE-89:SQL命令中使用的特殊元素转义处理不恰当(SQL注入) | 1263 | 8.66 | 22.11 |
4 | CWE-20:Inappropriate input validation | 1520 | 7.19 | 20.63 |
5 | CWE-125:Cross-boundary memory read | 1489 | 6.54 | 17.67 |
6 | CWE-78:OS命令中使用的特殊元素转义处理不恰当(OS命令注入) | 999 | 8.67 | 17.53 |
7 | CWE-416:释放后使用 | 1021 | 7.79 | 15.5 |
8 | CWE-22:Inappropriate restrictions on pathnames(路径遍历) | 1010 | 7.32 | 14.08 |
9 | CWE-352:跨站请求伪造(CSRF) | 847 | 7.2 | 11.53 |
10 | CWE-434:Unrestricted upload of dangerous types of files | 551 | 8.61 | 9.56 |
11 | CWE-476:空指针解引用 | 611 | 6.49 | 7.15 |
12 | CWE-502:不可信数据的反序列化 | 378 | 8.73 | 6.68 |
13 | CWE-190:Integer overflow or out-of-bounds wraparound | 452 | 7.52 | 6.53 |
14 | CWE-287:The authentication mechanism is inappropriate | 412 | 7.88 | 6.35 |
15 | CWE-798:Use hardcoded credentials | 333 | 8.48 | 5.66 |
16 | CWE-862:授权机制缺失 | 468 | 6.53 | 5.53 |
17 | CWE-77:在命令中使用的特殊元素转义处理不恰当(命令注入) | 325 | 8.36 | 5.42 |
18 | CWE-306:关键功能的认证机制缺失 | 328 | 8 | 5.15 |
19 | CWE-119:内存缓冲区边界内操作的限制不恰当 | 323 | 7.73 | 4.85 |
20 | CWE-276:The default permissions are incorrect | 368 | 7.04 | 4.84 |
21 | CWE-918:服务端请求伪造(SSRF) | 317 | 7.16 | 4.27 |
22 | CWE-362:Improper synchronization of concurrent executions using shared resources(竞争条件) | 301 | 6.56 | 3.57 |
23 | CWE-400:未加控制的资源消耗(资源耗尽) | 277 | 6.93 | 3.56 |
24 | CWE-611:XMLInappropriate restrictions on external entity references(XXE) | 232 | 7.58 | 3.38 |
25 | CWE-94:对生成代码的控制不恰当(代码注入) | 192 | 8.6 | 3.32 |
2.3. Ranking improvements
In order to better let people understand the characteristics of each defect,on the defect mapping,Try to map to more fine-grained defect enumeration types,比如base、Variant、Compound,This helps to solve the problem from a more fine-grained level.所以TOP 25中的CWEThe type is gradually moving away from the pillars(pillar)、类(Class) Enumerate types to finer strength defectsbase、Variant、Compoundover.
比如:
- Class/Pillar 从2020年的36%,降到现在的28%;
- Class 从2019年的43%,降到现在的16%;
- Base/Var/Comp 从2019年的 57%上升到84%.
Year | 2019 | % | 2020 | % | 2021 | % | 2022 | % |
---|---|---|---|---|---|---|---|---|
Unique Class/Pillar CWEs | 7 | 28% | 9 | 36% | 8 | 32% | 7 | 28% |
Unique Base/Variant/Compound CWEs | 18 | 72% | 16 | 64% | 17 | 68% | 18 | 72% |
Mappings to Class | 9548 | 43% | 6450 | 30% | 3058 | 17% | 3626 | 16% |
Mappings to Base/Var/Comp | 12411 | 57% | 14772 | 70% | 14839 | 83% | 19254 | 84% |
Total Maps with Top 25 CWEs | 21959 | 0% | 21222 | 0% | 17897 | 0% | 22880 | 0% |
Maps to All CWEs | 26341 | 0% | 27168 | 0% | 24282 | 0% | 30681 | 0% |
Maps to Bases | 10919 | 50% | 12988 | 61% | 13291 | 74% | 17386 | 76% |
Maps to Variants | 799 | 4% | 918 | 4% | 807 | 5% | 1021 | 4% |
Maps to Compounds | 693 | 3% | 866 | 4% | 741 | 4% | 847 | 4% |
- 注:CWESee the enumeration type for details:《话说CWE 4.2的新视图》.
3. 结论
- 缓冲区溢出
- Problems caused by external input and
4. 参考
边栏推荐
- 文件包含漏洞
- Distributed id solution
- Redis学习笔记-3.慢查询和其他高级数据结构
- IDEA configure method annotation automatic parameters
- 分布式id解决方案
- Yarn安装配置(vsftpd安装配置)
- 3.网页信息解析方法:Xpath与BeautifulSoup
- MySQL 的 limit 分页查询及性能问题
- Life is endless, there are more questions, simple questions to learn knowledge points
- 一文带你了解redux的工作流程——actionreducerstore
猜你喜欢
基于C51实现按键控制
Distributed id solution
5 个开源的 Rust Web 开发框架,你选择哪个?
【软件工程之美 - 专栏笔记】33 | 测试工具:为什么不应该通过QQ/微信/邮件报Bug?
ApiPost is really fragrant and powerful, it's time to throw away Postman and Swagger
初始JDBC 编程
一文吃透接口调用神器RestTemplate
Candence学习篇(11) allegro中设置规则,布局,走线,铺铜
PyQt5快速开发与实战 9.5 PyQtGraph在PyQt中的应用 && 9.6 Plotly在PyQt中的应用
Docker build Mysql master-slave replication
随机推荐
mysql根据多字段分组——group by带两个或多个参数
SQLServer2019 installation (Windows)
瑞吉外卖项目:新增菜品与菜品分页查询
Distributed Transactions - Introduction to Distributed Transactions, Distributed Transaction Framework Seata (AT Mode, Tcc Mode, Tcc Vs AT), Distributed Transactions - MQ
Android studio连接MySQL并完成简单的登录注册功能
CoCube群机器人预览→资讯剧透←
Summary of several defragmentation schemes for MySQL (to solve the problem of not releasing space after deleting a large amount of data)
502 bad gateway causes and solutions
cesium-Web网页优化进阶
AWS Amazon cloud account registration, free application for 12 months Amazon cloud server detailed tutorial
Experience innovation and iteration through the development of lucky draw mini-programs
Read through the interface to call the artifact RestTemplate
分布式事务——分布式事务简介、分布式事务框架 Seata(AT模式、Tcc模式、Tcc Vs AT)、分布式事务—MQ
apisix-入门使用篇
便利贴--46{基于移动端长页中分页加载逻辑封装}
Power BI----几个常用的分析方法和相适应的视觉对象
Android studio connects to MySQL and completes simple login and registration functions
R语言:文本(字符串)处理与正则表达式
Service discovery of kubernetes
Cloudera Manager —— 端到端的企业数据中心管理工具