1. CWE 4.8的变化

2022It's been half a year,继《CWE 4.7中的新视图 – 工业控制系统的安全漏洞类别》 Not yet released2个月, 6Another version will be released at the end of the month – CWE4.8.As an important standard for software security research,我们来看下这个版本有那些变化.

• It can be seen from the summary table：
  • 新增1个弱点：
    Weakness-Base CWE-1386:Windows 连接点/Unsafe operation on mount point(Insecure Operation on Windows Junction / Mount Point);
  • 新增1个分类：
    CWE CATEGORY: CWE-1388:Physical access issues(Physical Access Issues and Concerns)
  • 新增1个视图：
    View CWE-1387:CWE Top 25 (2022)(Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses).

下面我们来的看下具体弱点的变动.

1.1. CWE-1386:Windows 连接点/Unsafe operation on mount point

This is a new additionWindows的问题,具体位置如下图：

This new weakness is divided in CWE-664(Inappropriate control of resources during their lifecycle)下CWE-706(Using an incorrect resolved name or index), 以及CWE-59（Inappropriate link resolution before file access(Link to follow))The next sub-weakness.

在 Windows 中,NTFS5 Allows the file system to generate reparse points for objects（reparse points）.

• 连接点： Applications can create hard links from one directory to another,称为连接点.
• 挂载点： Create a mapping from directories to drive letters,称为挂载点.

WindowsA file or directory can contain a reparse point,It is a collection of user-defined data.The programs that store them and the system filters that parse the data files recognize the format of the data. When an application sets a reparse point,It will add a unique reparse tag to identify the stored data when it saves the data.When a filesystem opens a file with a reparse point,First try to find the file system filter associated with the file format identified by the reparse point,If filesystem filter is found,The filter processes the file indicated by the reparse point data.If no filter is found,Then the operation to open the file fails.

CWE-1386是由于windowsWhen opening a file or directory,If the file or directory is associated with a junction or mount point outside the control of the target,could allow an attacker to make the software read、写入、Delete or otherwise operate on unauthorized files.

If a file is used by a privileged program,It can be replaced by a hard link to a sensitive file（例如,AUTOEXEC.BAT）,The attacker can then escalate privileges.When a process opens a file,An attacker can impersonate the privileges of the process,Trick privileged processes into reading、Modify or delete sensitive files,Prevent programs from processing data accurately,Operations can also point to registries and semaphores.

例如：CVE-2021-26426,Privileged services allow attackers to use directory joins to delete unauthorized files,resulting in SYSTEM The identity executes arbitrary code.

1.2. CWE-1388:Physical access issues

This is a new hardware classification in hardware design,具体如下图.

老样子,Hardware issues are not my forte,Don't read too much.

2. CWE-1387:CWE Top 25 (2022)

距离2021年的《CWE发布2021年最危险的25种软件缺陷》Almost exactly a year.岁月如梭,光阴似箭,好快！Another year of lotus blossoms.

• 今年的排行榜

排行	CWE	得分	KEV Count (CVEs)	变动
1	CWE-787:Cross-boundary memory write	64.2	62	0
2	CWE-79:在WebInappropriate escaping of input during page generation(跨站脚本)	45.97	2	0
3	CWE-89:SQL命令中使用的特殊元素转义处理不恰当(SQL注入)	22.11	7	+3
4	CWE-20:Inappropriate input validation	20.63	20	0
5	CWE-125:Cross-boundary memory read	17.67	1	-2
6	CWE-78:OS命令中使用的特殊元素转义处理不恰当(OS命令注入)	17.53	32	-1
7	CWE-416:释放后使用	15.5	28	0
8	CWE-22:Inappropriate restrictions on pathnames(路径遍历)	14.08	19	0
9	CWE-352:跨站请求伪造(CSRF)	11.53	1	0
10	CWE-434:Unrestricted upload of dangerous types of files	9.56	6	0
11	CWE-476:空指针解引用	7.15	0	+4
12	CWE-502:不可信数据的反序列化	6.68	7	+1
13	CWE-190:Integer overflow or out-of-bounds wraparound	6.53	2	-1
14	CWE-287:The authentication mechanism is inappropriate	6.35	4	0
15	CWE-798:Use hardcoded credentials	5.66	0	+1
16	CWE-862:授权机制缺失	5.53	1	+2
17	CWE-77:在命令中使用的特殊元素转义处理不恰当(命令注入)	5.42	5	+8
18	CWE-306:关键功能的认证机制缺失	5.15	6	-7
19	CWE-119:内存缓冲区边界内操作的限制不恰当	4.85	6	-2
20	CWE-276:The default permissions are incorrect	4.84	0	-1
21	CWE-918:服务端请求伪造(SSRF)	4.27	8	+3
22	CWE-362:Improper synchronization of concurrent executions using shared resources(竞争条件)	3.57	6	+11
23	CWE-400:未加控制的资源消耗(资源耗尽)	3.56	2	+4
24	CWE-611:XMLInappropriate restrictions on external entity references(XXE)	3.38	0	-1
25	CWE-94:对生成代码的控制不恰当(代码注入)	3.32	4	+3

This ranking isCWE的团队,According to the National Institute of Standards and Technology (National Institute of Standards and Technology(NIST))的 国家漏洞库(National Vulnerability Database(NVD)) 记录的披露漏洞(Common Vulnerabilities and Exposures(CVE)), and the Cybersecurity and Infrastructure Security Agency (Cybersecurity and Infrastructure Security Agency(CISA))的Directory of known disclosed vulnerabilities(Known Exploited Vulnerabilities (KEV)), 通过通用缺陷评分系统(Common Vulnerability Scoring System (CVSS))Score each defect.Ranked statistics2020 到 2021年的37,899 个CVE,And through a formula for the incidence and severity of the problem,Finally get the rank of the question.具体算法可参考《话说CWE 4.2的新视图》.

2.1. Ranking changes

• The specific changes are as follows：
  

• The fastest rising list:

  • CWE-362：Improper synchronization of concurrent executions using shared resources(竞争条件): 从 33 上升到 22;
  • CWE-94：对生成代码的控制不恰当(代码注入): 从 28 上升到 25;
  • CWE-400：未加控制的资源消耗(资源穷尽): 从 27 上升到 23;
  • CWE-77:在命令中使用的特殊元素转义处理不恰当(命令注入)): 从25 上升到 17;
  • CWE-476:空指针解引用: 从 15 上升到 11.
    
    

• The fastest declining list:

  • CWE-306:关键功能的认证机制缺失: 从 11 下降到 18;
  • CWE-200:信息泄露: 从 20 下降到 33;
  • CWE-522:Inadequate credential protection mechanisms: 从 21 下降到 38;
  • CWE-732:Incorrect permission grant for critical resources: 从 22 下降到 30.
    
    

• 新进前25的有:

  • CWE-362：Improper synchronization of concurrent executions using shared resources(竞争条件): 从 33 上升到 22;
  • CWE-94：对生成代码的控制不恰当(代码注入): 从 28 上升到 25;
  • CWE-400：未加控制的资源消耗(资源穷尽): 从 27 上升到 23;
    
    

• 跌出前25的有:

  • CWE-200:信息泄露: 从 20 下降到 33;
  • CWE-522:Inadequate credential protection mechanisms: 从 21 下降到 38;
  • CWE-732:Incorrect permission grant for critical resources: 从 22 下降到 30.

2.2. TOP 25score details

2.3. Ranking improvements

In order to better let people understand the characteristics of each defect,on the defect mapping,Try to map to more fine-grained defect enumeration types,比如base、Variant、Compound,This helps to solve the problem from a more fine-grained level.所以TOP 25中的CWEThe type is gradually moving away from the pillars(pillar)、类（Class) Enumerate types to finer strength defectsbase、Variant、Compoundover.

比如：

• Class/Pillar 从2020年的36%,降到现在的28%;
• Class 从2019年的43%,降到现在的16%;
• Base/Var/Comp 从2019年的 57%上升到84%.

• 注：CWESee the enumeration type for details：《话说CWE 4.2的新视图》.

3. 结论

• 缓冲区溢出
• Problems caused by external input and

4. 参考

• Differences between Version 4.7 and Version 4.8
• 2022 CWE Top 25 Most Dangerous Software Weaknesses