Memory-related bugs are still the most dangerous software vulnerabilities, MITRE concludes. The annual top 25 also shows that in the year 2023, we must increasingly watch out for bugs relating to authentication and authorization steps.
The top three remain unchanged in MITRE’s CWE Top 25 Most Dangerous Software Weaknesses. For example, out-of-bounds write, a form of memory corruption, is still No. 1. In such an instance, a product writes data beyond the intended buffer, which can lead to several problems. The most obvious is a crash, for example when the software tries to write more entries than a fixed-size id array in C++ can hold. This can be exploited to crash the program in question or to achieve remote code execution, which paves the way for all sorts of malicious actions.
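To make the out-of-bounds write pattern concrete, here is an added example (not code from MITRE or from the article) in C: an append into a fixed-size id array without a capacity check, next to the hardened form that refuses the write and reports failure. The `id_list` type, `MAX_IDS` and all function names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_IDS 4

/* Fixed-size record of ids, constructed for this example. */
typedef struct {
    size_t count;
    int ids[MAX_IDS];
} id_list;

/* CWE-787 pattern: appends without checking capacity. Once count
   reaches MAX_IDS the next store lands past ids[] and corrupts whatever
   follows in memory. Kept only for contrast; it is never called here. */
void add_id_unchecked(id_list *l, int id) {
    l->ids[l->count] = id;   /* no bounds check */
    l->count++;
}

/* Hardened form: the write happens only if there is room, and the
   caller gets an explicit result instead of silent memory corruption. */
bool add_id_checked(id_list *l, int id) {
    if (l->count >= MAX_IDS)
        return false;        /* refuse the out-of-bounds write */
    l->ids[l->count++] = id;
    return true;
}

/* Try to append `requested` ids to a fresh list and return how many the
   checked version accepted; never more than MAX_IDS. */
size_t checked_fill_result(size_t requested) {
    id_list l = { 0 };
    size_t accepted = 0;
    for (size_t i = 0; i < requested; i++)
        if (add_id_checked(&l, (int)i))
            accepted++;
    return accepted;
}

int main(void) {
    /* Ask for 6 ids; only 4 fit, the remaining 2 are rejected. */
    printf("accepted %zu of 6 ids\n", checked_fill_result(6));
    return 0;
}
```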
Authorization and authentication go missing or go awry
Despite the stability in the top three, MITRE sees a laundry list of vulnerabilities related to access management on the rise. For example, they’ve spotted increases in the top 25 for “Missing Authorization” (from spot 16 to 11), “Improper Authentication” (from 14 to 13), “Improper Privilege Management” (29 to 22) and “Incorrect Authorization” (28 to 24).
All of this, along with the other threats in this area, points to a general deficiency in access management. As many organizations as possible should strive for zero-trust principles, where users are granted only the necessary access. However, that often involves access to software, not necessarily access levels within the software. MITRE’s list shows that software vendors have much to gain in this respect. For example, the biggest climber (Improper Privilege Management) shows that the product in question does not handle a user’s privileges in the desired way, which can cause even the best intentions to fall apart as implementation goes awry.