The 2010 CWE/SANS Top 25 Most Dangerous
Programming Errors was published today listing the most widespread issues
that lead to software vulnerabilities.
During the creation and review of the list we spent some time to see how
closely last year's list matched the types of flaws we deal with at Red Hat. We
first looked at all the issues that Red Hat fixed across our entire product
portfolio in the 2009 calendar year and filtered out those that had the highest
severity. All our 2009 vulnerabilities have CVSS scores, so we filtered on
those that have a CVSS base score of 7.0 or above[1].
There were 22 vulnerabilities that matched, and we mapped each one to the
most appropriate CWE. This gives us 11 flaw types which led
to the most severe flaws affecting Red Hat in 2009:
| CWE | CWE Description | CWE/SANS top 25? | Number of Vulnerabilities |
| --- | --- | --- | --- |
| CWE-476 | NULL Pointer Dereference | No (on cusp) | 6 |
| CWE-120 | Buffer Copy without Checking Size of Input | Yes | 3 |
| CWE-129 | Improper Validation of Array Index | Yes | 3 |
| CWE-131 | Incorrect Calculation of Buffer Size | Yes | 3 |
| CWE-78 | OS Command Injection | Yes | 1 |
| CWE-285 | Improper Access Control (Authorization) | Yes | 1 |
| CWE-362 | Race Condition | Yes | 1 |
| CWE-330 | Use of Insufficiently Random Values | No (on cusp) | 1 |
| CWE-590 | Free of Memory not on the Heap | No | 1 |
| CWE-672 | Use of a Resource after Expiration or Release | No (on cusp) | 1 |
| CWE-772 | Missing Release of Resource after Effective Lifetime | No (on cusp) | 1 |
10 of the 11 CWE are mentioned in the 2010 CWE/SANS document, although 4 of them
are on "the cusp" and didn't make it into the top 25.
This quick review shows us that 2009 was the year of the kernel NULL pointer
dereference flaw: these flaws could allow local untrusted users to gain
privileges, and several public exploits to do just that were released. For
Red Hat, interactions with SELinux prevented these flaws from being easily
mitigated until the end of the year, when we provided updates.
Now, in 2010, the upstream Linux kernel and many vendors ship with
protections to prevent kernel NULL pointers leading to privilege escalation.
So although 2009 was the year where CWE-476 mattered to Linux administrators, it
didn't make the SANS/CWE top 25 as this flaw type should not lead to
severe issues (as long as the protections remain sufficient).
Here is a breakdown with the complete data set to show the CVSS scores and
packages affected:
| CVE | CWE | top 25? | CVSS base | Fixed in |
| --- | --- | --- | --- | --- |
| CVE-2008-5182 | CWE-362 | Yes | 7.2 | Red Hat Enterprise Linux 5 (kernel) |
| CVE-2009-0065 | CWE-129 | Yes | 8.3 | Red Hat Enterprise Linux 4,5,MRG (kernel) |
| CVE-2009-0692 | CWE-120 | Yes | 8.3 | Red Hat Enterprise Linux 3,4 (dhcp) |
| CVE-2009-0778 | CWE-772 | No (on cusp) | 7.1 | Red Hat Enterprise Linux 5 (kernel) |
| CVE-2009-0846 | CWE-590 | No | 9.3 | Red Hat Enterprise Linux 2.1, 3 (krb5) [2] |
| CVE-2009-1185 | CWE-131 | Yes | 7.2 | Red Hat Enterprise Linux 5 (udev) |
| CVE-2009-1385 | CWE-129 | Yes | 7.1 | Red Hat Enterprise Linux 3,4,5,MRG (kernel) |
| CVE-2009-1439 | CWE-131 | Yes | 7.1 | Red Hat Enterprise Linux 4,5,MRG (kernel) |
| CVE-2009-1579 | CWE-78 | Yes | 7.5 | Red Hat Enterprise Linux 3,4,5 (squirrelmail) |
| CVE-2009-1633 | CWE-131 | Yes | 7.1 | Red Hat Enterprise Linux 4,5,MRG (kernel) |
| CVE-2009-2406 | CWE-120 | Yes | 7.2 | Red Hat Enterprise Linux 5 (kernel) |
| CVE-2009-2407 | CWE-120 | Yes | 7.2 | Red Hat Enterprise Linux 5 (kernel) |
| CVE-2009-2692 | CWE-476 | No (on cusp) | 7.2 | Red Hat Enterprise Linux 3,4,5,MRG (kernel) |
| CVE-2009-2694 | CWE-129 | Yes | 7.5 | Red Hat Enterprise Linux 3,4,5 (pidgin) |
| CVE-2009-2698 | CWE-476 | No (on cusp) | 7.2 | Red Hat Enterprise Linux 3,4,5 (kernel) |
| CVE-2009-2848 | CWE-672 | No (on cusp) | 7.2 | Red Hat Enterprise Linux 3,4,5,MRG (kernel) |
| CVE-2009-2908 | CWE-476 | No (on cusp) | 7.2 | Red Hat Enterprise Linux 5 (kernel) |
| CVE-2009-3238 | CWE-330 | No (on cusp) | 7.8 | Red Hat Enterprise Linux 4,5,MRG (kernel) |
| CVE-2009-3290 | CWE-285 | Yes | 7.2 | Red Hat Enterprise Linux 5 (kvm) |
| CVE-2009-3547 | CWE-476 | No (on cusp) | 7.2 | Red Hat Enterprise Linux 3,4,5,MRG (kernel) |
| CVE-2009-3620 | CWE-476 | No (on cusp) | 7.2 | Red Hat Enterprise Linux 4,5,MRG (kernel) |
| CVE-2009-3726 | CWE-476 | No (on cusp) | 7.2 | Red Hat Enterprise Linux 5,MRG (kernel) |
[1] NIST NVD rate vulnerabilities as "High" severity if they have a CVSS base
score of 7.0-10.0. This ends up excluding flaws in web browsers such as Firefox
which can have a maximum CVSS base score of 6.8.
[2] Red Hat Enterprise Linux 4 and 5 were also affected by this vulnerability,
but with a lower CVSS base score of 4.3, due to the extra runtime pointer
checking.
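
The filter-and-tally described in this post, run over the page's own data set; this is an added example, not code from the original post. The function names and the plain-text row format are assumptions, and the extra 4.3 row comes from footnote [2] to show a CVE being kept on its highest per-product score.

```python
from collections import Counter

# Transcribed from the page's data set: CVE, CWE, CVSS base score.
# The 4.3 row is the RHEL 4/5 score for CVE-2009-0846 from footnote [2].
DATA = """\
CVE-2008-5182 CWE-362 7.2
CVE-2009-0065 CWE-129 8.3
CVE-2009-0692 CWE-120 8.3
CVE-2009-0778 CWE-772 7.1
CVE-2009-0846 CWE-590 9.3
CVE-2009-0846 CWE-590 4.3
CVE-2009-1185 CWE-131 7.2
CVE-2009-1385 CWE-129 7.1
CVE-2009-1439 CWE-131 7.1
CVE-2009-1579 CWE-78 7.5
CVE-2009-1633 CWE-131 7.1
CVE-2009-2406 CWE-120 7.2
CVE-2009-2407 CWE-120 7.2
CVE-2009-2692 CWE-476 7.2
CVE-2009-2694 CWE-129 7.5
CVE-2009-2698 CWE-476 7.2
CVE-2009-2848 CWE-672 7.2
CVE-2009-2908 CWE-476 7.2
CVE-2009-3238 CWE-330 7.8
CVE-2009-3290 CWE-285 7.2
CVE-2009-3547 CWE-476 7.2
CVE-2009-3620 CWE-476 7.2
CVE-2009-3726 CWE-476 7.2
"""
# Top 25 status per CWE, from the page's summary table.
TOP25 = {"CWE-120", "CWE-129", "CWE-131", "CWE-78", "CWE-285", "CWE-362"}
CUSP = {"CWE-476", "CWE-330", "CWE-672", "CWE-772"}

def high_severity(text, threshold=7.0):
    """Map each CVE to its CWE if its highest base score meets the threshold."""
    best = {}
    for line in text.strip().splitlines():
        cve, cwe, score = line.split()
        best[cve] = (cwe, max(float(score), best.get(cve, (cwe, 0.0))[1]))
    return {cve: cwe for cve, (cwe, s) in best.items() if s >= threshold}

def tally(text, threshold=7.0):  # high-severity CVEs counted per CWE
    return Counter(high_severity(text, threshold).values())

def coverage(counts):
    """Number of CWEs in the Top 25, on the cusp, and in neither list."""
    in_top = sum(1 for c in counts if c in TOP25)
    on_cusp = sum(1 for c in counts if c in CUSP)
    return in_top, on_cusp, len(counts) - in_top - on_cusp
```

`tally(DATA).most_common()` gives the summary table's ordering, and `coverage(tally(DATA))` gives the split behind the "10 of the 11" statement.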
Hi! I'm Mark Cox. This blog gives my
thoughts and opinions on my security
work, open source, fedora, home automation,
and other topics.