Blog entry by Les Bell
by Les Bell - Friday, 30 June 2023, 10:46 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


MITRE Updates Top 25 Most Dangerous Software Vulnerabilities

The Homeland Security Systems Engineering and Development Institute, which is operated for the DHS by MITRE, has released its 2023 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. This is calculated by analyzing the last two years' public vulnerability data in the National Vulnerability Database (NVD) - that's 43,996 CVE records - for root cause mappings to CWE weaknesses. The 2023 CWE Top 25 also incorporates updated data for recent CVE records in the database that underlies CISA's Known Exploited Vulnerabilities (KEV) Catalog.

The top 25 are:

  1. Out-of-bounds Write CWE-787
  2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79
  3. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-89
  4. Use After Free CWE-416
  5. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-78
  6. Improper Input Validation CWE-20
  7. Out-of-bounds Read CWE-125
  8. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-22
  9. Cross-Site Request Forgery (CSRF) CWE-352
  10. Unrestricted Upload of File with Dangerous Type CWE-434
  11. Missing Authorization CWE-862
  12. NULL Pointer Dereference CWE-476
  13. Improper Authentication CWE-287
  14. Integer Overflow or Wraparound CWE-190
  15. Deserialization of Untrusted Data CWE-502
  16. Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-77
  17. Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119
  18. Use of Hard-coded Credentials CWE-798
  19. Server-Side Request Forgery (SSRF) CWE-918
  20. Missing Authentication for Critical Function CWE-306
  21. Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-362
  22. Improper Privilege Management CWE-269
  23. Improper Control of Generation of Code ('Code Injection') CWE-94
  24. Incorrect Authorization CWE-863
  25. Incorrect Default Permissions CWE-276

There are a couple of new entrants in the list: 22. Improper Privilege Management shot up from 29th position last year, while 24. Incorrect Authorization moved from #28. Also rocketing up the charts were 4. Use After Free (last year's #7, but known to account for around half the bugs in the Chrome browser) and 11. Missing Authorization, which rose from the #16 position.

Looking at the list, it's not exactly comforting to see old favourites still with us after many, many years - including, in top position, Out-of-bounds Write, a.k.a. the Buffer Overflow and its various close relatives, which has been with us since at least the 1960s, if not before. Perhaps the adoption of memory-safe languages like Rust into development, including in the kernels of both Linux and Windows, will see this wizened old character handed a gold watch and pensioned off into retirement.

Likewise, the appearance of XSS and SQL Injection just below this (and Command Injection just a little lower) is more than a bit disturbing. Clearly, we need to do a better job of educating programmers, rather than checking them for a pulse and then turning them loose to copy-and-paste code fragments from StackOverflow. We should also be using static analysis a lot more - many of the entries in the Top 25 can easily be caught this way.
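To make the static-analysis point concrete, here is a toy checker, added for this briefing and not code from MITRE or from the original post, that walks a Python module's AST and flags two of the Top 25 patterns mechanically: a query string built at runtime and handed to a DB-API execute() (CWE-89), and a command string built at runtime and run through a shell (CWE-78). The sink names are the real stdlib and DB-API ones; which of them to treat as sinks, and the constructed sample module it scans, are this example's own assumptions. Real tools such as Bandit or Semgrep do the same thing with far more rules and data-flow tracking.

```python
"""Toy static check for two CWE Top 25 injection patterns (CWE-78, CWE-89).

Added example: a small ast.NodeVisitor that flags call shapes a static
analyser can catch without running the code. Sink lists are assumptions.
"""
import ast
from dataclasses import dataclass

# Functions that hand a string to the OS shell (os.*) or may do so with shell=True.
OS_COMMAND_SINKS = {"os.system", "os.popen", "subprocess.call",
                    "subprocess.run", "subprocess.Popen", "subprocess.check_output"}
# DB-API cursor methods that take SQL text as their first argument.
SQL_SINKS = {"execute", "executemany"}


@dataclass
class Finding:
    cwe: str
    line: int
    sink: str
    reason: str


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _built_at_runtime(node):
    """True if the expression assembles a string from other values:
    f-string with placeholders, % formatting, .format(), or + concatenation.
    A plain string literal is not flagged."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


class InjectionSinkVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name in OS_COMMAND_SINKS and node.args:
            # os.system/os.popen always use a shell; subprocess.* only with shell=True.
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            if _built_at_runtime(node.args[0]) and (name.startswith("os.") or shell):
                self.findings.append(Finding(
                    "CWE-78", node.lineno, name,
                    "command string built at runtime and run through a shell"))
        elif (isinstance(node.func, ast.Attribute) and node.func.attr in SQL_SINKS
              and node.args and _built_at_runtime(node.args[0])):
            self.findings.append(Finding(
                "CWE-89", node.lineno, name or node.func.attr,
                "query text built at runtime instead of using bound parameters"))
        self.generic_visit(node)


def scan_source(source):
    """Parse Python source text and return the list of Findings, in source order."""
    visitor = InjectionSinkVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample module: each risky function beside its corrected form.
SAMPLE = '''
import os, sqlite3, subprocess

def lookup_user_bad(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '%s'" % username)
    return cur.fetchone()

def lookup_user_good(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def ping_bad(host):
    os.system("ping -c 1 " + host)

def ping_good(host):
    subprocess.run(["ping", "-c", "1", host], check=False)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.cwe} via {f.sink}: {f.reason}")
```

Run as a script it reports the two "_bad" functions and stays silent on the parameterised query and the argument-list subprocess call, which is exactly the distinction a reviewer would want a CI gate to make for them.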

The CWE Top 25 Most Dangerous Software Weaknesses can be found at https://cwe.mitre.org/top25/. Essential reading for most developers (along with the various OWASP Top 10s), I'd say - and could be the basis of some profitable management discussions as well as some 'lunch-and-learn' sessions.

CISA, 2023 CWE Top 25 Most Dangerous Software Weaknesses, news alert, 29 June 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/06/29/2023-cwe-top-25-most-dangerous-software-weaknesses.

All Is Not Well in CISSP-Land

Disturbing developments continue at the International Information Systems Security Certification Consortium (ISC)2 - the gatekeeper of the 'gold standard' certification for security pros, the CISSP. Last year's board election saw over 80 candidates nominated to take part in the election - but a behind-closed-doors, undocumented 'selection process' run by the then-current board resulted in only six candidates being put on the election slate to fill the six open positions. The result was an election in name only - it really didn't matter how the membership voted. And the bar for write-in candidates - of whom there were several - made it impossible for any of them to get the necessary votes for election.

A little later, the board proposed a number of changes to the Bylaws that would have further consolidated its powers and stifled the voices of the members. Unsurprisingly, these were voted down by the members, with veteran member Stephen Mencik working tirelessly to point out the problems and, eventually, proposing an alternative set of amendments that seemed, to those members discussing them, to be a much better way forward.

Unsurprisingly, the board reacted very negatively to this, accusing Stephen of violating an NDA (he hadn't, as best we can determine) and making various other threats. Early this month, the board conducted a webinar - at an ungodly hour, as far as most of a global membership are concerned - to explain their response and their proposed way forward with a new vote on the Bylaws amendments.

I strongly urge all current CISSP's to read Stephen's blog commentary on this webinar, at https://smencik1.wordpress.com/2023/06/06/upcoming-by-laws-vote-info-and-recommendation/. There are several problems with their proposed voting process - not least of them that the member petition called for a vote on each of the proposed amendments individually, while the Bylaws Committee has set up a procedure whereby members must vote for either the petition's alternative bylaw amendments as a block, the board's proposals as a block, or neither of these.

In any case, voting opened on June 20th.

And closed a few hours later.

Members received an email which read, in part:

A vulnerability has been identified in our bylaws voting platform. We hold the integrity of our member voting paramount and have suspended voting until a secure environment is restored. No data were compromised.

We will provide updates when available. All members will have an opportunity to vote prior to the August 1, 2023, Special Meeting. To ensure the integrity of the results, all members will be asked to resubmit their vote.

Since then: silence. One has to wonder about a vulnerability in the voting platform of the organization that operates the self-proclaimed 'gold standard' in infosec.

Stephen has blogged about this also, at https://smencik1.wordpress.com/2023/06/26/by-laws-voting/, and I would urge reading it, as well as other entries at https://smencik1.wordpress.com/.

I cannot say I am entirely surprised at this snafu - your humble scribe has been encountering his own difficulties with the (ISC)2 web site. The end of June marks the time to pay my Annual Maintenance Fees (AMF) in order to continue to be a member in good standing (and thereby, of course, vote in the Great Bylaws Controversy of 2022/23). So, earlier this week, I dutifully logged in to the site, entered my credit card details and submitted payment. In response, I was greeted with a payment confirmation page that had blank fields for payment date, receipt number, order summary, payment amount and balance. The promised emailed receipt did not turn up, either.

So I contacted their customer service, a.k.a. member support, to be told that no, payment had not gone through. So, late the following day, after checking my credit card history and seeing no transaction, I tried again - with the same result, a blank confirmation and no receipt.

The next morning - and I wish I could say I was surprised - the credit card account showed a transaction for the first (apparently unsuccessful) payment attempt. I advised member support only to be told that, no, the transaction had not gone through.

"Yet", I replied. "The operative word here is 'yet'" - with no response from member support. And sure enough, the second payment attempt was also successful, with the transaction turning up in my credit card account this morning. I wouldn't be surprised if a third turns up tomorrow.

But still, the "member dashboard" at (ISC)2 shows my AMF as still outstanding, on this last day of my membership year, despite my now having paid it twice.

I cannot but laugh at the declaration at the bottom of the broken (ISC)2 payment confirmation page:

"(ISC)² has been issued an attestation of compliance from a qualified security assessor (QSA) from the Payment Card Industry (PCI). Our payment operations are validated to follow best practices to increase controls around cardholder data to reduce credit card fraud."

I've been told by another CISSP that his AMF payment was initially blocked by his own bank as they saw (ISC)2's payment processing as too risky. I've now raised a dispute with my own bank for the duplicate payment; I imagine that won't do much for their reputation either.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

[ Modified: Friday, 30 June 2023, 10:47 AM ]