CVE and CWE
Anyone who has looked into information security will have come across CVE. CVE stands for Common Vulnerabilities and Exposures; its purpose is to record and share security vulnerabilities in all kinds of computer systems so that others running the same systems can understand the risk and fix it. Each entry has a CVE ID. For example, the Windows ransomware that caused the most headaches in 2017 (WannaCry) is linked to CVE-2017-0143 and CVE-2017-0148, two of the SMBv1 vulnerabilities fixed by Microsoft's MS17-010 update. For security staff and developers, following CVEs is a timely way to learn: it keeps us informed of the latest risks in the systems we run and helps us steer clear of risky underlying components. Note that a CVE ID identifies one specific vulnerability in one specific product or version; on its own it says nothing about the kind of programming mistake behind it, which is what CWE is for.
CWE is different from CVE. CWE stands for Common Weakness Enumeration. It distils the root-cause weaknesses that recur across many security incidents into a classified catalogue so that developers can avoid repeating them in their code. Two CWE examples: CWE-798 Use of Hard-coded Credentials (a password baked into the source, leaving a backdoor) and CWE-476 NULL Pointer Dereference. These entries are a very useful reference for code audits, and when building a static analysis tool you can write its rules against the catalogue entries and tag each finding with the CWE ID it maps to, so the tool's output uses the same vocabulary as CVE and NVD records.
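As an added illustration of writing a static check against a CWE entry (this is example code for this page, not a tool from CWE, NVD or any project), the small scanner below flags string literals assigned to credential-looking variable names and labels each finding CWE-798. The detection rule, the placeholder list and the sample source it scans are all this example's own assumptions; the CWE ID is the real one.

```python
import re
from dataclasses import dataclass

# The CWE identifier is real; the detection rule below is this example's own
# heuristic, not an official CWE or NVD artifact.
CWE_798 = "CWE-798"  # Use of Hard-coded Credentials

# A string literal assigned to a credential-looking variable, e.g.
#   password = "hunter2"   API_KEY = 'abc123'   db_passwd: str = "x"
CREDENTIAL_ASSIGN = re.compile(
    r"""(?ix)
    \b(?P<name>[A-Za-z_]*(?:passw(?:or)?d|secret|api[_-]?key|token|private[_-]?key)[A-Za-z_0-9]*)
    \s*(?::\s*\w+\s*)?=\s*
    (?P<quote>["'])(?P<value>[^"']{4,})(?P=quote)
    """
)
# Names that only refer to a credential (a file path, a prompt, an ID) rather
# than containing one.
NON_SECRET_SUFFIX = re.compile(r"(?i)(path|file|name|id|url|hint|prompt)$")
# Obvious placeholders that are not live credentials.
PLACEHOLDERS = {"changeme", "password", "example", "<redacted>", "todo"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    cwe: str
    name: str
    value: str
    text: str


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per line that hard-codes a credential (CWE-798)."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # commented-out code is not live
            continue
        m = CREDENTIAL_ASSIGN.search(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if NON_SECRET_SUFFIX.search(name) or value.lower() in PLACEHOLDERS:
            continue
        findings.append(Finding(line_no, CWE_798, name, value, stripped))
    return findings


# Constructed sample input; the credentials in it are made up.
SAMPLE_SOURCE = '''\
import os
DB_HOST = "db.internal"
DB_PASSWORD = "s3cr3t-pr0d-pass"          # hard-coded -> CWE-798
api_key = os.environ["API_KEY"]            # read at runtime, not hard-coded
token = 'changeme'                         # placeholder, not flagged
# password = "commented out"
private_key_path = "/etc/keys/server.pem"  # a path, not a credential
db_passwd: str = "Tr0ub4dor&3"             # annotated assignment -> CWE-798
'''


def report(source: str) -> list[str]:
    """Format findings the way a CWE-aware linter would print them."""
    return [f"line {f.line_no}: {f.cwe} hard-coded credential in '{f.name}': {f.text}"
            for f in scan_source(source)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SOURCE)))
```

Running it on the constructed sample reports lines 3 and 8 only: the value read from the environment, the placeholder, the commented-out line and the key file path are all left alone. Real scanners add entropy checks and per-language parsing on top of this, but the shape is the same: one rule per weakness class, each finding labelled with its CWE ID.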
The 2020 CWE Top 25 Most Dangerous Software Weaknesses
In August 2020 the CWE site published the 2020 Top 25 Most Dangerous Software Weaknesses. The data source is the NVD (National Vulnerability Database), run by the US government (NIST). NVD takes its records from CVE and enriches each one with the CWE weakness type it maps to and a CVSS score that measures how severe the problem is. The sample covered only CVEs from 2018 and 2019, roughly 27,000 entries. Those 27,000 CVEs were mapped onto the much smaller set of CWE entries, and for each CWE the severity (CVSS) and the frequency of occurrence were combined into a final score (the Score column in the table). The exact scoring formula is documented on the CWE site. The results are in the table below.
| Rank | ID | Name | Score |
|---|---|---|---|
| 1 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 46.82 |
| 2 | CWE-787 | Out-of-bounds Write | 46.17 |
| 3 | CWE-20 | Improper Input Validation | 33.47 |
| 4 | CWE-125 | Out-of-bounds Read | 26.50 |
| 5 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 23.73 |
| 6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 20.69 |
| 7 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 19.16 |
| 8 | CWE-416 | Use After Free | 18.87 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 17.29 |
| 10 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 16.44 |
| 11 | CWE-190 | Integer Overflow or Wraparound | 15.81 |
| 12 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 13.67 |
| 13 | CWE-476 | NULL Pointer Dereference | 8.35 |
| 14 | CWE-287 | Improper Authentication | 8.17 |
| 15 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 7.38 |
| 16 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.95 |
| 17 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 6.53 |
| 18 | CWE-522 | Insufficiently Protected Credentials | 5.49 |
| 19 | CWE-611 | Improper Restriction of XML External Entity Reference | 5.33 |
| 20 | CWE-798 | Use of Hard-coded Credentials | 5.19 |
| 21 | CWE-502 | Deserialization of Untrusted Data | 4.93 |
| 22 | CWE-269 | Improper Privilege Management | 4.87 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 4.14 |
| 24 | CWE-306 | Missing Authentication for Critical Function | 3.85 |
| 25 | CWE-862 | Missing Authorization | 3.77 |
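To make the scoring described above concrete, here is an added example (written for this page, not code from CWE or NVD) that reproduces the formula published in the 2020 Top 25 methodology: each CWE's CVE count is min-max normalized across all CWEs in the data set (Fr), its average CVSS is min-max normalized against the lowest and highest CVSS of any CVE in the data set (Sv), and Score = Fr * Sv * 100. The CVE records it runs on are constructed for illustration and are not real NVD data; the CWE IDs are real.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records: (CVE ID, mapped CWE, CVSS base score).
# These are illustrative values, not real NVD data.
SAMPLE_CVES = [
    ("CVE-2019-0001", "CWE-79", 6.1),
    ("CVE-2019-0002", "CWE-79", 5.4),
    ("CVE-2019-0003", "CWE-79", 6.1),
    ("CVE-2019-0004", "CWE-79", 4.3),
    ("CVE-2019-0005", "CWE-787", 9.8),
    ("CVE-2019-0006", "CWE-787", 8.8),
    ("CVE-2019-0007", "CWE-787", 9.8),
    ("CVE-2019-0008", "CWE-476", 5.5),
    ("CVE-2019-0009", "CWE-798", 9.8),
]


def _normalize(value, lo, hi):
    """Min-max normalize into [0, 1]; a degenerate range (all values equal) maps to 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def top25_scores(records):
    """Score each CWE as Fr(CWE) * Sv(CWE) * 100, following the 2020 methodology.

    Fr: the CWE's CVE count, min-max normalized across all CWEs in the data set.
    Sv: the CWE's average CVSS, min-max normalized against the lowest and highest
        CVSS score of any CVE in the data set.
    """
    cvss_by_cwe = defaultdict(list)
    for _cve_id, cwe, cvss in records:
        cvss_by_cwe[cwe].append(cvss)

    counts = {cwe: len(v) for cwe, v in cvss_by_cwe.items()}
    min_freq, max_freq = min(counts.values()), max(counts.values())
    all_cvss = [cvss for _, _, cvss in records]
    min_cvss, max_cvss = min(all_cvss), max(all_cvss)

    scores = {}
    for cwe, cvss_list in cvss_by_cwe.items():
        fr = _normalize(counts[cwe], min_freq, max_freq)
        sv = _normalize(mean(cvss_list), min_cvss, max_cvss)
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def rank(records):
    """Return (cwe, score) pairs sorted from highest to lowest score."""
    scores = top25_scores(records)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank(SAMPLE_CVES), start=1):
        print(f"[{position}] {cwe:<8} {score:6.2f}")
```

On the sample, CWE-787 (three CVEs, average CVSS 9.47) ranks first with 62.63 and CWE-79 (four lower-severity CVEs) second with 21.36. Note the edge case the formula produces: any CWE whose count equals the minimum frequency in the data set gets Fr = 0 and therefore a score of 0 no matter how severe its CVEs are, which is why CWE-798 scores 0 here despite a CVSS of 9.8. The same property holds for the published formula, so a low position in the table above reflects rarity as much as low severity.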
References
https://www.redhat.com/zh/topics/security/what-is-cve
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148
https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html