mark :: blog :: cwe

[ 1 ]


A few weeks ago the 2011 update to the CWE/SANS Top 25 Most Dangerous Software Errors was published. As part of our contribution to this update we analysed the most severe vulnerabilities that affected Red Hat since the last update and mapped each one to the appropriate Common Weakness Enumeration (CWE) type.

The table below lists all vulnerabilities which have a CVSS score of 7 or more ('high'), that we fixed in any product during calendar year 2010.

Most common CWE were:

CVECWE2011 top 25?CVSS base scoreFixed in
CVE-2007-4567 CWE-476no 7.8 Red Hat Enterprise Linux 5 (kernel)
CVE-2009-0778 CWE-770no 7.1 Red Hat Enterprise Linux 5 (kernel)
CVE-2009-1385 CWE-191no 7.1 Red Hat Enterprise Linux 5 (kernel)
CVE-2009-3080 CWE-129no 7.2 Red Hat Enterprise Linux 3, 4, 5, MRG (kernel)
CVE-2009-3245 CWE-252no 7.6 Red Hat Enterprise Linux 3, 4, 5 (openssl)
CVE-2009-3726 CWE-476no 7.2 Red Hat Enterprise Linux 4, 5, MRG (kernel)
CVE-2009-4005 CWE-127no 7.1 Red Hat Enterprise Linux 4 (kernel)
CVE-2009-4027 CWE-362no 7.8 Red Hat Enterprise Linux 5 (kernel)
CVE-2009-4141 CWE-416no 7.2 Red Hat Enterprise Linux 5, MRG (kernel)
CVE-2009-4212 CWE-191no 10.0 Red Hat Enterprise Linux 3, 4, 5 (krb5)
CVE-2009-4272 CWE-764no 7.8 Red Hat Enterprise Linux 5 (kernel)
CVE-2009-4273 CWE-78yes 7.9 Red Hat Enterprise Linux 5 (systemtap)
CVE-2009-4537 CWE-120yes 7.1 Red Hat Enterprise Linux 4, 5, MRG (kernel)
CVE-2009-4895 CWE-362no 7.2 Red Hat Enterprise MRG (kernel)
CVE-2010-0008 CWE-606no 7.8 Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-0291 CWE-822no 7.2 Red Hat Enterprise Linux 5 (kernel)
CVE-2010-0738 CWE-424no 7.5 JBoss Enterprise Application Platform 4.2, 4.3
CVE-2010-0741 CWE-20no 7.1 Red Hat Enterprise Linux 5 (kvm)
CVE-2010-1084 CWE-120yes 7.2 Red Hat Enterprise Linux 5 (kernel)
CVE-2010-1086 CWE-20no 7.8 Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-1087 CWE-362no 7.2 Red Hat Enterprise Linux 5 (kernel)
CVE-2010-1166 CWE-823no 7.6 Red Hat Enterprise Linux 5 (xorg-x11-server)
CVE-2010-1173 CWE-120 *yes 7.1 Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-1188 CWE-416no 7.8 Red Hat Enterprise Linux 3, 4, 5 (kernel)
CVE-2010-1436 CWE-120yes 7.2 Red Hat Enterprise Linux 5 (kernel)
CVE-2010-1437 CWE-362no 7.2 Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-2063 CWE-823no 7.5 Red Hat Enterprise Linux 3, 4, 5 (samba)
CVE-2010-2235 CWE-77no 7.1 Red Hat Network Satellite Server 5.3 (cobbler)
CVE-2010-2240 CWE-788no 7.2 Red Hat Enterprise Linux 3, 4, 5, MRG (kernel)
CVE-2010-2248 CWE-682no 7.1 Red Hat Enterprise Linux 4, 5 (kernel)
CVE-2010-2492 CWE-805no 7.2 Red Hat Enterprise Linux 5, 6 (kernel)
CVE-2010-2521 CWE-805no 8.3 Red Hat Enterprise Linux 4, 5, MRG (kernel)
CVE-2010-2798 CWE-476no 7.2 Red Hat Enterprise Linux 5 (kernel)
CVE-2010-2962 CWE-823no 7.2 Red Hat Enterprise Linux 6, MRG (kernel)
CVE-2010-3069 CWE-129no 8.3 Red Hat Enterprise Linux 3, 4, 5, 6 (samba)
CVE-2010-3081 CWE-131yes 7.2 Red Hat Enterprise Linux 3, 4, 5, 6, MRG (kernel)
CVE-2010-3084 CWE-120yes 7.2 Red Hat Enterprise Linux 6 (kernel)
CVE-2010-3301 CWE-129no 7.2 Red Hat Enterprise Linux 6 (kernel)
CVE-2010-3302 CWE-120yes 7.1 Red Hat Enterprise Linux 6 (openswan)
CVE-2010-3308 CWE-120yes 7.1 Red Hat Enterprise Linux 6 (openswan)
CVE-2010-3432 CWE-805 *no 7.8 Red Hat Enterprise Linux 4, 5, 6, MRG (kernel)
CVE-2010-3705 CWE-788no 8.3 Red Hat Enterprise Linux 6, MRG (kernel)
CVE-2010-3708 CWE-77no 7.5 JBoss Enterprise Application Platform 4.3, SOA Platform 4.2
CVE-2010-3752 CWE-78yes 7.1 Red Hat Enterprise Linux 6 (openswan)
CVE-2010-3753 CWE-78yes 7.1 Red Hat Enterprise Linux 6 (openswan)
CVE-2010-3847 CWE-426no 7.2 Red Hat Enterprise Linux 5, 6 (glibc)
CVE-2010-3856 CWE-426no 7.2 Red Hat Enterprise Linux 5, 6 (glibc)
CVE-2010-3864 CWE-362no 7.6 Red Hat Enterprise Linux 6 (openssl)
CVE-2010-3904 CWE-822no 7.2 Red Hat Enterprise Linux 5, 6 (kernel)
CVE-2010-4170 CWE-88no 7.2 Red Hat Enterprise Linux 4, 5, 6 (systemtap)
CVE-2010-4179 CWE-862yes 7.5 Red Hat Enterprise MRG (cumin)
CVE-2010-4344 CWE-120yes 7.5 Red Hat Enterprise Linux 4, 5 (exim)

* - in both these cases the outcome is not a buffer overflow as the possible overflow is detected and instead converted into an abort (DoS)

See also our 2010 analysis


The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors was published today listing the most widespread issues that lead to software vulnerabilities.

During the creation and review of the list we spent some time to see how closely last years list matched the types of flaws we deal with at Red Hat. We first looked at all the issues that Red Hat fixed across our entire product portfolio in the 2009 calendar year and filtered out those that had the highest severity. All our 2009 vulnerabilities have CVSS scores, so we filtered on those that have a CVSS base score of 7.0 or above[1].

There were 22 vulnerabilities that matched, and we mapped each one to the most appropriate CWE. This gives us 11 flaw types which led to the most severe flaws affecting Red Hat in 2009:

CWECWE DescriptionCWE/SANS
top 25?
Number of
Vulnerabilities
CWE-476NULL Pointer DereferenceNo (on cusp)6
CWE-120Buffer Copy without Checking Size of InputYes3
CWE-129Improper Validation of Array Index Yes3
CWE-131Incorrect Calculation of Buffer Size Yes3
CWE-78OS Command InjectionYes1
CWE-285Improper Access Control (Authorization)Yes1
CWE-362Race ConditionYes1
CWE-330 Use of Insufficiently Random Values No (on cusp)1
CWE-590Free of Memory not on the HeapNo1
CWE-672Use of a Resource after Expiration or ReleaseNo (on cusp)1
CWE-772Missing Release of Resource after Effective LifetimeNo (on cusp)1

10 of the 11 CWE are mentioned in the 2010 CWE/SANS document, although 4 of them are on "the cusp" and didn't make it into the top 25.

This quick review shows us that 2009 was the year of the kernel NULL pointer dereference flaw, as they could allow local untrusted users to gain privileges, and several public exploits to do just that were released. For Red Hat, interactions with SELinux prevented them being able to be easily mitigated, until the end of the year when we provided updates. Now, in 2010, the upstream Linux kernel and many vendors ship with protections to prevent kernel NULL pointers leading to privilege escalation. So although 2009 was the year where CWE-476 mattered to Linux administrators, it didn't make the SANS/CWE top 25 as this flaw type should not lead to severe issues (as long as the protections remain sufficient).

Here is a breakdown with the complete data set to show the CVSS scores and packages affected:

CVECWEtop 25?CVSS
base
Fixed in
CVE-2008-5182 CWE-362Yes 7.2Red Hat Enterprise Linux 5 (kernel)
CVE-2009-0065 CWE-129Yes 8.3Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-0692 CWE-120Yes 8.3Red Hat Enterprise Linux 3,4 (dhcp)
CVE-2009-0778 CWE-772No (on cusp) 7.1Red Hat Enterprise Linux 5 (kernel)
CVE-2009-0846 CWE-590No 9.3Red Hat Enterprise Linux 2.1, 3 (krb5) [2]
CVE-2009-1185 CWE-131Yes 7.2Red Hat Enterprise Linux 5 (udev)
CVE-2009-1385 CWE-129Yes 7.1Red Hat Enterprise Linux 3,4,5,MRG (kernel)
CVE-2009-1439 CWE-131Yes 7.1Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-1579 CWE-78Yes 7.5Red Hat Enterprise Linux 3,4,5 (squirrelmail)
CVE-2009-1633 CWE-131Yes 7.1Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-2406 CWE-120Yes 7.2Red Hat Enterprise Linux 5 (kernel)
CVE-2009-2407 CWE-120Yes 7.2Red Hat Enterprise Linux 5 (kernel)
CVE-2009-2692 CWE-476No (on cusp) 7.2Red Hat Enterprise Linux 3,4,5,MRG (kernel)
CVE-2009-2694 CWE-129Yes 7.5Red Hat Enterprise Linux 3,4,5 (pidgin)
CVE-2009-2698 CWE-476No (on cusp) 7.2Red Hat Enterprise Linux 3,4,5 (kernel)
CVE-2009-2848 CWE-672No (on cusp) 7.2Red Hat Enterprise Linux 3,4,5,MRG (kernel)
CVE-2009-2908 CWE-476No (on cusp) 7.2Red Hat Enterprise Linux 5 (kernel)
CVE-2009-3238 CWE-330No (on cusp) 7.8Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-3290 CWE-285Yes 7.2Red Hat Enterprise Linux 5 (kvm)
CVE-2009-3547 CWE-476No (on cusp) 7.2Red Hat Enterprise Linux 3,4,5,MRG (kernel)
CVE-2009-3620 CWE-476No (on cusp) 7.2Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-3726 CWE-476No (on cusp) 7.2Red Hat Enterprise Linux 5,MRG (kernel)

[1] NIST NVD rate vulnerabilities as "High" severity if they have a CVSS base score of 7.0-10.0. This ends up excluding flaws in web browsers such as Firefox which can have a maximum CVSS base score of 6.8.

[2] Red Hat Enterprise Linux 4 and 5 were also affected by this vulnerability, but with a lower CVSS base score of 4.3, due to the extra runtime pointer checking.

[ 1 ]

Hi! I'm Mark Cox. This blog gives my thoughts on security work, open source, home automation, and other topics.