Back to Blog
An Analysis of Recent Changes to MITRE’s CWE Database

An Analysis of Recent Changes to MITRE's CWE Database

The ever-expanding universe of cybersecurity threats plaguing embedded systems today is  only getting more dangerous, costly, and pervasive with every year that passes.

In fact, cybercrime costs organizations $2.9 million every minute. In addition, research conducted by IBM found that, on average, it takes 280 days to find and contain a typical cyberattack. That’s nearly a year of time during which a cybercriminal can be doing anything they please, from stealing confidential data to causing physical damage. 

So, if you’re responsible for product security and need to understand and address this seemingly endless universe of threats, where do you start?

In an effort to answer this question, the MITRE Corporation maintains the Common Vulnerabilities and Exposure (CVE) database. The CVE database is a publicly-available, community-developed list of software and hardware vulnerabilities. This database was started in conjunction with the Department of Homeland Security in 1999.  As it grew, it soon became apparent that we needed a better way to group and analyze this data. So, in 2006, the Common Weakness Enumeration (CWE) database was created to help organize the universe of vulnerabilities into categories, or types of weaknesses. 

The CWE database has grown and evolved a lot since its inception. In the last year alone, we saw some of the most significant changes yet, including interesting trends in software CWEs, the addition of hardware weaknesses, and a new release of the ATT&CK framework. 

Majority of Software CWE Growth Concentrated Across Three Types of Threats

MITRE’s software database grew by over 24,000 CVEs and nearly 50 CWEs from 2020 to 2021. However, the majority of that growth was concentrated across three types of threats.

The first major area of growth is buffer overflows. Buffer overflows happen when data is written or read outside the bounds of a memory buffer. They are one of the most common and severe types of attacks and we’ve seen continual growth in this category year-over-year. For instance, CWE-787 Out-of-Bounds Write more than tripled in the last year. This is the same CWE to which the infamous Heartbleed buffer overflow attack is attributed. In fact, CWE-787 tops the charts of MITRE’s Top 25 Most Dangerous Software Weaknesses.

Because of the popularity of buffer overflow attacks, MITRE recently created entirely new CWEs that are specifically dedicated to buffer overflows on stack memory vs. heap memory. That’s not to say stack and heap buffer overflows weren’t already being recorded, it’s just that they were grouped under more class-based, broadly-defined buffer overflow CWEs. This distinction is in keeping with MITRE’s effort to move away from abstract CWEs and focus on more specific types of attacks. 

We also saw significant growth in SQL injection attacks (#6 on MITRE’s top 25 list). A SQL injection attack is when malicious code is inserted into an application. Their significant growth is likely explained by the fact that they can be a big money target. Infamous SQL injection attacks, like Equifax and the Office of Personnel Management breach, showed the world what was possible—the potential to steal hundreds of millions of private records—and now others are following suit. 

The third area of growth seen in the last year is an increase in web attacks. Four CWEs out of MITRE’s top 25 list are website attacks. Unfortunately, the prevalence of web attacks is due to the fact that websites tend to be easy targets. Luckily, the impact of a web attack is typically minimal. 

In addition, we also noticed an increase in presumably self-reported vulnerabilities in code that were never exploited in the wild. Long gone are the days where cybersecurity can be an afterthought for chip and device manufacturers. Now, it’s becoming more common for organizations to self-report when they find a flaw in their code, getting ahead of potential bad actors before it can be used in a real attack.

Attacks like Spectre & Meltdown Made Cataloging Hardware CWEs Imperative

One of the biggest changes to MITRE’s database in the last year is the addition of hardware CWEs. Previously, MITRE was only tracking software vulnerabilities and weakness types. But with prominent hardware-based attacks, like Spectre and Meltdown, the addition of hardware vulnerabilities became imperative. MITRE started tracking hardware CWEs in February 2020

Since their introduction, the hardware database has grown to over 100 CVEs, across 12 categories. This may not sound like much when compared to the size of the software database, but it’s still in its infancy and will grow exponentially over time. 

In a recent webinar, Jason Oberg, Co-Founder & CTO of Tortuga Logic, highlighted some of the trends he’s seen in the hardware CWE database. He noted that some of the top hardware CWEs are things like physical attacks which include power side channel attacks and fault injection.  These types of attacks and weaknesses are usually the first to come to mind when we think of hardware CWEs.

However, other common hardware weaknesses in the wild today are CWEs like chip debug, which includes flaws like misconfigured secure debug or exposed external debug (JTAG). In addition, he saw that access control flaws were common including things like overlapping memory regions and System-On-a-Chip access control. Also falling under the umbrella of access control are chicken bits, which are undocumented functionality that can turn on and off certain features, and misconfigured hardware locking. 

The cataloging and analysis of hardware CWEs is critical to the future of more secure embedded systems. Because vulnerabilities in hardware are more difficult, or even impossible, to correct once a system is deployed, these vulnerabilities need to be identified and addressed during the development process. 

Newest Release of MITRE’s ATT&CK Framework

The final development was the release of a new version of MITRE’s ATT&CK Framework. This framework aims to tackle the same issue as the CWE database, but with a slightly different approach. The ATT&CK framework is a community-developed and publicly accessible knowledge base of adversarial tactics that attackers use to exploit vulnerabilities and execute a cyberattack.  This includes everything from reconnaissance to privilege escalation to defense evasion.

Ultimately, the ATT&CK framework is just another tool available to you when you’re trying to understand your threat universe. 

Once you understand your relevant threats, how do you use that information to identify the appropriate mitigating defense mechanisms and evaluate their effectiveness?

That’s where Dover’s Analytical Framework comes in.

A Framework to Evaluate the Effectiveness of Cybersecurity Defense Mechanisms

Our framework takes MITRE’s CWE database and labels each CWE with an appropriate mitigating defense mechanism, if there is one. Then, we organized the CWEs together based on this categorization. For example, there are 29 different CWEs that all can be addressed with the defense mechanism category of “Memory Safety.” If a cybersecurity solution is effective, it could block most, if not all, CVEs in that group.

This framework enables vendors, analysts, and users to cut through the inconsistent terminology and make a side-by-side comparison of the effectiveness of different cybersecurity systems based on the defense mechanisms employed.

To learn more about the Dover’s Analytical Framework and see the breakdown of CVE and CWE coverage by defense mechanism, download our white paper, today.

Share This Post

More from Dover

PublishedAugust 17, 2021

 

The threat universe for embedded systems is seemingly endless. To try to make sense of it all, we turn to MITRE’s CWE database. It’s a publicly-available, community-developed list of software and hardware weaknesses. Its purpose is to serve as...

Security CoreGuard Defense-in-Depth