[VIM] Vulnerability Type Distribution in CVE

Steven M. Christey coley at linus.mitre.org
Thu Sep 14 11:12:20 EDT 2006



Vulnerability Type Distribution in CVE
--------------------------------------
Date: September 14, 2006

FYI all, here's a working draft of the distribution of vulnerability
types within CVE.  I'll probably be writing something a little more
formal in the near future, but I wanted to get this out and in some
sufficiently public forum for the time being.  This was prompted by my
colleague Bob Martin's comments during "The Year of the web
application: Hack & Data from the Front lines" panel at the 5th Annual
Cyber Security Executive Summit in New York City on September 13.  As
many of you know, this general work has begun to morph into our Common
Weakness Enumeration (CWE).

If your favorite issue isn't in this list, then it probably hasn't
been seen often enough yet.  At some point in the future, as part of
CWE, we might wind up conducting a much more detailed classification.

=== KEY RESULT: RISE OF WEB APPLICATION VULNERABILITIES ===

One of the key results is the rise of web application vulnerabilities.

XSS has become the number 1 vulnerability of all time, at least in
CVE.

Buffer overflows were number 1 year after year, but that changed in
2005 with the rise of vulnerabilities that are found in web
applications, including XSS and SQL injection (although SQL injection
is not limited just to web apps).  And in fact, buffer overflows are
only #4 for 2006 so far.  There are probably several factors in this
rise:

1) The most basic data manipulations for these vulnerabilities are
   very simple to perform, e.g. "'" for SQL injection and
   "<script>alert('hi')</script>" for XSS.

2) There is a plethora of web applications that are freely available.
   Much of the code is alpha or beta, written by inexperienced
   programmers with easy-to-learn languages such as PHP.
   Consequently, it is very easy for beginning researchers to find new
   vulnerabilities in bad software.  I call these "fish-in-a-barrel"
   applications, because analyzing them is as easy as shooting fish in
   a barrel.

3) XSS, despite popular opinion, has many subtleties and variants, so
   even solid applications can have flaws in them (especially if you
   consider non-standard browser behaviors that try to "fix" malformed
   HTML that slips by filtering mechanisms).  Also, potentially every
   single input could be an XSS vector, which does not occur with
   other vulnerability types.  Finally, until recently, the PHP
   interpreter had a vulnerability in which it did not quote error
   messages, but many researchers only reported the surface-level
   "resultant" XSS instead of figuring out whether there was a
   different "primary" vulnerability that led to the error.

4) I'm not completely sure, but there is some evidence that over the
   past couple of years, web defacers have taken an interest in
   performing and publishing their own research.  This is probably due
   to the ease of finding vulnerabilities, combined with the presence
   of high-risk vulnerabilities such as PHP file inclusion, along with
   powerful backdoor code (written in PHP) that can be easily
   installed.

===== OTHER INTERESTING RESULTS =====

In 2006, the top 5 vulnerability types are responsible for about 65%
of all CVEs.

PHP remote file inclusion has been steadily gaining ground since 2001,
enough so that at this point in 2006, it's number 3.

Over the years, there has been a noticeable decline in shell
metacharacters, symbolic link following, and directory traversal.

Information leaks are fairly high.  There are 2 main reasons:
"information leak" is a fairly abstract class (see CWE for many
instances), and when an error message includes a full path, that is
usually categorized as an information leak.

The inability to handle malformed inputs, which usually leads to a
crash or hang, is also a fairly abstract class.  Malformed-input
vulnerabilities have not been studied as closely as injection
vulnerabilities, and many vulnerability reports don't specify how the
input was malformed.  There are likely cases where the researcher has
accidentally triggered another vulnerability, but didn't do any
diagnosis to really figure it out.

As the percentage of buffer overflows has declined, we have seen an
increase in related vulnerability types, including integer overflows,
signedness errors, and double frees.  These are still very
low-percentage, probably due to their relative newness and difficulty
of detection.

Other interesting web application vulnerabilities are webroot (storage
of sensitive files under the web document root), form-field (web
parameter tampering), upload of files with executable extensions
(e.g. file.php.gif), eval injection, and Cross-Site Request Forgery
(CSRF).

===== WEB PAGE - COLOR KEY =====

RED: a top 10 for that year

GREEN: during that year, the vulnerability's rank was at least 5
points BELOW average

YELLOW: the vulnerability's rank was at least 5 points ABOVE average

So, green on the left indicates vulns with RISING popularity, as will
yellow on the right.  Green on the right indicates vulns with FALLING
popularity, as will yellow on the left.
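As an added example (not code from the post or from MITRE), here is a Python helper that parses rows laid out like the plaintext table below and applies the color key above; the post does not define "average" or the precedence between RED and the other two colors, so the interpretation used is my assumption and is spelled out in the docstring.

```python
import re

# Constructed excerpt of the post's plaintext table: name, TOTAL column, then 2001..2006.
YEARS = ["2001", "2002", "2003", "2004", "2005", "2006"]
TABLE = """\
[ 1] XSS              13.9% ( 1)  02.2% (11)  08.7% ( 2)  07.5% ( 2)  10.9% ( 2)  16.0% ( 1)  21.5% ( 1)
[ 2] buf              13.3% ( 2)  19.5% ( 1)  20.3% ( 1)  22.5% ( 1)  15.4% ( 1)  09.8% ( 3)  07.9% ( 4)
[ 5] php-include      03.5% ( 5)  00.1% (32)  00.3% (30)  00.8% (16)  01.4% (10)  02.1% ( 6)  09.5% ( 3)
[ 8] link             02.0% ( 8)  04.5% ( 4)  02.1% ( 9)  03.5% ( 3)  02.8% ( 7)  01.9% ( 7)  00.5% (16)
[24] crlf             00.3% (24)  00.0%  N/A  00.2% (33)  00.1% (31)  00.5% (20)  00.4% (21)  00.3% (19)
"""

ROW = re.compile(r"^\[\s*\d+\]\s+(\S+)\s+(.*)$")
CELL = re.compile(r"(\d+\.\d)%\s+(?:\(\s*(\d+)\)|N/A)")   # "13.9% ( 1)" or "00.0%  N/A"


def parse_table(text):
    """Map each flaw type to {year: (percent, rank or None)}; the TOTAL column is dropped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        cells = CELL.findall(m.group(2))          # [(pct, rank_or_''), ...], TOTAL first
        if len(cells) != len(YEARS) + 1:
            raise ValueError("malformed row: " + line)
        rows[m.group(1)] = {
            year: (float(pct), int(rank) if rank else None)
            for year, (pct, rank) in zip(YEARS, cells[1:])
        }
    return rows


def color_key(per_year):
    """Apply the post's color key to one flaw type's yearly ranks.

    Assumptions not spelled out in the post: 'average' is the mean of the type's ranks
    over the years it was ranked; RED (top 10) takes precedence; 'below/above average'
    is about popularity, so a rank number 5+ larger than the mean (less popular) is
    GREEN and 5+ smaller (more popular) is YELLOW. N/A years get no color.
    """
    ranks = [rank for _, rank in per_year.values() if rank is not None]
    avg = sum(ranks) / len(ranks) if ranks else None
    colors = {}
    for year, (_, rank) in per_year.items():
        if rank is None:
            colors[year] = None
        elif rank <= 10:
            colors[year] = "RED"
        elif rank - avg >= 5:
            colors[year] = "GREEN"
        elif avg - rank >= 5:
            colors[year] = "YELLOW"
        else:
            colors[year] = None
    return colors
```

Run over the rows above, php-include and XSS come out GREEN on the left (rising), link comes out GREEN on the right (falling), and buf stays RED throughout, matching the reading the post gives for the key.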

== NOTES ON POTENTIAL BIAS ==

2003's issues have 20% with vulns that are "not specified" by the CVE
analyst, which is inconsistent with stats from other years.  I
reviewed many of these vulns, and they are type "other."  Why such a
radical difference?  Since CVE is less complete in 2003 than for other
years, we probably focused more on priority issues than random
software.  This is just a guess, though.  I would like to address
CVE's 2003 gap at some point in the future.

Some vulnerability types are probably under-represented due to
classification difficulty.  For example, the "form-field" type (web
parameter tampering) might occasionally get classified as an
authentication error, depending on how the researcher reports the
issue.

Anyway, below are the stats in plaintext, and hopefully I've also
remembered to attach the HTML.


=======================================================================
=======================================================================

                         TOTAL        2001        2002        2003        2004        2005        2006
                        (16192)      (1434)      (2138)      (1173)      (2534)      (4538)      (4375)
                      ----------  ----------  ----------  ----------  ----------  ----------  ----------
[ 1] XSS              13.9% ( 1)  02.2% (11)  08.7% ( 2)  07.5% ( 2)  10.9% ( 2)  16.0% ( 1)  21.5% ( 1)
[ 2] buf              13.3% ( 2)  19.5% ( 1)  20.3% ( 1)  22.5% ( 1)  15.4% ( 1)  09.8% ( 3)  07.9% ( 4)
[ 3] sql-inject       08.7% ( 3)  00.4% (28)  01.8% (12)  03.0% ( 4)  05.5% ( 3)  12.9% ( 2)  14.0% ( 2)
[ 4] dot              04.7% ( 4)  08.9% ( 2)  05.1% ( 3)  02.9% ( 5)  04.1% ( 4)  04.3% ( 4)  04.4% ( 5)
[ 5] php-include      03.5% ( 5)  00.1% (32)  00.3% (30)  00.8% (16)  01.4% (10)  02.1% ( 6)  09.5% ( 3)
[ 6] infoleak         03.3% ( 6)  02.6% ( 9)  04.2% ( 5)  02.6% ( 7)  03.7% ( 5)  03.9% ( 5)  02.6% ( 6)
[ 7] dos-malform      02.9% ( 7)  04.8% ( 3)  05.1% ( 4)  02.5% ( 8)  03.4% ( 6)  01.8% ( 8)  02.0% ( 7)
[ 8] link             02.0% ( 8)  04.5% ( 4)  02.1% ( 9)  03.5% ( 3)  02.8% ( 7)  01.9% ( 7)  00.5% (16)
[ 9] format-string    01.8% ( 9)  03.2% ( 7)  01.8% (10)  02.7% ( 6)  02.4% ( 8)  01.7% ( 9)  01.0% (10)
[10] crypt            01.6% (10)  03.8% ( 5)  02.7% ( 6)  01.5% ( 9)  00.9% (16)  01.5% (10)  00.9% (13)
[11] priv             01.4% (11)  02.5% (10)  02.2% ( 8)  01.0% (12)  01.3% (11)  01.5% (11)  00.9% (12)
[12] metachar         01.3% (12)  03.8% ( 6)  02.6% ( 7)  00.7% (17)  01.0% (14)  01.3% (12)  00.3% (21)
[13] perm             01.3% (13)  02.7% ( 8)  01.8% (11)  01.3% (11)  00.9% (15)  01.1% (13)  01.1% ( 9)
[14] int-overflow     01.0% (14)  00.1% (30)  00.4% (26)  01.4% (10)  01.9% ( 9)  00.8% (14)  01.2% ( 8)
[15] dos-flood        00.8% (15)  02.0% (12)  01.7% (13)  00.5% (19)  01.2% (12)  00.2% (27)  00.4% (17)
[16] pass             00.8% (16)  01.1% (17)  01.3% (15)  00.2% (26)  01.1% (13)  00.8% (15)  00.4% (18)
[17] auth             00.8% (17)  01.5% (13)  01.3% (14)  00.5% (20)  00.7% (17)  00.5% (19)  00.7% (14)
[18] webroot          00.5% (18)  00.1% (29)  00.2% (31)  00.3% (25)  00.2% (29)  00.7% (16)  00.9% (11)
[19] form-field       00.5% (19)  00.7% (23)  00.8% (17)  00.5% (21)  00.2% (25)  00.4% (20)  00.5% (15)
[20] relpath          00.4% (20)  00.8% (22)  00.3% (29)  00.9% (14)  00.6% (18)  00.3% (23)  00.3% (20)
[21] race             00.4% (21)  00.5% (26)  00.4% (22)  00.6% (18)  00.4% (21)  00.6% (17)  00.3% (24)
[22] memleak          00.4% (22)  01.1% (18)  00.2% (32)  00.4% (22)  00.5% (19)  00.3% (22)  00.2% (26)
[23] msdos-device     00.4% (23)  01.0% (20)  00.6% (19)  00.9% (13)  00.2% (24)  00.2% (28)  00.0% (34)
[24] crlf             00.3% (24)  00.0%  N/A  00.2% (33)  00.1% (31)  00.5% (20)  00.4% (21)  00.3% (19)
[25] default          00.3% (26)  01.1% (16)  00.7% (18)  00.1% (32)  00.2% (26)  00.1% (33)  00.1% (29)
[26] spoof            00.3% (25)  01.0% (19)  00.3% (28)  00.1% (29)  00.1% (33)  00.2% (25)  00.3% (25)
[27] sandbox          00.3% (27)  01.2% (15)  01.0% (16)  00.0%  N/A  00.2% (31)  00.0% (34)  00.0%  N/A
[28] rand             00.3% (28)  01.2% (14)  00.6% (20)  00.3% (24)  00.2% (32)  00.0% (35)  00.2% (27)
[29] upload           00.3% (29)  00.0%  N/A  00.0% (36)  00.1% (30)  00.2% (27)  00.5% (18)  00.3% (22)
[30] signedness       00.2% (30)  00.1% (31)  00.4% (23)  00.8% (15)  00.2% (22)  00.3% (24)  00.0% (32)
[31] dos-release      00.2% (31)  00.9% (21)  00.5% (21)  00.2% (27)  00.2% (28)  00.0%  N/A  00.0%  N/A
[32] CF               00.2% (32)  00.7% (24)  00.3% (27)  00.2% (28)  00.0%  N/A  00.1% (31)  00.1% (28)
[33] eval-inject      00.2% (33)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0% (35)  00.2% (26)  00.3% (23)
[34] design           00.1% (34)  00.6% (25)  00.4% (24)  00.1% (33)  00.0% (34)  00.1% (32)  00.0% (31)
[35] double-free      00.1% (35)  00.0%  N/A  00.1% (35)  00.3% (23)  00.2% (23)  00.1% (30)  00.1% (30)
[36] CSRF             00.1% (37)  00.0%  N/A  00.0% (37)  00.0%  N/A  00.2% (30)  00.2% (29)  00.0% (33)
[37] type-check       00.1% (36)  00.4% (27)  00.4% (25)  00.0%  N/A  00.0%  N/A  00.0% (36)  00.0% (35)
[38] none             00.0% (38)  00.0%  N/A  00.1% (34)  00.0%  N/A  00.0%  N/A  00.0%  N/A  00.0%  N/A


UNKNOWN/UNSPECIFIED ITEMS
------------------------
unk              09.0%  N/A  07.9%  N/A  07.1%  N/A  07.0%  N/A  08.2%  N/A  08.9%  N/A  11.5%  N/A
other            15.2%  N/A  16.7%  N/A  19.0%  N/A  11.8%  N/A  17.2%  N/A  13.1%  N/A  14.9%  N/A
not-specified    06.9%  N/A  00.1%  N/A  03.0%  N/A  20.5%  N/A  11.3%  N/A  11.3%  N/A  00.3%  N/A






Flaw Terminology
-------------------
Type: other
Rank: [N/A]
Total vulns: 2467
Desc:

Other vulnerability; issue could not be described in version of
taxonomy that was available at the time the flaw type was determined.

-------------------------------------
Type: XSS
Rank: [1]
Total vulns: 2247
Desc:

Cross-site scripting (aka XSS)

-------------------------------------
Type: buf
Rank: [2]
Total vulns: 2156
Desc:

Buffer overflow

-------------------------------------
Type: unk
Rank: [N/A]
Total vulns: 1461
Desc:

Unknown vulnerability; report is too vague, or issue could not be
described in version of taxonomy that was available at the time the
flaw type was determined.

-------------------------------------
Type: sql-inject
Rank: [3]
Total vulns: 1416
Desc:

SQL injection vulnerability

-------------------------------------
Type: not-specified
Rank: [N/A]
Total vulns: 1119
Desc:

The analyst has not assigned a flaw type to the issue.

-------------------------------------
Type: dot
Rank: [4]
Total vulns: 764
Desc:

Directory traversal (file access via ".." or variants)

-------------------------------------
Type: php-include
Rank: [5]
Total vulns: 561
Desc:

PHP remote file inclusion

-------------------------------------
Type: infoleak
Rank: [6]
Total vulns: 540
Desc:

Information leak by a product, which is not the result of another
vulnerability; typically by design or by producing different "answers"
that suggest the state; often related to configuration / permissions
or error reporting/handling.

-------------------------------------
Type: dos-malform
Rank: [7]
Total vulns: 463
Desc:

DoS caused by malformed input

-------------------------------------
Type: link
Rank: [8]
Total vulns: 329
Desc:

Symbolic link following

-------------------------------------
Type: format-string
Rank: [9]
Total vulns: 296
Desc:

Format string vulnerability; user can inject format specifiers during
string processing.

-------------------------------------
Type: crypt
Rank: [10]
Total vulns: 261
Desc:

Cryptographic error (poor design or implementation)

-------------------------------------
Type: priv
Rank: [11]
Total vulns: 233
Desc:

Bad privilege assignment, or privileged process/action is
unprotected/unauthenticated.

-------------------------------------
Type: metachar
Rank: [12]
Total vulns: 218
Desc:

Unescaped shell metacharacters or other unquoted "special" chars;
currently includes SQL injection but not XSS.

-------------------------------------
Type: perm
Rank: [13]
Total vulns: 215
Desc:

Assigns bad permissions, improperly calculates permissions, or
improperly checks permissions

-------------------------------------
Type: int-overflow
Rank: [14]
Total vulns: 160
Desc:

A numeric value can be incremented to the point where it overflows and
begins at the minimum value, with security implications.  Overlaps
signedness errors.

-------------------------------------
Type: dos-flood
Rank: [15]
Total vulns: 131
Desc:

DoS caused by flooding with a large number of *legitimately formatted*
requests/etc.; normally DoS is a crash, or spending a lot more time on
a task than it "should"

-------------------------------------
Type: pass
Rank: [16]
Total vulns: 125
Desc:

Default password

-------------------------------------
Type: auth
Rank: [17]
Total vulns: 124
Desc:

Weak/bad authentication problem

-------------------------------------
Type: webroot
Rank: [18]
Total vulns: 88
Desc:

Storage of sensitive data under web document root with insufficient
access control.

-------------------------------------
Type: form-field
Rank: [19]
Total vulns: 81
Desc:

CGI program inherently trusts form field that should not be modified
(i.e. should be stored locally)

-------------------------------------
Type: relpath
Rank: [20]
Total vulns: 71
Desc:

Untrusted search path vulnerability - Relies on search paths to find
other executable programs or files, opening up to Trojan horse
attacks, e.g. PATH environment variable in Unix.

-------------------------------------
Type: race
Rank: [21]
Total vulns: 69
Desc:

General race condition (NOT SYMBOLIC LINK FOLLOWING (link)!)

-------------------------------------
Type: memleak
Rank: [22]
Total vulns: 61
Desc:

Memory leak (doesn't free memory when it should); use this instead of
dos-release

-------------------------------------
Type: msdos-device
Rank: [23]
Total vulns: 57
Desc:

Problem due to file names with MS-DOS device names.

-------------------------------------
Type: crlf
Rank: [24]
Total vulns: 49
Desc:

-------------------------------------
Type: spoof
Rank: [25]
Total vulns: 48
Desc:

Product is vulnerable to spoofing attacks, generally by not properly
verifying authenticity.

-------------------------------------
Type: default
Rank: [26]
Total vulns: 48
Desc:

Insecure default configuration, e.g. passwords or permissions

-------------------------------------
Type: sandbox
Rank: [27]
Total vulns: 46
Desc:

Java/etc. sandbox escape - NOT BY DOT-DOT!

-------------------------------------
Type: rand
Rank: [28]
Total vulns: 45
Desc:

Generation of insufficiently random numbers, typically by using easily
guessable sources of "random" data

-------------------------------------
Type: upload
Rank: [29]
Total vulns: 43
Desc:

-------------------------------------
Type: signedness
Rank: [30]
Total vulns: 38
Desc:

Signedness error; a numeric value in one format/representation is
improperly handled when it is used as if it were another
format/representation.  Overlaps integer overflows and array index
errors.

-------------------------------------
Type: dos-release
Rank: [31]
Total vulns: 30
Desc:

DoS because system does not properly release resources

-------------------------------------
Type: CF
Rank: [32]
Total vulns: 29
Desc:

General configuration problem

-------------------------------------
Type: eval-inject
Rank: [33]
Total vulns: 25
Desc:

Eval injection

-------------------------------------
Type: design
Rank: [34]
Total vulns: 23
Desc:

Design problem, generally in protocols or programming languages

-------------------------------------
Type: double-free
Rank: [35]
Total vulns: 21
Desc:

Double-free vulnerability

-------------------------------------
Type: type-check
Rank: [36]
Total vulns: 16
Desc:

Product incorrectly identifies the type of an input parameter or file,
then dispatches the wrong "executable" (possibly itself) to process
the input, or otherwise misrepresents the input in a security-critical
way.

-------------------------------------
Type: CSRF
Rank: [37]
Total vulns: 16
Desc:

-------------------------------------
Type: none
Rank: [38]
Total vulns: 2
Desc:

-------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flaw-stats.html
Type: application/octet-stream
Size: 14946 bytes
Desc: 
Url : http://www.attrition.org/pipermail/vim/attachments/20060914/42b97c1d/attachment-0001.obj 