WebApp Sec mailing list archives

Re: Vulnerability statistics


From: "Steven M. Christey" <coley () mitre org>
Date: Mon, 10 Jan 2005 20:09:22 -0500 (EST)


All,

As a part of some ongoing informal work I've done in vulnerability
classification, specific flaw types have been recorded in CVE data for
the past couple years.  This breaks down into about 20 or 25
categories, with approximately 25% being uncategorizable due to (1)
lack of information regarding the issue (thus Michael Howard's
difficulties), (2) flaw complexity, or (3) the flaw is outside the
given set of categories.

For those who are concerned with web application security itself, note
that some web-specific flaw types aren't yet captured in CVE's
internal flaw data, such as PHP code injection (as I've said, this has
been an informal project).  It is also interesting to note that the
stats for software overall can vary widely from those stats related to
web apps specifically; consider buffer overflows, which are
effectively nonexistent in applications that use scripted languages
(except where such scripts interface with other components).

Adam Shostack is correct in his commentary regarding some of the bias
in CVE, especially regarding CVE's focus on widely deployed software
(we have been working on improving our comprehensiveness to include
all software).

Another source of fairly unpreventable bias is in the researcher
community itself.  There are sometimes research "fads" in which people
focus on one or two new or interesting bug types; and each researcher
has his/her own skill set for finding particular kinds of bugs
(witness the results of DJ Bernstein's class, which found a mostly
narrow set of bugs).  Consider the top researchers, who often focus on
finding new classes of vulnerabilities, or in studying software that
has already been through stringent security development and testing
(relatively speaking, at least).

There are also terminological difficulties that can further bias the
data.  For example, integer overflows are often labeled "buffer
overflows;" where available, we've tried to make this distinction in
CVE descriptions by discussing "integer overflows that lead to buffer
overflows," and doing similar things with other bug types that use
buffer overflow attacks for exploitation (so Michael, double-check
your script ;-)

The lack of terminological precision can also skew the results.

Some examples:

  - "malformed input" is often blamed, without any further details;
    but there are many ways that input can be malformed.  Thus this is
    a very broad category.  Similar is "denial of service
    vulnerability" (which is a misnomer since DoS is the *result* not
    the *cause*)

  - Microsoft's security bulletins sometimes mention an "unchecked
    buffer" (MS04-045/CAN-2004-0567), which might technically be a
    buffer overflow, but not a classic style overflow if you're doing
    things like tampering with length fields; an open source example
    is CAN-2003-0695, which describes "buffer management errors."
    This might not be a big deal if you only care about broad
    categories, but it's important if you want to statistically
    demonstrate whether classic overflows are declining in popularity
    or not (I strongly suspect they are, but can't prove it because
    lots of reports just use "buffer overflow").

Finally, since this project has been informal, our internal processes
have not enforced the entry of a flaw type into each new CVE item
(although it's common practice).

These are some of the reasons why I haven't published any more
specific papers or descriptions of flaw trends based on CVE data,
although there were some interesting results that I described in a
presentation at the "Open Source Security Summit" in 2002.  That
presentation also showed some differences in flaw types between open
and closed source software, perhaps related to the use of static
vs. dynamic auditing methods and tools.

All that said - and with major disclaimers that this data is only
SUGGESTIVE and not AUTHORITATIVE, especially with respect to JUST web
bugs, and with the aforementioned BIASES - below are some more precise
statistics based on the past few years of CVE data.  People who've
seen CVE-based flaw stats in the past will notice the addition of
several new categories in this round.


Regards,
Steve Christey
CVE Editor



                         2002        2003        2004        TOTAL    
                        (1495)      ( 906)      (1194)      (3595)   
                      ----------  ----------  ----------  ---------- 
[ 1] buf              22.0% ( 1)  22.5% ( 1)  17.8% ( 1)  20.8% ( 1)
[ 2] CSS              07.9% ( 2)  06.1% ( 2)  05.7% ( 2)  06.7% ( 2)
[ 3] dos-malform      05.8% ( 3)  01.5% ( 7)  03.2% ( 4)  03.8% ( 3)
[ 4] dot              05.6% ( 4)  02.2% ( 6)  02.4% ( 8)  03.7% ( 4)
[ 5] link             02.5% ( 8)  03.2% ( 4)  04.2% ( 3)  03.3% ( 5)
[ 6] infoleak         03.7% ( 5)  01.5% ( 8)  02.3% ( 9)  02.7% ( 6)
[ 7] format-string    02.0% (10)  03.2% ( 3)  02.8% ( 5)  02.6% ( 7)
[ 8] sql-inject       01.7% (11)  02.8% ( 5)  02.5% ( 7)  02.3% ( 8)
[ 9] priv             02.7% ( 7)  00.7% (13)  01.3% (10)  01.7% ( 9)
[10] metachar         02.8% ( 6)  00.7% (14)  00.9% (12)  01.6% (10)
[11] int-overflow     00.5% (20)  01.4% ( 9)  02.8% ( 6)  01.5% (11)
[12] crypt            02.4% ( 9)  01.1% (10)  00.5% (15)  01.4% (12)
[13] perm             01.3% (15)  00.6% (15)  00.9% (11)  01.0% (13)
[14] auth             01.3% (14)  00.6% (16)  00.3% (20)  00.8% (14)
[15] dos-flood        01.3% (13)  00.2% (22)  00.3% (21)  00.7% (15)
[16] sandbox          01.4% (12)  00.0%  N/A  00.2% (24)  00.6% (16)
[17] pass             00.8% (17)  00.0%  N/A  00.8% (13)  00.6% (17)
[18] signedness       00.4% (23)  00.9% (11)  00.4% (19)  00.5% (18)
[19] relpath          00.3% (26)  00.4% (17)  00.8% (14)  00.5% (19)
[20] form-field       00.9% (16)  00.0%  N/A  00.3% (22)  00.4% (20)
[21] msdos-device     00.5% (21)  00.8% (12)  00.2% (25)  00.4% (21)
[22] race             00.4% (24)  00.3% (20)  00.4% (18)  00.4% (22)
[23] memleak          00.2% (29)  00.4% (18)  00.5% (16)  00.4% (23)
[24] double-free      00.1% (31)  00.4% (19)  00.5% (17)  00.3% (24)
[25] rand             00.6% (18)  00.1% (23)  00.1% (26)  00.3% (25)
[26] spoof            00.5% (22)  00.1% (24)  00.0%  N/A  00.2% (26)
[27] type-check       00.5% (19)  00.0%  N/A  00.0%  N/A  00.2% (27)
[28] default          00.4% (25)  00.1% (27)  00.0%  N/A  00.2% (28)
[29] dos-release      00.2% (30)  00.2% (21)  00.2% (23)  00.2% (29)
[30] CF               00.3% (27)  00.1% (25)  00.0%  N/A  00.2% (30)
[31] design           00.3% (28)  00.0%  N/A  00.0%  N/A  00.1% (31)
[32] path             00.0%  N/A  00.1% (26)  00.0%  N/A  00.0% (32)


UNKNOWN/UNSPECIFIED ITEMS
------------------------
unk              06.8%  N/A  02.3%  N/A  04.6%  N/A  05.0%  N/A
other            15.7%  N/A  02.8%  N/A  14.0%  N/A  11.9%  N/A
not-specified    06.1%  N/A  42.6%  N/A  29.0%  N/A  22.9%  N/A

Flaw Terminology
-------------------
Type: CF
Rank: [1]
Total vulns: 6
Desc:

General configuration problem

-------------------------------------
Type: dos-malform
Rank: [2]
Total vulns: 138
Desc:

DoS caused by malformed input

-------------------------------------
Type: dos-flood
Rank: [3]
Total vulns: 26
Desc:

DoS caused by flooding with a large number of *legitimately formatted*
requests/etc.; normally DoS is a crash, or spending a lot more time on
a task than it "should"

-------------------------------------
Type: pass
Rank: [4]
Total vulns: 21
Desc:

Default password

-------------------------------------
Type: sandbox
Rank: [5]
Total vulns: 23
Desc:

Java/etc. sandbox escape - NOT BY DOT-DOT!

-------------------------------------
Type: signedness
Rank: [6]
Total vulns: 19
Desc:

Signedness error; a numeric value in one format/representation is
improperly handled when it is used as if it were another
format/representation.  Overlaps integer overflows and array index
errors.

-------------------------------------
Type: metachar
Rank: [7]
Total vulns: 59
Desc:

unescaped shell metacharacters or other unquoted "special" chars;
currently includes SQL injection but not XSS.

-------------------------------------
Type: double-free
Rank: [8]
Total vulns: 12
Desc:

Double-free vulnerability

-------------------------------------
Type: other
Rank: [N/A]
Total vulns: 427
Desc:

Other vulnerability; issue could not be described in version of
taxonomy that was available at the time the flaw type was determined.

-------------------------------------
Type: spoof
Rank: [9]
Total vulns: 8
Desc:

Product is vulnerable to spoofing attacks, generally by not properly
verifying authenticity.

-------------------------------------
Type: path
Rank: [10]
Total vulns: 1
Desc:

OBSOLETE.  Reveals real pathname for files/etc.

-------------------------------------
Type: design
Rank: [11]
Total vulns: 4
Desc:

design problem, generally in protocols or programming languages

-------------------------------------
Type: sql-inject
Rank: [12]
Total vulns: 81
Desc:

SQL injection vulnerability

-------------------------------------
Type: infoleak
Rank: [13]
Total vulns: 98
Desc:

"intentional" information leak by product, i.e. not as the result of
another vulnerability; typically by design or by producing different
"answers" that suggest the state; often related to configuration /
permissions or error reporting/handling.

-------------------------------------
Type: form-field
Rank: [14]
Total vulns: 16
Desc:

CGI program inherently trusts form field that should not be modified
(i.e. stored locally)

-------------------------------------
Type: dos-release
Rank: [15]
Total vulns: 7
Desc:

DoS because system does not properly release resources

-------------------------------------
Type: CSS
Rank: [16]
Total vulns: 241
Desc:

Cross-site scripting (aka XSS or CSS)

-------------------------------------
Type: priv
Rank: [17]
Total vulns: 62
Desc:

Bad privilege assignment, or privileged process/action is
unprotected/unauthenticated.

-------------------------------------
Type: unk
Rank: [N/A]
Total vulns: 178
Desc:

Unknown vulnerability; report is too vague, or issue could not be
described in version of taxonomy that was available at the time the
flaw type was determined.

-------------------------------------
Type: msdos-device
Rank: [18]
Total vulns: 16
Desc:

Problem due to file names with MS-DOS device names.

-------------------------------------
Type: int-overflow
Rank: [19]
Total vulns: 54
Desc:

a numeric value can be incremented to the point where it overflows and
begins at the minimum value, with security implications.  Overlaps
signedness errors.

-------------------------------------
Type: memleak
Rank: [20]
Total vulns: 13
Desc:

memory leak (doesn't free memory when it should); use this instead of
dos-release

-------------------------------------
Type: default
Rank: [21]
Total vulns: 7
Desc:

Insecure default configuration, e.g. passwords or permissions

-------------------------------------
Type: rand
Rank: [22]
Total vulns: 11
Desc:

Generation of insufficiently random numbers, typically by using easily
guessable sources of "random" data

-------------------------------------
Type: relpath
Rank: [23]
Total vulns: 18
Desc:

relies on search paths to find other executable programs or files,
opening up to Trojan horse attacks, e.g. PATH environment variable in
Unix.

-------------------------------------
Type: type-check
Rank: [24]
Total vulns: 8
Desc:

Product incorrectly identifies the type of an input parameter or file,
then dispatches the wrong "executable" (possibly itself) to process
the input, or otherwise misrepresents the input in a security-critical
way.

-------------------------------------
Type: link
Rank: [25]
Total vulns: 117
Desc:

symbolic link following

-------------------------------------
Type: auth
Rank: [26]
Total vulns: 29
Desc:

Weak/bad authentication problem

-------------------------------------
Type: buf
Rank: [27]
Total vulns: 746
Desc:

buffer overflow

-------------------------------------
Type: format-string
Rank: [28]
Total vulns: 93
Desc:

Format string vulnerability; user can inject format specifiers during
string processing.

-------------------------------------
Type: race
Rank: [29]
Total vulns: 14
Desc:

general race condition (NOT SYMBOLIC LINK FOLLOWING (link)!)

-------------------------------------
Type: crypt
Rank: [30]
Total vulns: 52
Desc:

Cryptographic error (poor design or implementation)

-------------------------------------
Type: dot
Rank: [31]
Total vulns: 132
Desc:

directory traversal (file access via ".." or variants)

-------------------------------------
Type: perm
Rank: [32]
Total vulns: 35
Desc:

assigns bad permissions, improperly calculates permissions, or
improperly checks permissions

-------------------------------------
Type: not-specified
Rank: [N/A]
Total vulns: 823
Desc:

The analyst has not assigned a flaw type to the issue.

-------------------------------------
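As an added example that is not part of Steve's post, the following Python script parses rows in the layout of the statistics table above (overall rank, flaw type, then one "percentage (rank)" or "percentage N/A" cell per column) and reconstructs absolute counts from the percentages and the per-column totals in the table header (1495, 906, 1194, 3595). It then checks those reconstructed counts against the "Total vulns" figures given in the Flaw Terminology section, allowing for the rounding slack of a one-decimal percentage. The row sample is copied from the table; the names (`YEAR_TOTALS`, `parse_rows`, `implied_counts`, `check_consistency`) and the tolerance logic are this example's own, not anything from CVE or the original message.

```python
import re

# Column totals from the table header of the post (number of CVE items per year).
YEAR_TOTALS = {"2002": 1495, "2003": 906, "2004": 1194, "TOTAL": 3595}
YEARS = ["2002", "2003", "2004", "TOTAL"]

# Constructed sample: five rows copied verbatim from the table in the post.
SAMPLE_ROWS = """\
[ 1] buf              22.0% ( 1)  22.5% ( 1)  17.8% ( 1)  20.8% ( 1)
[ 2] CSS              07.9% ( 2)  06.1% ( 2)  05.7% ( 2)  06.7% ( 2)
[ 8] sql-inject       01.7% (11)  02.8% ( 5)  02.5% ( 7)  02.3% ( 8)
[11] int-overflow     00.5% (20)  01.4% ( 9)  02.8% ( 6)  01.5% (11)
[16] sandbox          01.4% (12)  00.0%  N/A  00.2% (24)  00.6% (16)
"""

# "Total vulns" figures for the same flaw types, from the Flaw Terminology section.
STATED_TOTALS = {"buf": 746, "CSS": 241, "sql-inject": 81,
                 "int-overflow": 54, "sandbox": 23}

# "[ 1] buf   <cells>": overall rank in brackets, flaw type, rest of the row.
ROW_RE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)\s+(.*)$")
# One cell: "22.0% ( 1)" or "00.0%  N/A" (rank group is empty when N/A).
CELL_RE = re.compile(r"(\d+\.\d+)%\s+(?:\(\s*(\d+)\)|N/A)")


def parse_rows(text):
    """Parse table rows into {flaw: {overall_rank, pct{year}, rank{year}}}."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # skip headers, separators and blank lines
        overall_rank, flaw, rest = int(m.group(1)), m.group(2), m.group(3)
        cells = CELL_RE.findall(rest)
        if len(cells) != len(YEARS):
            raise ValueError(f"row {flaw!r}: expected {len(YEARS)} cells, got {len(cells)}")
        rows[flaw] = {
            "overall_rank": overall_rank,
            "pct": {y: float(p) for y, (p, _) in zip(YEARS, cells)},
            # An N/A rank (0.0% for that year) is recorded as None.
            "rank": {y: (int(r) if r else None) for y, (_, r) in zip(YEARS, cells)},
        }
    return rows


def implied_counts(row):
    """Absolute counts implied by each column's percentage and that column's total."""
    return {y: round(row["pct"][y] / 100 * YEAR_TOTALS[y]) for y in YEARS}


def check_consistency(rows, stated):
    """Check each stated 'Total vulns' figure against the TOTAL-column percentage.

    A percentage printed with one decimal could have come from any true value
    within +/-0.05 points, so the stated count must lie in that interval of 3595.
    """
    n = YEAR_TOTALS["TOTAL"]
    report = {}
    for flaw, row in rows.items():
        pct = row["pct"]["TOTAL"]
        lo = (pct - 0.05) / 100 * n
        hi = (pct + 0.05) / 100 * n
        report[flaw] = {
            "implied": implied_counts(row)["TOTAL"],
            "stated": stated[flaw],
            "within_rounding": lo <= stated[flaw] <= hi,
        }
    return report


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for flaw, r in check_consistency(rows, STATED_TOTALS).items():
        per_year = implied_counts(rows[flaw])
        print(f"{flaw:14s} implied {r['implied']:4d}  stated {r['stated']:4d}  "
              f"by-year sum {sum(per_year[y] for y in YEARS[:-1]):4d}  "
              f"consistent={r['within_rounding']}")
```

Summing the three per-year counts gives an independent second reconstruction: for `buf` it comes to 329 + 204 + 213 = 746, exactly the figure in the terminology section, which is a useful sanity check that the per-year totals in the header and the percentages were computed over the same set of items.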

