mark :: blog

16 Feb 2010: Red Hat's Top 11 Most Serious Flaw Types for 2009

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors was published today listing the most widespread issues that lead to software vulnerabilities.

During the creation and review of the list we spent some time to see how closely last years list matched the types of flaws we deal with at Red Hat. We first looked at all the issues that Red Hat fixed across our entire product portfolio in the 2009 calendar year and filtered out those that had the highest severity. All our 2009 vulnerabilities have CVSS scores, so we filtered on those that have a CVSS base score of 7.0 or above^[1].

There were 22 vulnerabilities that matched, and we mapped each one to the most appropriate CWE. This gives us 11 flaw types which led to the most severe flaws affecting Red Hat in 2009:

CWE CWE Description CWE/SANS
top 25? Number of
Vulnerabilities

CWE-476 NULL Pointer Dereference No (on cusp) 6

CWE-120 Buffer Copy without Checking Size of Input Yes 3

CWE-129 Improper Validation of Array Index Yes 3

CWE-131 Incorrect Calculation of Buffer Size Yes 3

CWE-78 OS Command Injection Yes 1

CWE-285 Improper Access Control (Authorization) Yes 1

CWE-362 Race Condition Yes 1

CWE-330 Use of Insufficiently Random Values No (on cusp) 1

CWE-590 Free of Memory not on the Heap No 1

CWE-672 Use of a Resource after Expiration or Release No (on cusp) 1

CWE-772 Missing Release of Resource after Effective Lifetime No (on cusp) 1

CWE	CWE Description	CWE/SANS top 25?	Number of Vulnerabilities
CWE-476	NULL Pointer Dereference	No (on cusp)	6
CWE-120	Buffer Copy without Checking Size of Input	Yes	3
CWE-129	Improper Validation of Array Index	Yes	3
CWE-131	Incorrect Calculation of Buffer Size	Yes	3
CWE-78	OS Command Injection	Yes	1
CWE-285	Improper Access Control (Authorization)	Yes	1
CWE-362	Race Condition	Yes	1
CWE-330	Use of Insufficiently Random Values	No (on cusp)	1
CWE-590	Free of Memory not on the Heap	No	1
CWE-672	Use of a Resource after Expiration or Release	No (on cusp)	1
CWE-772	Missing Release of Resource after Effective Lifetime	No (on cusp)	1

10 of the 11 CWE are mentioned in the 2010 CWE/SANS document, although 4 of them are on "the cusp" and didn't make it into the top 25.

This quick review shows us that 2009 was the year of the kernel NULL pointer dereference flaw, as they could allow local untrusted users to gain privileges, and several public exploits to do just that were released. For Red Hat, interactions with SELinux prevented them being able to be easily mitigated, until the end of the year when we provided updates. Now, in 2010, the upstream Linux kernel and many vendors ship with protections to prevent kernel NULL pointers leading to privilege escalation. So although 2009 was the year where CWE-476 mattered to Linux administrators, it didn't make the SANS/CWE top 25 as this flaw type should not lead to severe issues (as long as the protections remain sufficient).

Here is a breakdown with the complete data set to show the CVSS scores and packages affected:

CVE CWE top 25? CVSS
base Fixed in

CVE-2008-5182 CWE-362 Yes 7.2 Red Hat Enterprise Linux 5 (kernel)

CVE-2009-0065 CWE-129 Yes 8.3 Red Hat Enterprise Linux 4,5,MRG (kernel)

CVE-2009-0692 CWE-120 Yes 8.3 Red Hat Enterprise Linux 3,4 (dhcp)

CVE-2009-0778 CWE-772 No (on cusp) 7.1 Red Hat Enterprise Linux 5 (kernel)

CVE-2009-0846 CWE-590 No 9.3 Red Hat Enterprise Linux 2.1, 3 (krb5) ^[2]

CVE-2009-1185 CWE-131 Yes 7.2 Red Hat Enterprise Linux 5 (udev)

CVE-2009-1385 CWE-129 Yes 7.1 Red Hat Enterprise Linux 3,4,5,MRG (kernel)

CVE-2009-1439 CWE-131 Yes 7.1 Red Hat Enterprise Linux 4,5,MRG (kernel)

CVE-2009-1579 CWE-78 Yes 7.5 Red Hat Enterprise Linux 3,4,5 (squirrelmail)

CVE-2009-1633 CWE-131 Yes 7.1 Red Hat Enterprise Linux 4,5,MRG (kernel)

CVE-2009-2406 CWE-120 Yes 7.2 Red Hat Enterprise Linux 5 (kernel)

CVE-2009-2407 CWE-120 Yes 7.2 Red Hat Enterprise Linux 5 (kernel)

CVE-2009-2692 CWE-476 No (on cusp) 7.2 Red Hat Enterprise Linux 3,4,5,MRG (kernel)

CVE-2009-2694 CWE-129 Yes 7.5 Red Hat Enterprise Linux 3,4,5 (pidgin)

CVE-2009-2698 CWE-476 No (on cusp) 7.2 Red Hat Enterprise Linux 3,4,5 (kernel)

CVE-2009-2848 CWE-672 No (on cusp) 7.2 Red Hat Enterprise Linux 3,4,5,MRG (kernel)

CVE-2009-2908 CWE-476 No (on cusp) 7.2 Red Hat Enterprise Linux 5 (kernel)

CVE-2009-3238 CWE-330 No (on cusp) 7.8 Red Hat Enterprise Linux 4,5,MRG (kernel)

CVE-2009-3290 CWE-285 Yes 7.2 Red Hat Enterprise Linux 5 (kvm)

CVE-2009-3547 CWE-476 No (on cusp) 7.2 Red Hat Enterprise Linux 3,4,5,MRG (kernel)

CVE-2009-3620 CWE-476 No (on cusp) 7.2 Red Hat Enterprise Linux 4,5,MRG (kernel)

CVE-2009-3726 CWE-476 No (on cusp) 7.2 Red Hat Enterprise Linux 5,MRG (kernel)

CVE	CWE	top 25?	CVSS base	Fixed in
CVE-2008-5182	CWE-362	Yes	7.2	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-0065	CWE-129	Yes	8.3	Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-0692	CWE-120	Yes	8.3	Red Hat Enterprise Linux 3,4 (dhcp)
CVE-2009-0778	CWE-772	No (on cusp)	7.1	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-0846	CWE-590	No	9.3	Red Hat Enterprise Linux 2.1, 3 (krb5) ^[2]
CVE-2009-1185	CWE-131	Yes	7.2	Red Hat Enterprise Linux 5 (udev)
CVE-2009-1385	CWE-129	Yes	7.1	Red Hat Enterprise Linux 3,4,5,MRG (kernel)
CVE-2009-1439	CWE-131	Yes	7.1	Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-1579	CWE-78	Yes	7.5	Red Hat Enterprise Linux 3,4,5 (squirrelmail)
CVE-2009-1633	CWE-131	Yes	7.1	Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-2406	CWE-120	Yes	7.2	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-2407	CWE-120	Yes	7.2	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-2692	CWE-476	No (on cusp)	7.2	Red Hat Enterprise Linux 3,4,5,MRG (kernel)
CVE-2009-2694	CWE-129	Yes	7.5	Red Hat Enterprise Linux 3,4,5 (pidgin)
CVE-2009-2698	CWE-476	No (on cusp)	7.2	Red Hat Enterprise Linux 3,4,5 (kernel)
CVE-2009-2848	CWE-672	No (on cusp)	7.2	Red Hat Enterprise Linux 3,4,5,MRG (kernel)
CVE-2009-2908	CWE-476	No (on cusp)	7.2	Red Hat Enterprise Linux 5 (kernel)
CVE-2009-3238	CWE-330	No (on cusp)	7.8	Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-3290	CWE-285	Yes	7.2	Red Hat Enterprise Linux 5 (kvm)
CVE-2009-3547	CWE-476	No (on cusp)	7.2	Red Hat Enterprise Linux 3,4,5,MRG (kernel)
CVE-2009-3620	CWE-476	No (on cusp)	7.2	Red Hat Enterprise Linux 4,5,MRG (kernel)
CVE-2009-3726	CWE-476	No (on cusp)	7.2	Red Hat Enterprise Linux 5,MRG (kernel)

[1] NIST NVD rate vulnerabilities as "High" severity if they have a CVSS base score of 7.0-10.0. This ends up excluding flaws in web browsers such as Firefox which can have a maximum CVSS base score of 6.8.

[2] Red Hat Enterprise Linux 4 and 5 were also affected by this vulnerability, but with a lower CVSS base score of 4.3, due to the extra runtime pointer checking.

Created: 16 Feb 2010
Tagged as: cvss, cwe, fedora, metrics, red hat