
KEV + CWE = Attack Vector ❤️🔥
The Known Exploited Vulnerabilities (KEV) Catalog is a curated list of vulnerabilities that have been observed being exploited in the wild. Maintained by the Cybersecurity and Infrastructure Security Agency (CISA) in the United States, it acts as the authoritative source for vulnerabilities with confirmed real-world exploitation.
KEV differs from the standard Common Vulnerabilities and Exposures (CVE) program because it focuses on what is actually being exploited, not what could THEORETICALLY be exploited. In other words, the vast majority of CVEs are never exploited; only a small percentage are actually targeted by attackers.
But why do we care?

As API hackers we can use the data of known exploitable vulnerabilities to see how that maps to the Common Weakness Enumerations (CWE) that matter to us. If you are new to this concept, I recommend you check out my article on leveling up your vuln reports with CWEs.
In the remainder of this article, I will show you how to do it.
Let’s get started…
Mapping KEV to CWE
Mapping KEV to CWE is actually pretty easy. Each KEV entry is tied to a CVE, and each of those CVEs has already been assigned one or more CWE mappings by either the CVE Numbering Authority (CNA) that issued it or the analysts at the US National Vulnerability Database (NVD).
MITRE then examined that data and ranked each CWE by a calculated Analysis Score, which combines prevalence (how many KEV CVEs map to the CWE) with severity (the average CVSS score of those CVEs).
The result? The official CWE Top 10 KEV Weaknesses list.
CWE Top 10 KEV Weaknesses
Let’s look at the top 10 list and understand what vulnerabilities are actually getting exploited in the wild…
1. Use After Free
CWE-416 | Analysis score: 73.99 | # CVE Mappings in KEV: 44 | Avg. CVSS: 8.54
2. Heap-based Buffer Overflow
CWE-122 | Analysis score: 56.56 | # CVE Mappings in KEV: 32 | Avg. CVSS: 8.79
3. Out-of-bounds Write
CWE-787 | Analysis score: 51.96 | # CVE Mappings in KEV: 34 | Avg. CVSS: 8.19
4. Improper Input Validation
CWE-20 | Analysis score: 51.38 | # CVE Mappings in KEV: 33 | Avg. CVSS: 8.27
5. Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-78 | Analysis score: 49.44 | # CVE Mappings in KEV: 25 | Avg. CVSS: 9.36
6. Deserialization of Untrusted Data
CWE-502 | Analysis score: 29.00 | # CVE Mappings in KEV: 16 | Avg. CVSS: 9.06
7. Server-Side Request Forgery (SSRF)
CWE-918 | Analysis score: 27.33 | # CVE Mappings in KEV: 16 | Avg. CVSS: 8.72
8. Access of Resource Using Incompatible Type (‘Type Confusion’)
CWE-843 | Analysis score: 26.24 | # CVE Mappings in KEV: 16 | Avg. CVSS: 8.61
9. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-22 | Analysis score: 19.90 | # CVE Mappings in KEV: 14 | Avg. CVSS: 8.09
10. Missing Authentication for Critical Function
CWE-306 | Analysis score: 12.98 | # CVE Mappings in KEV: 8 | Avg. CVSS: 8.86
MITRE publishes a couple of good visualizations that help demonstrate all this. The first is a summary of the mapped categories:

The second is a treemap combining categories with the CWE Analysis Score:

KEV/CWE mapping to OWASP Security Top 10
It’s funny as you slice the data up. You see patterns. And as API hackers, some of them fall into our laps.
When I was recently writing about JSON injection I told you a story about how Samsung Smart Hubs could be exploited with an attack chain that ultimately led to code execution. How? Improper input validation (CWE-20) led to abuse of a memory safety issue (CWE-787).
Palo Alto Networks recently had vulnerabilities in its Expedition software, including command injection (CWE-78), that led to full system compromise.
Side note: it is quite sad to see injection exploited this heavily in the KEV catalog data when the OWASP API Security Top 10 dropped Injection (API8:2019) from its updated 2023 list.
When I wrote about exploiting SSRF in an API, I had CWE-918 in mind. It was the same when I wrote about How to use OAST to detect vulnerabilities in an API.
See where I am going with this? These mappings matter as they relate to practical attacks during API security testing.
Mapping KEV, CWE, and OWASP Top 10 Together
I could go on and on with examples. Instead, let me map the CWE Top 10 KEV Weaknesses to the OWASP Top 10 lists. This includes both the OWASP Top 10 and the OWASP API Security Top 10:
KEV Top 10 | Corresponding CWE | OWASP Top 10 / OWASP API Security Top 10
---------- | ----------------- | -----------------------------------------
KEV:1      | CWE-416           | API8:2019, A03:2021, A06:2021*
KEV:2      | CWE-122           | API8:2019, A03:2021, A06:2021*
KEV:3      | CWE-787           | API8:2019, A03:2021, A06:2021*
KEV:4      | CWE-20            | API8:2019, A03:2021, API4:2019
KEV:5      | CWE-78            | API8:2019, A03:2021
KEV:6      | CWE-502           | API8:2019, A08:2017, A08:2021
KEV:7      | CWE-918           | API7:2023, A10:2021
KEV:8      | CWE-843           | A04:2021
KEV:9      | CWE-22            | API1:2019, A01:2021, A05:2017
KEV:10     | CWE-306           | API2:2019, API2:2023
* The A06:2021 category in OWASP covers Vulnerable and Outdated Components. It’s a catch-all that accounts for components that are old and outdated and that may use languages that are not memory safe. Mapping KEV:1 through KEV:3 to A06:2021 is a stretch.
Improving your methodology with this mapped data
OK. We now have a mapping between KEV, CWE, and OWASP that represents real world exploitation.
What can we do with it?
I first want you to look at a few specific sections in a typical CWE record for a weakness that appears in the CWE Top 10 KEV Weaknesses list. For this example, I will use CWE-306: Missing Authentication for Critical Function, which maps to KEV:10 …
Likelihood of Exploit
This section quickly tells you how likely it is that this weakness will be exploited once it is present.

Demonstrative Examples
Some CWEs will provide sample code to demonstrate what bad code might look like. This can be useful if you have the ability to do source code analysis against a target API.

Observed Examples
Where possible, a CWE will link to actual CVEs and describe the vulnerability that can be abused.

Detection Methods
Many CWEs will include guidance on how to approach both manual and automated analysis for this potential vulnerability. You can use this to inform your approach when constructing your security testing.

Related Attack Patterns
Many CWEs link to related CAPEC entries. This is helpful because you can use those entries to learn how best to attack a target that may be susceptible to the CWE.

This last one is the REAL gem.
With CWEs clearly defined, you can cross-reference that information with the Common Attack Pattern Enumeration and Classification (CAPEC) database. If this concept is new to you, I highly recommend you check out some of my other articles on the subject:
- Adversarial Thinking for Bug Hunters
- 3 ways to use Common Attack Patterns to abuse an API
- Mapping Attack Patterns to your Threat Model
You will quickly see that the combined guidance from CWE and CAPEC helps inform your approach to attacking targets, grounded in the exploitation that real threat actors are actually carrying out.
In other words….
KEV → CWE → CAPEC = Attack Vector
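To make that chain concrete, here is an added worked example in Python that walks KEV → CWE → CAPEC end to end. It is my illustration, not code from the original post, CISA, or MITRE. Everything it reads is constructed: the KEV-shaped feed copies the field names of CISA's public known_exploited_vulnerabilities.json but the entries are invented; the NVD-style records stand in for the CWE and CVSS data CNAs and NVD attach to each CVE; and the CWE-to-CAPEC map is a hand-made excerpt of the Related Attack Patterns section that you would regenerate from the live CWE records. The Analysis Score uses the normalised frequency × normalised average CVSS × 100 formula MITRE publishes for the CWE Top 25; that the KEV Top 10 list used exactly this formula is an assumption on my part.

```python
"""KEV -> CWE -> CAPEC: rank the weaknesses behind an exploited-in-the-wild feed.

Added worked example; not code from the original post, CISA or MITRE.
Assumptions (all constructed and labelled):
  * KEV_FEED copies the field names of CISA's known_exploited_vulnerabilities.json
    ("vulnerabilities" -> "cveID", "vendorProject", "product"), but every entry is invented.
  * NVD_RECORDS stands in for the CWE and CVSS data that CNAs/NVD attach to each CVE;
    CWE_TO_CAPEC stands in for the "Related Attack Patterns" section of the CWE records.
  * The score is MITRE's CWE Top 25 formula (normalised frequency x normalised
    average CVSS x 100); that the KEV Top 10 list used it is an assumption here.
"""
from collections import defaultdict
from statistics import mean

KEV_FEED = {"vulnerabilities": [  # constructed sample, KEV-shaped
    {"cveID": f"CVE-EXAMPLE-{n:04d}", "vendorProject": "ExampleCorp", "product": "Gateway"}
    for n in range(1, 11)
]}

NVD_RECORDS = {  # constructed: cveID -> CWE list and CVSS base score
    "CVE-EXAMPLE-0001": {"cwes": ["CWE-416"], "cvss": 8.8},
    "CVE-EXAMPLE-0002": {"cwes": ["CWE-416"], "cvss": 7.8},
    "CVE-EXAMPLE-0003": {"cwes": ["CWE-416"], "cvss": 9.8},
    "CVE-EXAMPLE-0004": {"cwes": ["CWE-78"], "cvss": 9.8},
    "CVE-EXAMPLE-0005": {"cwes": ["CWE-78"], "cvss": 9.8},
    "CVE-EXAMPLE-0006": {"cwes": ["CWE-918"], "cvss": 8.6},
    # one CVE, two weaknesses: an input validation failure leading to an OOB write
    "CVE-EXAMPLE-0007": {"cwes": ["CWE-20", "CWE-787"], "cvss": 8.8},
    "CVE-EXAMPLE-0008": {"cwes": ["CWE-306"], "cvss": 9.8},
    # NVD's placeholder value when no weakness could be determined
    "CVE-EXAMPLE-0009": {"cwes": ["NVD-CWE-noinfo"], "cvss": 7.5},
    # CVE-EXAMPLE-0010 is in the KEV feed but has no NVD record yet
}

CWE_TO_CAPEC = {  # constructed excerpt of "Related Attack Patterns"; regenerate from cwe.mitre.org
    "CWE-78": ["CAPEC-88"],
    "CWE-918": ["CAPEC-664"],
    "CWE-306": ["CAPEC-36"],
    # the memory-safety CWEs carry no CAPEC links in this excerpt
}


def cwe_stats(kev, nvd):
    """Join KEV entries to their CWE mappings. Returns (cwe -> [cvss...], unmapped CVE IDs)."""
    per_cwe = defaultdict(list)
    unmapped = []
    for vuln in kev["vulnerabilities"]:
        rec = nvd.get(vuln["cveID"])
        # keep only real CWE IDs; NVD-CWE-noinfo / NVD-CWE-Other carry no weakness
        cwes = [c for c in (rec or {}).get("cwes", []) if c.startswith("CWE-")]
        if not cwes:
            unmapped.append(vuln["cveID"])  # needs manual triage, not silent drop
            continue
        for cwe in cwes:
            per_cwe[cwe].append(rec["cvss"])
    return per_cwe, unmapped


def analysis_scores(per_cwe):
    """CWE Top 25 style score: Fr(cwe) * Sv(cwe) * 100, both min-max normalised."""
    if not per_cwe:
        return {}
    counts = {c: len(s) for c, s in per_cwe.items()}
    avgs = {c: mean(s) for c, s in per_cwe.items()}
    fmin, fmax = min(counts.values()), max(counts.values())
    smin, smax = min(avgs.values()), max(avgs.values())

    def norm(x, lo, hi):  # a single CWE (or all-equal values) normalises to 1.0
        return 1.0 if hi == lo else (x - lo) / (hi - lo)

    return {c: round(norm(counts[c], fmin, fmax) * norm(avgs[c], smin, smax) * 100, 2)
            for c in per_cwe}


def attack_vectors(kev, nvd, cwe_to_capec, top=10):
    """Return (ranked rows with CAPEC links, CVEs that could not be mapped to a CWE)."""
    per_cwe, unmapped = cwe_stats(kev, nvd)
    scores = analysis_scores(per_cwe)
    ranked = sorted(per_cwe, key=lambda c: (-scores[c], -len(per_cwe[c]), c))[:top]
    rows = [{
        "rank": i, "cwe": c, "score": scores[c],
        "kev_count": len(per_cwe[c]), "avg_cvss": round(mean(per_cwe[c]), 2),
        "capec": cwe_to_capec.get(c, []),
    } for i, c in enumerate(ranked, 1)]
    return rows, unmapped


if __name__ == "__main__":
    rows, unmapped = attack_vectors(KEV_FEED, NVD_RECORDS, CWE_TO_CAPEC)
    for r in rows:
        print(f"{r['rank']:>2}. {r['cwe']:<8} score={r['score']:>6} kev={r['kev_count']} "
              f"avg_cvss={r['avg_cvss']} capec={', '.join(r['capec']) or '-'}")
    print("unmapped (review by hand):", unmapped)
```

Two things in the constructed output are worth noticing. CWE-78 outranks CWE-416 even though it has fewer KEV mappings, because the formula multiplies normalised frequency by normalised severity and the command injection CVEs all sit at CVSS 9.8. And every CWE at the minimum frequency scores 0.0, which is how the Top 25 formula behaves; the zero does not mean the weakness is irrelevant, only that it is the least frequent in this feed. The unmapped list is kept deliberately rather than dropped, since a KEV entry with no CWE is exactly the kind of gap you want to triage by hand.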
Conclusion
Aggregating data from vulnerability databases, incident reports, and threat intelligence sources, and then prioritizing weaknesses by exploit prevalence, impact severity, and ease of exploitation, benefits us as API hackers.
It lets us prioritize our testing efforts based on an understanding of how real-world targets are actually being exploited.

CISA and MITRE have already done all the hard work for us by categorizing the top 10 weaknesses we should be aware of, and know how to exploit. Understanding how to test and detect these weaknesses should inform your own hacking methodology, if you take the time to learn, understand, and adapt it.
Hopefully, I’ve given you a glimpse at how to do that.
One last thing…

Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly.
If you haven’t, subscribe at https://apihacker.blog.
The post KEV + CWE = Attack Vector ❤️🔥 appeared first on Dana Epp's Blog.
*** This is a Security Bloggers Network syndicated blog from Dana Epp's Blog authored by Dana Epp. Read the original post at: https://danaepp.com/kev-cwe-attack-vector