Common Weakness Enumeration

CWE Glossary Definition

News & Events - 2020 Archive

Right-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org.

CWE Version 4.3 Now Available

December 10, 2020 | Share this article

CWE Version 4.3 has been posted on the CWE List page to add 20 new Hardware Design Weaknesses; 6 new Software Development Weaknesses submitted by community members; and 1 new software view, CWE-1340: CISQ Data Protection Measures; among other updates. A detailed report is available that lists specific changes between Version 4.2 and Version 4.3.

Main Changes

CWE 4.3 includes the following updates:

1) Twenty (20) new hardware weaknesses:

• CWE-1310: Missing Ability to Patch ROM Code
• CWE-1311: Improper Translation of Security Attributes by Fabric Bridge
• CWE-1312: Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
• CWE-1313: Hardware Allows Activation of Test or Debug Logic at Runtime Causing Interference with Intended Operations
• CWE-1314: Missing Write Protection for Parametric Data Values
• CWE-1315: Improper Setting of Bus Controlling Capability in Fabric End-point
• CWE-1316: Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
• CWE-1317: Missing Security Checks in Fabric Bridge
• CWE-1319: Improper Protection against Electromagnetic Fault Injection (EM-FI)
• CWE-1320: Improper Protection for Out of Bounds Signal Level Alerts
• CWE-1323: Improper Management of Sensitive Trace Data
• CWE-1324: Sensitive Information Accessible by Physical Probing of JTAG Interface
• CWE-1326: Missing Immutable Root of Trust in Hardware
• CWE-1328: Security Version Number Mutable to Older Versions
• CWE-1329: Reliance on Component That is Not Updateable
• CWE-1330: Remanent Data Readable after Memory Erase
• CWE-1331: Improper Isolation of Shared Resources in Network On Chip
• CWE-1332: Improper Protection Against Fault Injection Allows Instruction Skipping
• CWE-1334: Unauthorized Error Injection Can Degrade Hardware Redundancy
• CWE-1338: Improper Protections Against Hardware Overheating

2) Six (6) new software weaknesses:

• CWE-1318: Missing Support for Security Features in On-Chip Fabrics or Buses
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
• CWE-1322: Use of Blocking Code in Single-threaded, Non-blocking Context
• CWE-1325: Improperly Controlled Sequential Memory Allocation
• CWE-1327: Binding to an Unrestricted IP Address
• CWE-1329: Reliance on Component That is Not Updateable

3) Add 1 new software view: CWE-1340: CISQ Data Protection Measures.

3) Updated 111 existing entries to add relationships for the 26 new weaknesses added in CWE Version 4.2.

Summary:

There are 916 weaknesses and a total of 1335 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.2_v4.3.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

Minutes from CWE/CAPEC Board Teleconference Meeting on November 17 Now Available

November 30, 2020 | Share this article

The CWE/CAPEC Board held a teleconference meeting on November 17, 2020. Read the meeting minutes.

Use of CWE for Hardware Encouraged in “Establishing A Special Interest Group On Common Hardware Weaknesses” Article on Semiconductor Engineering

November 18, 2020 | Share this article

Use of CWE for hardware is encouraged in a November 18, 2020 article entitled “Establishing A Special Interest Group On Common Hardware Weaknesses” on Semiconductor Engineering. The author first discusses the creation of the CWE/CAPEC Board before advocating the importance of the Hardware CWE Special Interest Group (HW CWE SIG): “The HW CWE SIG has been established as a forum for researchers and representatives from organizations operating in hardware design, manufacturing, and security to interact with a common goal. The goal is to share opinions and expertise and leverage each other’s experiences in supporting the continued growth and adoption of CWE as a common language for defining hardware security weaknesses. With over 40 representatives across both commercial and government including NVIDIA, Lattice Semiconductor, Accellera, Intel, Battelle, Bosch, BAE, Synopsys and Tortuga Logic to name a few, the HW CWE SIG is off to a brilliant start.” Other hardware-related efforts are also discussed.

CWE Program Establishes Hardware CWE Special Interest Group (HW CWE SIG)

November 18, 2020 | Share this article

The CWE Program has established a Hardware CWE Special Interest Group (HW CWE SIG) to serve as a forum for researchers and representatives from organizations operating in hardware design, manufacturing, and security to interact, share opinions and expertise, and leverage each other’s experiences in supporting the continued growth and adoption of CWE as a common language for defining hardware security weaknesses.

The objective of the HW CWE SIG is to establish a stakeholder community for discussing HW CWE content and explore further cross-organizational collaboration opportunities. Members will work with each other through open and collaborative discussions to provide critical input regarding domain coverage, coverage goals, and content hierarchical structure.

Who Should Attend?

Hardware researchers, designers, security professionals, and companies representing OEMs/system integrators and tools/infrastructure vendors. Managers are also welcome, although it is preferred that they are accompanied by technical staff.

Meetings

Meetings are tentatively set to occur on the 4th Friday of each month from 12:30 – 1:30 PM EST. Meetings will be held on Microsoft Teams. As the SIG grows, the number of representatives from a single organization may be capped.

Typical agenda:

• Review existing HW CWE content
• New HW CWE content suggestions
• Identifying HW CWEs with analysis tools
• Explore potential collaborative efforts in between meetings

How to Join

To participate, please contact us to sign up for the next meeting.

CWE Blog Article Focuses on Decreasing Costly Cyber Risk by Communicating About and Mitigating Weaknesses

November 17, 2020 | Share this article

The CWE Team has posted a “CWE-23: Starbucks misses a weakness, almost loses over 50% of their 2019 profit ($15B)” blog article about decreasing potentially costly cyber risk by communicating about, and mitigating, weaknesses.

Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Blog Article Focuses on Why “Fixing Vulnerabilities Costs 100x More If You Don’t Understand the Weakness”

November 12, 2020 | Share this article

The CWE Team has posted a “Fixing Vulnerabilities Costs 100x More If You Don’t Understand the Weakness” blog article about the value of including weakness information in vulnerability descriptions.

Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Blog Article Focuses on How Data Was Analyzed for the “2020 CWE Top 25”

October 29, 2020 | Share this article

The CWE Team has posted a “2020 CWE Top 25 Analysis” blog article that provides insights into the data analysis activities associated with calculating the 2020 CWE Top 25 list.

The intent of the article is to supplement the methodology previously published on the 2020 CWE Top 25 page on the CWE website, and to provide further transparency into the technical process behind calculating the final list.

Read the complete article on the CWE/CAPEC Blog on Medium.

Use of CWE for Hardware Encouraged in Article about Capture the Flag (CTF) Competitions on EE Times

September 30, 2020 | Share this article

Use of CWE for hardware is encouraged in a September 29, 2020 article entitled “Capture-the-Flag Competitions Need to Include Hardware” on EE Times.

CWE is first mentioned in a section entitled “Focusing on hardware security” in which the author states that the industry needs to foster greater awareness about security weaknesses commonly associated with hardware designs in order to reduce them. CWE is mentioned as follows: “One excellent example of this type of industry effort is the community-driven Hardware Common Weakness Enumeration (CWE), maintained by MITRE. With the latest release, CWE 4.2, the industry now has access to a catalogue of 75 commonly overlooked hardware weakness types organized under 12 categories. Each hardware weakness type illustrates a common security concern with one or more examples, followed by strategies on how to identify and mitigate the concern. The launch of an industry-wide, standardized system of enumeration helps pave the way for better hardware security, but there is so much more we can do.”

The author then describes how including CWE hardware weaknesses in CTF competitions can “help tip the scales when it comes to building industry awareness, and creating a mindset and skillset about hardware security weaknesses.”

After providing an example of how CWEs for hardware can be incorporated into a CTF, the author also mentions CWE in the conclusion of the article: “Establishing better hardware security practices and capabilities is an imperative in today’s threat landscape ... The inherent challenges associated with building robust, secure hardware demand more focus and stronger collaboration from parties throughout the industry and academia. The Hardware CWE serves as a community-driven primer that facilitates systematic analysis of hardware vulnerability patterns, detection techniques and mitigation approaches ... Through a fun and educational medium, [CTF] participants experience firsthand the key challenges faced by the hardware design community and walk away not only with new skills, but inspiration to take part in efforts to help the broader community.”

2020 “CWE Top 25” Receives Extensive News Media Coverage

September 30, 2020 | Share this article

The recently released “2020 CWE Top 25 Most Dangerous Software Errors” list received extensive global media coverage, and feedback from the community. We thank the community for all your feedback regarding the new CWE Top 25.

Below is a partial list of articles from around the world about the 2020 CWE Top 25:

Please send any feedback about the new CWE Top 25 to us on the CWE Research email list, CWE page on LinkedIn, @CWECAPEC on Twitter, or contact us directly.

Minutes from CWE/CAPEC Board Teleconference Meeting on September 14 Now Available

September 30, 2020 | Share this article

The CWE/CAPEC Board held a teleconference meeting on September 14, 2020. Read the meeting minutes.

CWE/CAPEC Has a New Blog on Medium!

September 1, 2020 | Share this article

The CWE/CAPEC Program has a new CWE/CAPEC Blog on Medium! The purpose of the new blog is to help strengthen the community around CWE; explain some of the differences between CWE, CAPEC, CVE, ATT&CK, and other cyber observables; and by leveraging real-word cybersecurity events to show how CWE can be used to prevent future vulnerabilities.

Our blog posts to-date:

We encourage you to engage with us on these and future posts. Please contact us with any suggestions for future blog topics. We look forward to hearing from you!

2020 “CWE Top 25” Now Available!

August 20, 2020 | Share this article

The official version of the “2020 CWE Top 25 Most Dangerous Software Weaknesses,” a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software, is now available on the CWE website.

These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can be help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.

What’s Changed

The major difference between the 2019 and 2020 CWE Top 25 lists is the increased transition to more specific weaknesses as opposed to abstract class-level weaknesses. While these class-level weaknesses still exist in the list, they have moved down in the ranking. This movement is expected to continue in future years as the community improves its mapping to more specific weaknesses. For example, class-level weaknesses CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, CWE-20: Improper Input Validation, and CWE-200: Exposure of Sensitive Information to an Unauthorized Actor each move down a couple of spots; while more specific weaknesses like CWE-79: Improper Neutralization of Input During Web Page Generation, CWE-787: Out-of-bounds Write and CWE-125: Out-of-bounds Read moved up to take their place. This change, and subsequent future movement, will greatly benefit users that are attempting to understand the actual issues that threaten today’s systems.

Leveraging Real-World Data

To create the 2020 list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents.

The 2020 CWE Top 25 leverages NVD data from the years 2018 and 2019, which consists of approximately 27,000 CVEs that are associated with a weakness. A scoring formula is used to calculate a ranked order of weaknesses which combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen.

For more detailed information including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page.

Feedback Welcome

Please send any feedback or questions to the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or contact us directly.

CWE Version 4.2 Now Available

August 20, 2020 | Share this article

CWE Version 4.2 has been posted on the CWE List page to add support for the recently released “2020 CWE Top 25 Most Dangerous Software Weaknesses” list, among other updates.

A detailed report is available that lists specific changes between Version 4.1 and Version 4.2.

Main Changes:

CWE 4.2 includes the addition of 2 new views, one to support the release of the 2020 CWE Top 25 and the other for the Consortium for Information & Software Quality (CISQ) Automated Source Code Quality Measures released in 2020; 1 new software weakness; and 15 new hardware weaknesses. In addition, there were 259 changes to relationships throughout the corpus. There were no schema changes.

Two new views added:

• CWE-1350: Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
• CWE-1305: CISQ Quality Measures (2020)

One new software weakness added:

• CWE-1293: Missing Source Correlation of Multiple Independent Data

Fifteen new hardware weaknesses added:

• CWE-1255: Comparison Logic is Vulnerable to Power Side-Channel Attacks
• CWE-1290: Incorrect Decoding of Security Identifiers
• CWE-1291: Public Key Re-Use for Signing both Debug and Production Code
• CWE-1292: Incorrect Conversion of Security Identifiers
• CWE-1294: Security Identifier Issues
• CWE-1295: Debug Messages Revealing Unnecessary Information
• CWE-1296: Incorrect Chaining or Granularity of Debug Components
• CWE-1297: Unprotected Confidential Information on Device is Accessible by Outsourced Semiconductor Assembly and Test (OSAT) Vendors
• CWE-1298: Hardware Logic Contains Race Conditions
• CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface
• CWE-1300: Improper Protection Against Physical Side Channels
• CWE-1301: Insufficient or Incomplete Data Removal within Hardware Component
• CWE-1302: Missing Security Identifier
• CWE-1303: Non-Transparent Sharing of Microarchitectural Resources
• CWE-1304: Loading Untrusted Hardware Configuration State During a Power Save/Restore Operation

Summary:

There are 891 weaknesses and a total of 1309 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.1_v4.2.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

Minutes from CWE/CAPEC Board Teleconference Meeting on August 4 & 6 Now Available

August 17, 2020 | Share this article

The CWE/CAPEC Board held a teleconference meeting on August 4 & 6, 2020. Read the meeting minutes.

New CWE/CAPEC Board Includes Representatives from IT and Cybersecurity Communities

July 20, 2020 | Share this article

CWE has established a new CWE/CAPEC Board comprised of representatives from commercial hardware and software vendors, academia, government departments and agencies, and other prominent security experts that will set and promote the goals and objectives of the Common Weakness Enumeration (CWE™)/Common Attack Pattern Enumeration and Classification (CAPEC™) Program.

Members of the CWE/CAPEC Board will work with each other and the community to advise and advocate for the CWE/CAPEC Program. Through open and collaborative discussions, board members will provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. All Board Meetings and Board Email List Discussions will be archived for the community.

The newly established Board includes representatives from the following organizations: Cloud Security Alliance, Consortium for IT Software Quality (CISQ), Cybersecurity and Infrastructure Security Agency (CISA), GrammaTech, Intel, Micro Focus, MITRE (CWE/CAPEC Board Moderator), National Institute of Standards and Technology (NIST), Open Web Application Security Project (OWASP), SANS, Synopsys, Tortuga Logic, Università degli Studi di Milano - Bicocca, and Veracode.

Visit the CWE/CAPEC Board page to learn more and/or to view the complete list of members.

CWE Version 4.1 Now Available

June 25, 2020 | Share this article

CWE Version 4.1 has been posted on the CWE List page to add 27 new Hardware Design Weaknesses and 8 new Software Development Weaknesses, among other updates. A detailed report is available that lists specific changes between Version 4.0 and Version 4.1.

The schema was updated from v6.2 to v6.3 to ensure that some XML elements are always provided or non-empty, for content history and relationships. View the schema difference report for details.

Main Changes

CWE 4.1 includes the following updates:

1) Twenty-seven (27) new hardware weaknesses:

• CWE-1254: Incorrect Comparison Logic Granularity
• CWE-1256: Hardware Features Enable Physical Attacks from Software
• CWE-1257: Improper Access Control Applied to Mirrored or Aliased Memory Regions
• CWE-1258: Sensitive Information Uncleared During Debug Flows
• CWE-1259: Improper Protection of Security Identifiers
• CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges
• CWE-1261: Improper Handling of Single Event Upsets
• CWE-1262: Register Interface Allows Software Access to Sensitive Data or Security Settings
• CWE-1263: Insufficient Physical Protection Mechanism
• CWE-1264: Hardware Logic with Insecure De-Synchronization between Control and Data Channels
• CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device
• CWE-1267: Policy Uses Obsolete Encoding
• CWE-1268: Control Policy in Hardware Design Contains Agents not in Write Policy
• CWE-1269: Product Released in Non-Release Configuration
• CWE-1270: Incorrect Generation of Security Identifiers
• CWE-1271: Missing Known Value on Reset for Registers Holding Security Settings
• CWE-1272: Debug/Power State Transitions Leak Information
• CWE-1273: Device Unlock Credential Sharing
• CWE-1274: Insufficient Protections on the Volatile Memory Containing Boot Code
• CWE-1276: Hardware Block Incorrectly Connected to Larger System
• CWE-1277: Firmware Not Updateable
• CWE-1278: Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
• CWE-1279: Cryptographic Primitives used without Successful Self-Test
• CWE-1280: Access Control Check Implemented After Asset is Accessed
• CWE-1281: Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)
• CWE-1282: Immutable Data Stored in Writable Memory
• CWE-1283: Mutable Attestation or Measurement Reporting Data

2) Two (2) new software weaknesses:

• CWE-1265: Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
• CWE-1275: Sensitive Cookie with Improper “SameSite” Attribute

3) Refactored CWE-20: Improper Input Validation to add six (6) new children for different kinds of validation characteristics:

• CWE-1284: Improper Validation of Specified Quantity in Input
• CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input
• CWE-1286: Improper Validation of Syntactic Correctness of Input
• CWE-1287: Improper Validation of Specified Type of Input
• CWE-1288: Improper Validation of Consistency within Input
• CWE-1289: Improper Validation of Unsafe Equivalence in Input

The Description for CWE-20 was also updated to clarify that input validation is just one technique used to ensure that inputs are shown in CWE-707: Improper Neutralization.

4) Updated 214 existing entries to add relationships for the 35 new weaknesses added in CWE Version 4.1.

Summary

There are 875 weaknesses and a total of 1287 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.0_v4.1.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

“Designers vs. Hackers: How Hardware Common Weakness Enumeration Tips the Scale” Article on EE Times

June 10, 2020 | Share this article

CWE for hardware is the main topic of a June 9, 2020 article entitled “Designers vs. Hackers: How Hardware Common Weakness Enumeration Tips the Scale” on EE Times.

In the article, the author discusses how Common Weakness Enumeration (CWE™) and Common Vulnerabilities and Exposures (CVE®) “have served as leading resources for tracking software weaknesses by category and known vulnerability instances [and how] software architects and developers use these tools to help ensure that they avoid building security issues into their software products, while researchers and vendors seek to detect and append newfound vulnerabilities to build an ever-growing collective reference for rooting out software security issues.” The author says hardware industry must do the same since in recent years attackers are now focusing on the hardware layer as well.

The author describes the problem in detail and identifies CWE for hardware as a community-developed solution: “The industry needs standardized, open access to this level of insight into common hardware security issues. We need a common language that can be used by researchers and vendors to share key learnings and best practices with one another effectively” and with CWE Version 4.0 “we are now one step closer to the holy grail” as the “new CWE Hardware Design View already includes 30 hardware issues that are often overlooked by hardware designers.”

In concluding the article, the author discusses the benefits of a “robust hardware CWE” for architects, designers, verification engineers, security researchers, and the entire hardware industry overall. The author states: “The new CWE 4.0 is a fantastic initial step upon which the industry can rally behind and build upon — enabling practitioners to speak the same language as they continue to improve the security robustness of hardware products that people around the world rely upon every day.”

“Most Common Open Source CWEs” Included in Article on Security Boulevard

June 10, 2020 | Share this article

CWE is included in a June 4, 2020 article entitled “June 2020 Open Source Security Vulnerabilities Snapshot” on Security Boulevard that discusses 500 new open source vulnerabilities published by WhiteSource database in May 2020.

CWE is mentioned in section entitled “Most Common Open Source CWEs in May” in which the author states: “The three most common CWEs in May remain CWE-79 (XSS), CWE-20 (Improper Input Validation), CWE-200 (Information Exposure), and XSS vulnerabilities have quite the lead.” Of these, the author focuses on CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), which “has been the most common vulnerability type over the past two years and has been one of the three most common CWEs for several years prior.” A chart of the top five most common weaknesses for May is also provided that cites two additional weaknesses, “CWE-125 (Out of Bounds Read)” and “CWE-416 (Use After Free)”.

CWE References Added to Red Hat’s GNU Compiler Collection

June 10, 2020 | Share this article

The inclusion of CWE references in Red Hat, Inc.’s GNU Compiler Collection (GCC) was announced in a March 26, 2020 article entitled “Static analysis in GCC 10” on the Red Hat Developer Blog, as follows: “GCC has learned some new tricks; first, the ability for diagnostics to have Common Weakness Enumeration (CWE) identifiers. In this example, the double-free diagnostic is tagged with CWE-415. This tag hopefully makes the output more clear, improves precision, and gives you something simple to type into search engines. So far, only diagnostics from -fanalyzer have been tagged with CWE weakness identifiers. If you’re using GCC 10 with a suitable terminal (e.g. recent gnome-terminal), the CWE identifier is a clickable hyperlink, taking you to a description of the problem.”

Leveraging the CWE Top 25 Is Main Topic of Article on Infosecurity Magazine

May 8, 2020 | Share this article

How to leverage the 2019 release of the CWE Top 25 Most Dangerous Software Errors is the main topic of a May 8, 2020 article entitled “How Useful Is MITRE's '25 Most Dangerous Software Errors' List?” on Infosecurity Magazine.

The author begins the article by describing how the new release of the CWE Top 25 is significantly different from previous versions, most importantly by using real-world data from Common Vulnerabilities and Exposures (CVE®) and the National Institute of Standards and Technology’s National Vulnerability Database (NVD) and the impact that the CWE Top 25 can have on software development and procurement: “Software vendors or specific programs that have a lot of CWE weaknesses near the top of the list tell a story of its own. For instance, over time, should these weaknesses persist, software buyers can form their own judgments about the security design lifecycle and associated risks that they present.”

In a discussion about attack sequences, the author describes how the CWE Top 25 can offer a different approach regarding addressing the vulnerabilities identified by CVE Entries and that by ”Aligning them with the CWE ranking, which also considers criticality and causality, reveals deeper patterns that can help software companies prioritize their security development lifecycle going forward.” Also discussed is a real-world example of attackers using software vulnerabilities and weaknesses for the “EternalBlue” MS17-010 exploit that “leveraged three different software security issues to accomplish remote code execution.” The author states: “What’s instructive is that the attackers needed each component for the others to work effectively, or at all. This tells defenders something very important – while it’s important to patch all of the software security issues in a timely manner, with modern attacks, even if one of the related software security issues is patched, it can often be possible to disrupt the attack involving multiple vulnerabilities tied to different programming weaknesses.”

Regarding how to leverage the 2019 CWE Top 25, the author notes that the CWE Top 25 was “never intended to be enough on its own: it must always be used as a resource rather than a prescription … In a sense it operates as a mirror into the world of cybercriminal development which locks into common software problems, and gives defenders important clues to counter the problems. These should be figured into the context of what's critical for a given organization or environment and the software components used, so security teams stand the best chance at mitigating the biggest threats to their businesses.”

Read the entire article at https://www.infosecurity-magazine.com/opinions/mitre-software-errors/.

“Hardware CWEs…This will Change Everything” Article on Embedded Computing Design

April 17, 2020 | Share this article

CWE for hardware weaknesses is the main topic of an April 13, 2020 article entitled “Hardware CWEs…This will Change Everything” on Embedded Computing Design, in which the author describes the necessity for hardware security as follows: “[Ensuring] hardware devices do not introduce a cybersecurity vulnerability is paramount to the security of the entire system. Failure to address security can be a costly mistake, including the impact they may have on consumer confidence, personal privacy, and brand reputation. The existence and exploitation of hardware vulnerabilities can also increase time-to-market; reduce vendor trust; and lead to costly lawsuits, chip recalls, or even loss of life.”

In the article, the author explains the history of CWE, how it’s connected to the Common Vulnerabilities and Exposures (CVE®) program, the role of MITRE Corporation and the Homeland Security Systems Engineering and Development Institute (HSSEDI) FFRDC, why and how hardware weaknesses were added to the CWE List in February 2020, and the ways in which the inclusion of hardware weaknesses in CWE will impact hardware security moving forward. HSSEDI released CWE 4.0 in partnership with Cybersecurity and Infrastructure Security Agency (CISA), which sponsors both CVE and CWE.

The author concludes the article as follows: “[Cybersecurity] at the hardware level is a relatively new phenomenon … [however, with the availability of] … CWE version 4.0, design teams can now add and implement security specifications by leveraging the entire industry’s expertise across the United States government, scientific research, academia, commercial solutions companies, and other mediums. The standardization of common weaknesses also opens the door to automation around specification, design and verification of the weakness. In the future I expect to see fully integrated flows based on the list allowing all design teams to detect and prevent the ever-growing list of CWEs.”

CWE 4.0 Is Main Topic of Article on The State of Security

March 11, 2020 | Share this article

CWE 4.0 is the main topic of a March 11, 2020 article entitled “MITRE Releases an Update to The Common Weakness Enumeration (CWE)” on The State of Security blog.

The author begins the article by stating the value of CWE: “MITRE has been doing exceptional work in advancing cybersecurity as a public good, and it is an excellent resource for security professionals. Possibly best known for their ATT&CK Framework, a rich source of adversarial tactics and techniques and their mitigations, MITRE is also known for another resource: the Common Weakness Enumeration (CWE). The CWE is a community initiative sponsored by the Cybersecurity and Infrastructure Security Agency (CISA). The community contributing to this repository is quite broad and diverse. It includes large corporations, universities, individual researchers, and government agencies … CWE is useful for pro-actively managing risk. Since this list shines a spotlight on common weaknesses, it can be a valuable tool for a vulnerability management program and a useful check against potential points of compromise within an enterprise. The CWE allows a user to search the list by software and hardware weaknesses as well as several other useful groupings, allowing for detailed drill-down and analysis for risk analysts.”

In the article, the author explains how the release of CWE 4.0 added hardware weaknesses to the CWE List in February 2020, and that with this addition CWE now “offers a resource for developers, designers, security analysts, and researchers to find weaknesses and develop mitigations before those weaknesses are exploited. Unlike some resources that tend to have IT or InfoSec engineers as a primary audience, the CWE places developers, designers, and architects front-and-center in the process of defending the enterprise.”

CISA Announces CWE Version 4.0

February 26, 2020 | Share this article

Cybersecurity and Infrastructure Security Agency (CISA), the sponsor of CWE, issued the following news release on February 26, 2020 to announce CWE Version 4.0 to the community:

Read the release on the CISA website: https://www.us-cert.gov/ncas/current-activity/2020/02/26/new-cwe-list-common-security-weaknesses-0.

CWE Version 4.0 Now Available

February 24, 2020 | Share this article

CWE Version 4.0 has been posted on the CWE List page to add support for Hardware Design Weaknesses, among other updates. A detailed report is available that lists specific changes between Version 3.4.1 and Version 4.0.

Main Changes

CWE 4.0 includes two new views: (1) Hardware Design, which organizes weaknesses around concepts that are frequently used or encountered in hardware design; and (2) Software Development, which was created by combining content from the previous Architecture Concepts and Development Concepts views. The schema was updated from v6.1 to v6.2 (see Release of CWE 4.0 Includes Changes to CWE Schema for details).

In addition, a new “Filter View” (beta) was added for viewing CWE classification trees (in addition to expanding and collapsing), which allows you to specifically refine exactly which content you want to see when viewing a particular CWE. Filter View (beta) is currently available on the Software Development, Hardware Design, and Research Concepts views.

Summary

There are 839 weaknesses and a total of 1251 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.4.1_v4.0.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

Release of CWE 4.0 Includes Changes to CWE Schema

February 24, 2020 | Share this article

The release of CWE Version 4.0 includes minor changes to the CWE Schema, which was updated from v6.1 to v6.2.

The main changes for the CWE Schema Version 6.2 include:

• Several documentation changes to reflect CWE’s expansion into hardware related issues.
• Removal of the Paradigm element.
• Addition of the term “Pillar” to the AbstractionEnumeration. The term “Pillar” has actually been a part of CWE for a while and is defined in the glossary, but was not previously part of the schema. This will allow CWE to formalize its use, which you will notice in Version 4.0 at the top level of the Research Concepts view.
• Addition of “Verilog"” and “VHDL” to the LanguageNameEnumeration.
• Slight modification to some of the values within the StakeholderEnumeration along with the addition of “Hardware Designers”.
• Complete refactor of the TechnologyClassEnumeration and TechnologyNameEnumeration to reflect the addition of hardware related terms.

See a detailed list of schema changes at https://cwe.mitre.org/data/reports/diff_reports/xsd_v6.1_v6.2.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please contact us with any comments or concerns.

CWE for Hardware Continues to Gain Momentum

January 23, 2020 | Share this article

CWE is mentioned throughout a January 13, 2020 article entitled “A case for establishing a common weakness enumeration for hardware security” on Help Net Security.

In the article, the authors state: “As attacks [on modern computer systems] become more pervasive and sophisticated, they are often progressing past the software layer and “compromising hardware. [Today], implementing hardware-based security is widely recognized as a best practice. However, hardware-based security has its own set of challenges when not designed, implemented or verified properly … it’s evident that the industry needs a better and more in-depth understanding of the common hardware security vulnerabilities taxonomy, including information on how these vulnerabilities get introduced into products, how they can be exploited, their associated risks, as well as best practices to prevent and identify them early on in the product development lifecycle.”

CWE is first mentioned when the authors advocate adding hardware weaknesses to the CWE List: “With the growing awareness of hardware vulnerabilities, the CWE could be enhanced to include relevant entry points, common consequences, examples, countermeasures and detection methods from the specific hardware perspective. Furthermore, there are hardware-centric weaknesses that are related to the physical properties of hardware devices (e.g., temperature, voltage glitches, current, wear out, interference, and more) [that should also be included in CWE].”

CWE supports this request as we have been collaborating with the CWE community for some time to add hardware weaknesses to CWE (see “CWE List Expanding to Include Hardware Weaknesses”). In late February 2020, CWE Version 4.0 will be released to add hardware weakness to the CWE List, among other updates.

CWE Included in Hardware Assurance and Weakness Collaboration and Sharing Discussion

January 23, 2020 | Share this article

CWE and CAPEC are included in the Trusted and Assured MicroElectronics’ (TAME) “TAME Working Groups Report December 2019.” TAME provides “a bi-annual platform to researchers in academia, and practitioners in industry and government to discuss innovative solutions in the domain of trusted microelectronics in today’s globalized and complex supply chain, discuss grand challenges and identify collaboration opportunities.”

CWE and CAPEC, as well as CVE are included in “Chapter 1: Hardware Assurance and Weakness Collaboration and Sharing (HAWCS).” The report defines these efforts and explains the problem each solves, as well as how they are interrelated: “Specific vulnerabilities [on the Common Vulnerabilities and Exposures (CVE®) List] are concrete examples of items (hopefully) described in the catalog of Common Weakness Enumeration (CWE) items and attackable by the attack patterns captured in the Common Attack Pattern Enumeration and Classification (CAPEC) collection. By linking a public vulnerability in a specific product to the weakness and attack pattern collections, organizations can leverage those collections and the information in them in their assessment and investigation into newly discovered examples of vulnerabilities and also offer opportunities to examine their own code collections for the same type of vulnerability.”

The main focus of the chapter is how the lessons learned from CWE, CAPEC, CVE, and related efforts (e.g., NVD, CVSS, CWSS, etc.) can be applied to developing similar capabilities for hardware vulnerabilities and weaknesses. Towards that end, the CWE Program is helping to achieve these objectives for a hardware weakness taxonomy by adding hardware weaknesses to the CWE List with the release of CWE 4.0 in late February 2020.

Updates for CWE Version 4.0 Now Underway

January 10, 2020 | Share this article

The CWE Team is currently working towards the generation and publication of CWE Version 4.0, which will be released towards the end of February.

CWE Version 4.0 will include several major changes from previous versions, including restructuring content to combine the Architecture and Development views, and the addition of a new View focused on Hardware Design (read initial announcement).

Hardware Design Weaknesses to Be Included in CWE 4.0

For the past several months, the CWE Team has been working alongside community stakeholders to enumerate Hardware Design Weaknesses and incorporate them into the CWE List for CWE Version 4.0. This new view will assist hardware designers to better understand potential mistakes that can be made in specific areas of their IP design, as well as assist educators teach future professionals about the types of mistakes that are commonly made in hardware design.

As a preview, the new Hardware Design view high-level categories are expected to include:

• Manufacturing and Life Cycle Management Concerns
• Security Flow Issues
• Integration Issues
• Privilege Separation & Access Control Issues
• General Circuit & Logic Design Concerns
• Core and Compute Issues
• Memory and Storage Issues
• Interconnect Problems
• Peripherals and Interface/IO Problems
• Security Primitives and Cryptography Issues
• Power, Clock, and Reset Concerns
• Debug and Test Problems
• Cross-cutting Problems

Feedback and Content Submissions Welcome

As always, we encourage any feedback, especially if you have ideas for specific hardware weaknesses to include in these new categories. To share your suggestions, please use our new CWE Content Submission Form.

Thank you for your continued support of the CWE Project and we look forward to hearing from you.

“CWE Content Submission Form” Now Available

January 10, 2020 | Share this article

A CWE Content Submission Form for submitting proposed new weaknesses, modifications to existing weaknesses, etc. to the CWE Team for possible inclusion in future releases of the CWE List is now available on the CWE website. Guidelines for using the new submission form are also available.

The CWE Team recommends using the form in order to ensure all relevant information is included so that we may review and respond to your submission in a timely manner. Please contact us with any comments or concerns.