Check: SRG-APP-000251-MAPP-00054
Mobile Application SRG:
SRG-APP-000251-MAPP-00054
(in version v1 r1)
Title
The mobile application must not contain format string vulnerabilities. (Cat II impact)
Discussion
Format string vulnerabilities usually occur when unvalidated input is written directly into the format string used to format data in the printf-style family of C/C++ functions. If an attacker can manipulate a format string, this may result in a buffer overflow causing a denial of service for the application. Format string vulnerabilities may lead to information disclosure vulnerabilities. Format string vulnerabilities may be used to execute arbitrary code. If the application code does not contain format string vulnerabilities, then the risk of buffer overflows and other software exploits is significantly mitigated. Please refer to CWEs: 20, 74, 78, 88, 119, 120, 125, 129, 131, 134, 135, 170, 176, 193, 195, 242, 249, 251, 415, 560, 686, 733, 787, and 805 for further information. Additional information on CWEs is found in the MAPP SRG Overview.
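The defect described above, as an added example that is not part of the SRG text: an attacker-controlled string passed as the format argument, beside the corrected call where the format is a literal and the untrusted text is only data. The function names (log_unsafe, log_safe, format_into, count_directives) and the probe string are assumptions constructed for this illustration. GCC and Clang flag the unsafe call with -Wformat -Wformat-security, which is the cheapest static check a reviewer can ask for.

```c
/* Added example (not part of the SRG): a format string vulnerability
 * beside its fix. Function names are assumptions for this illustration. */
#include <stdio.h>
#include <string.h>

/* BEFORE: untrusted text is used as the format string.
 * "%x" reads stack contents, "%s" dereferences stack values, "%n" writes
 * to memory. Compile with -Wformat -Wformat-security to have the
 * compiler report this call. */
void log_unsafe(const char *untrusted)
{
    printf(untrusted);          /* format string vulnerability */
    putchar('\n');
}

/* AFTER: the format string is a literal; untrusted text is only data. */
void log_safe(const char *untrusted)
{
    printf("%s\n", untrusted);
}

/* Same pattern when building a string in a buffer: a fixed format and a
 * bounded write. Returns the number of characters written, or -1 if the
 * result did not fit (snprintf truncates rather than overflowing). */
int format_into(char *dst, size_t dstlen, const char *untrusted)
{
    int n = snprintf(dst, dstlen, "user input: %s", untrusted);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return n;
}

/* Helper for a test or a log-monitoring check: counts '%' conversion
 * directives in text that is about to be treated as data. With the safe
 * calls above the count cannot cause harm, but a non-zero count in a
 * field that should hold plain text is a useful detection signal. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }  /* "%%" is a literal % */
            count++;
        }
    }
    return count;
}

int main(void)
{
    const char *probe = "%x %x %x %n";   /* constructed sample input */
    char buf[64];

    log_safe(probe);                      /* prints the probe verbatim */
    if (format_into(buf, sizeof buf, probe) >= 0)
        printf("%s (directives seen: %d)\n", buf, count_directives(probe));
    return 0;
}
```

The test for this check is that the untrusted text comes out character for character unchanged: with the literal format, "%x %x %n" is printed as those eight characters, not interpreted.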
Check Content
Review the application documentation for static program analysis or scan results covering the entire application. These can be provided as results from an automated static program analysis or vulnerability scanning tool. If the documentation review is inconclusive or testing results are not available, perform a static program analysis to assess whether the code manages the vulnerabilities associated with input string formatting. If the documentation review and/or static program analysis reveal that the application does not validate input string formats, this is a finding. Examples of format string vulnerabilities can be seen on the OWASP website: https://www.owasp.org
Fix Text
Remove format string vulnerabilities from the code.
Additional Identifiers
Rule ID: SV-46952r1_rule
Vulnerability ID: V-35665
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-001310 | The information system checks the validity of organization-defined inputs.
Controls
Number | Title
---|---
SI-10 | Information Input Validation