Check: SRG-APP-999999-MAPP-00068
Mobile Application SRG: SRG-APP-999999-MAPP-00068 (in version v1 r1)
Title
The mobile application must not be vulnerable to integer arithmetic vulnerabilities. (Cat II impact)
Discussion
Integer overflows occur when an integer is used in memory allocation, copying, or concatenation without being properly checked. An integer incremented past its maximum possible value can also wrap to a very small or negative number. Integer overflows can lead to infinite looping when loop index variables are compromised, causing a denial of service. If the integer is used in data references, the data can become corrupt. Using the integer in memory allocation can cause buffer overflows and a denial of service. Integers used in access control mechanisms can potentially trigger buffer overflows, which can be used to execute arbitrary code. Removing integer arithmetic vulnerabilities mitigates the risk of multiple vulnerabilities, including denial of service to the application and the execution of arbitrary code. Refer to CWEs 125, 126, 190, 195, 197, 398, 787, and 805 for further information. The MAPP SRG Overview contains additional information on the use of CWEs.
Check Content
If an application does not take any numeric inputs, this IA control is not applicable.

Perform a static program analysis and assess the application for code that prevents integer overflow through a number of tests to include the following:
- Input negative values for numeric input.
- Input border case values (i.e., 0, 7, 8, 254, 255, 16353, and 16354).
- Input extremely large string values (> 64k).
- Input strings whose lengths equal border cases (32k, 32k-1, 64k, 64k-1).

If any of the above tests produce an integer overflow condition, this is a finding. See https://www.owasp.org for additional details.
Fix Text
Modify code to reflect the following measures that will remove integer arithmetic vulnerabilities from the application code:
- Use unsigned values whenever possible.
- Use only unsigned integers in memory allocation.
- Use only unsigned array indexing functions.
- Validate user input of numeric value, allowing only known good data to pass.
- Compile with the highest warning level possible.
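The Fix Text measures (unsigned sizes, validated numeric input) applied to the border cases listed under Check Content, as an added C example that is not part of the SRG. The function names and the 16354 upper bound passed to `parse_count` are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Before: a length narrowed to 16 bits wraps, so 64k becomes 0 (CWE-197). */
uint16_t narrow_unchecked(size_t len) { return (uint16_t)len; }

/* After: refuse any length that does not fit the 16-bit field. */
int narrow_checked(size_t len, uint16_t *out)
{
    if (len > UINT16_MAX)
        return -1;
    *out = (uint16_t)len;
    return 0;
}

/* Validate numeric input: digits only, no sign, whole string, 0..max. */
int parse_count(const char *s, size_t max, size_t *out)
{
    char *end;
    unsigned long long v;
    if (s == NULL || s[0] < '0' || s[0] > '9')  /* rejects "", "-1", "+5", " 7" */
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Unsigned size arithmetic with an explicit wrap check before malloc (CWE-190). */
void *alloc_records(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0 || count > SIZE_MAX / elem_size)
        return NULL;
    return malloc(count * elem_size);
}

int main(void)
{
    /* Constructed sample inputs covering negative, border and oversized values. */
    const char *inputs[] = { "-1", "0", "255", "16354", "65536", "99999999999999999999" };
    size_t n, i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s -> %s\n", inputs[i],
               parse_count(inputs[i], 16354, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Building with `-Wall -Wextra -Wconversion` on GCC or Clang flags implicit narrowing and sign conversions of the kind `narrow_unchecked` performs with an explicit cast.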
Additional Identifiers
Rule ID: SV-47037r1_rule
Vulnerability ID: V-35750
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |