Check: SRG-APP-999999-MAPP-00069
Mobile Application SRG:
SRG-APP-999999-MAPP-00069
(in version v1 r1)
Title
The mobile application must not call functions vulnerable to buffer overflows. (Cat II impact)
Discussion
Buffer overflow attacks occur when improperly validated input is passed to an application and overwrites memory. Buffer overflow errors stop execution of the application, causing at minimum a denial of service and possibly a system call to a command shell, giving an attacker access to the underlying operating system. An application that avoids buffer overflow situations assures DoD greater availability of the application due to better security against DoS attacks. Please refer to CWEs: 20, 74, 78, 88, 117, 119, 120, 125, 129, 131, 134, 135, 170, 170, 176, 193, 195, 242, 249, 250, 251, 265, 415, 560, 686, 733, 787, and 805 for further information. The MAPP SRG Overview contains additional information on the use of CWEs.
Check Content
Perform a static program analysis to assess how the application is written to properly manage buffer overflows. The static program analysis should evaluate measures that are in place that size buffers as appropriate for the operation of the application. Also, the analysis should seek the following areas of vulnerability:
- Cases where input is not checked before being copied into a buffer.
- Incorrect use of some of the functions listed in Appendix B of the Application Security and Development STIG.
- Incorrect calculations to determine buffer sizes.
- Incorrect calculations to determine array indexes.
Furthermore, for IPv6 capable applications, existing libraries must be checked to ensure they are capable of processing the increased size of IPv6 addresses to avoid buffer overflows. See section 5.4 of the Application Security and Development STIG for additional details.
Fix Text
Modify code to remove identified or likely sources of buffer overflow vulnerabilities to include the following:
- Use static analysis tools that are known to find this class of vulnerability with few false positives.
- Validate all input before use, allowing only known-good input through.
- Recheck all calculations to ensure buffer sizes are calculated correctly.
- Recheck all array access and flow control calculations.
- Use compile-time options that add compiler buffer overrun defenses.
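The input-length, buffer-size and IPv6 address-length checks named above, shown in C as an added example; it is not part of the SRG or the Application Security and Development STIG. The helper names copy_checked, buffer_bytes and addr_to_text and the sample address are constructed for illustration.

```c
/* Added example: constructed helpers, not code from the SRG or the STIG. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Input check before copy: reject anything that does not fit with its
 * terminator instead of truncating or overflowing. 0 = ok, -1 = rejected. */
int copy_checked(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || src_len >= dst_size)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Buffer size calculation: detect count * elem_size wrapping around. */
int buffer_bytes(size_t count, size_t elem_size, size_t *out)
{
    if (out == NULL || elem_size == 0 || count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* IPv4/IPv6 address to text. inet_ntop() is told the buffer size and fails
 * rather than writing past it, so a 16-byte IPv4-sized buffer is rejected
 * for an IPv6 address that needs up to INET6_ADDRSTRLEN (46) bytes. */
int addr_to_text(int family, const void *addr, char *dst, socklen_t dst_size)
{
    if (addr == NULL || dst == NULL || (family != AF_INET && family != AF_INET6))
        return -1;
    return inet_ntop(family, addr, dst, dst_size) != NULL ? 0 : -1;
}

int main(void)
{
    struct in6_addr a6;                     /* constructed sample address */
    char small[INET_ADDRSTRLEN], big[INET6_ADDRSTRLEN];

    inet_pton(AF_INET6, "2001:db8:aaaa:bbbb:cccc:dddd:eeee:ffff", &a6);
    printf("IPv4-sized buffer: %d\n", addr_to_text(AF_INET6, &a6, small, sizeof small));
    printf("IPv6-sized buffer: %d\n", addr_to_text(AF_INET6, &a6, big, sizeof big));
    return 0;
}
```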
Additional Identifiers
Rule ID: SV-47038r1_rule
Vulnerability ID: V-35751
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |