
The mobile application must not contain format string vulnerabilities.


Overview

Finding ID: V-35665
Version: SRG-APP-000251-MAPP-00054
Rule ID: SV-46952r1_rule
IA Controls:
Severity: Medium
Description
Format string vulnerabilities usually occur when unvalidated input is taken directly as the format string used to format data in the printf-style family of C/C++ functions. If an attacker can manipulate a format string, this may result in a buffer overflow causing a denial of service for the application. Format string vulnerabilities may lead to information disclosure vulnerabilities. Format string vulnerabilities may be used to execute arbitrary code. If the application code does not contain format string vulnerabilities, then the risk of buffer overflows and other software exploits is significantly mitigated. Please refer to CWEs: 20, 74, 78, 88, 119, 120, 125, 129, 131, 134, 135, 170, 176, 193, 195, 242, 249, 251, 415, 560, 686, 733, 787, and 805 for further information. Additional information on CWEs is found in the MAPP SRG Overview.
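Added illustration (not part of the STIG text): the vulnerable pattern is shown only as a comment; the runnable code is the hardened form, a wrapper carrying the GCC/Clang format attribute so static checking (-Wformat -Wformat-security) flags non-literal formats, and a small review helper. All function names and the sample input are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The defect this requirement targets, shown but never compiled in:
 *
 *     void log_message_bad(const char *user_input) {
 *         printf(user_input);   // untrusted data used AS the format string
 *     }
 *
 * Every '%' directive in user_input is then interpreted by printf.
 * The fix below keeps the format a compile-time literal and passes the
 * untrusted data as an argument to %s. */

/* Thin vsnprintf wrapper. The format attribute lets the compiler check
 * callers: passing a non-literal format here triggers -Wformat-security.
 * Returns 0 on success, 1 if the output was truncated, -1 on error. */
__attribute__((format(printf, 3, 4)))
static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    return (size_t)n >= outsz ? 1 : 0;
}

/* Hardened form: literal format, untrusted input travels through %s. */
int log_user_message(char *out, size_t outsz, const char *user_input)
{
    return log_fmt(out, outsz, "user said: %s", user_input);
}

/* Review/test aid: does an untrusted string contain a conversion directive?
 * Used in unit tests to confirm such input is echoed literally, not parsed. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        return 1;                            /* "%x", "%n", trailing "%" ... */
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *input = "%x %x %n";          /* constructed test input */
    log_user_message(buf, sizeof buf, input);
    printf("%s\n", buf);                     /* directives appear literally */
    /* log_fmt(buf, sizeof buf, input);  <- non-literal format: compiler warns */
    return 0;
}
```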
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-44007r1_chk)
Review the application documentation for static program analysis or scan results covering the entire application. These can be provided as results from an automated static program analysis or vulnerability scanning tool. If the documentation review is inconclusive or testing results are not available, perform a static program analysis to assess whether the code handles the vulnerabilities associated with input string formatting. If the documentation review and/or static program analysis reveal that the application does not validate input string formats, this is a finding. Examples of format string vulnerabilities can be seen on the OWASP website: https://www.owasp.org
Fix Text (F-40207r1_fix)
Remove format string vulnerabilities from the code.