
The mobile application must not be vulnerable to command injection.


Overview

Finding ID: V-35666
Version: SRG-APP-000251-MAPP-00055
Rule ID: SV-46953r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Format string vulnerabilities usually occur when unvalidated input is written directly into the format string used to format data in the printf-style family of C/C++ functions. If an attacker can manipulate a format string, this may result in a buffer overflow causing a denial of service for the application. Format string vulnerabilities may lead to information disclosure vulnerabilities. Format string vulnerabilities may be used to execute arbitrary code. If the application code does not contain format string vulnerabilities, then the risk of buffer overflows and other software exploits is significantly mitigated. Please refer to CWEs: 20, 74, 78, 88, 119, 120, 125, 129, 131, 134, 135, 170, 176, 193, 195, 242, 249, 251, 415, 560, 686, 733, 787, and 805 for further information. Additional information on CWEs is found in the MAPP SRG Overview.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-44009r1_chk)
If the mobile application runs on a mobile operating system that does not support command shells, the application is compliant. Otherwise, perform a documentation review and assess whether the application was tested for command injection vulnerabilities and whether results from a static program analysis or a vulnerability scanning tool are included. If the documentation review is unavailable or inconclusive, perform a dynamic program analysis by injecting commands through an input and assess the results. If the documentation review reveals that no test results are available for command injection vulnerabilities, or if the dynamic program analysis reveals that the code does not detect and reject injected commands, this is a finding. Examples of format string vulnerabilities can be seen on the OWASP website: https://www.owasp.org
Fix Text (F-40209r1_fix)
Modify the code to remove command injection attack vulnerabilities.
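As an added illustration of the pattern the Check Text and Fix Text refer to (example code written for this page, not part of the STIG): a vulnerable command builder that pastes untrusted input into a shell command line, beside a hardened version that validates the input against a strict allowlist first, plus a small probe loop of the kind a dynamic analysis would run. C is used because the Description discusses the C/C++ printf family; all function names and the probe inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ARG_LEN 64

/* Hypothetical allowlist validator (not from the STIG). Accepts only
 * [A-Za-z0-9._-]; anything a shell could interpret (; | & ` $ ( ) < > quotes,
 * whitespace) is rejected rather than escaped. Returns 1 if safe, else 0. */
int is_safe_argument(const char *s) {
    size_t i;
    if (s == NULL || s[0] == '\0' || s[0] == '-' || strlen(s) > MAX_ARG_LEN) return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Vulnerable pattern the Check Text looks for: untrusted input is pasted
 * straight into a command line destined for a shell. Returns bytes written. */
int build_command_vulnerable(char *out, size_t n, const char *filename) {
    return snprintf(out, n, "cat %s", filename);
}

/* Hardened pattern: validate first and refuse to build the command on failure.
 * Returns -1 when the input is rejected. */
int build_command_hardened(char *out, size_t n, const char *filename) {
    if (!is_safe_argument(filename)) return -1;
    return snprintf(out, n, "cat %s", filename);
}

/* Minimal dynamic check in the spirit of the Check Text: run constructed probe
 * inputs through the hardened builder and count how many are rejected. */
int count_rejected_probes(void) {
    const char *probes[] = {
        "report.txt",           /* benign: accepted */
        "report.txt; echo hi",  /* constructed probe: command separator */
        "report.txt | echo hi", /* constructed probe: pipe */
        "$(echo hi)",           /* constructed probe: command substitution */
        "-v"                    /* constructed probe: option injection */
    };
    char buf[128];
    int rejected = 0;
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (build_command_hardened(buf, sizeof buf, probes[i]) < 0) rejected++;
    return rejected; /* 4 of the 5 probes are rejected */
}
```

Where the platform allows it, the stronger fix is to avoid the shell entirely and pass arguments as a vector to an exec-style API; the allowlist then remains as defence in depth.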