The designer will ensure the application does not contain format string vulnerabilities.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16809 | APP3560 | SV-17809r1_rule | DCSQ-1 | High |
| Description |
|---|
| Format string vulnerabilities usually occur when unvalidated input is entered and is directly written into the format string used to format data in the print style family of C/C++ functions. If an attacker can manipulate a format string, this may result in a buffer overflow causing a denial of service for the application. Format string vulnerabilities may lead to information disclosure vulnerabilities. Format string vulnerabilities may be used to execute arbitrary code. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
Details
| Check Text ( C-17807r1_chk ) |
|---|
| Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how format string vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify format string vulnerabilities, it is a finding. Examples of format string vulnerabilities can be obtained from the OWASP website. |
| Fix Text (F-17100r1_fix) |
|---|
| Modify the application to protect against format string attacks. |