
The designer will ensure the application does not have buffer overflows, does not use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.


Overview

Finding ID: V-6165
Version: APP3590
Rule ID: SV-6165r2_rule
IA Controls: DCSQ-1
Severity: High
Description
Buffer overflow attacks occur when improperly validated input is passed to an application and overwrites memory beyond the buffer it was meant to fill. At a minimum, a buffer overflow usually stops execution of the application, causing a denial of service; when the attacker controls the overwritten data, it can redirect execution, for example into a system call that launches a command shell, giving the attacker access to the underlying operating system.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-3049r3_chk)
Ask the application representative for code review or scan results from the entire application. This can be provided as results from an automated code review or a vulnerability scanning tool. See section 5.4 of the Application Security and Development STIG for additional details on code review and tools.

If the results are provided from a manual code review, the results will need to describe how buffer overflow vulnerabilities and functions vulnerable to buffer overflows are identified during code reviews.

1) If scan results are provided and buffer overflow vulnerabilities have been identified in the report, this is a finding.

2) If scan results are provided but do not include the scan configuration settings which show that the application was tested for buffer overflows, this is a finding.

3) If manual test results are provided and the report does not confirm the lack of buffer overflows and also describe how buffer overflows and functions vulnerable to buffer overflows are identified during the code review, this is a finding.


*Note: For IPv6-capable applications, check existing libraries to ensure they are capable of processing the increased size of IPv6 addresses (16 bytes in binary form and up to 45 characters as text, versus 4 bytes and 15 characters for IPv4) to avoid buffer overflows.
Fix Text (F-17110r1_fix)
Modify the application to protect against buffer overflow vulnerabilities.
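The C program below is an added example written for this page; it is not part of the STIG and not DoD-provided code. It shows the three patterns the rule names side by side: a copy through strcpy, which has no bound on the destination; a bounds-checked replacement that rejects input that does not fit; and a signed count used for allocation, where a negative or wrapped value yields a block smaller than the code assumes. It also sizes an address buffer for the IPv6 note in the check text. The function names, the peer struct and the sample addresses are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern the rule prohibits: strcpy has no notion of the
 * destination's size, so any src longer than dst - 1 writes past it.
 * Kept only for contrast; it is never called on untrusted input here. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened replacement: the caller passes the destination capacity.
 * Input that does not fit together with its terminating NUL is rejected
 * rather than silently truncated, and nothing is written in that case.
 * Returns 0 on success, -1 on rejection. */
int copy_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dstlen == 0)
        return -1;
    /* Measure src, but never look further than dstlen bytes into it. */
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n == dstlen)          /* src is dstlen chars or longer: no room for NUL */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Signed-size allocation, the rule's third clause.  A negative int count
 * converts to a huge size_t, and count * elem_size can wrap to a small
 * value; either way the block is not the size the later code assumes.
 * Returns NULL instead of allocating when the request is invalid. */
void *alloc_array_checked(int count, size_t elem_size)
{
    size_t n;

    if (count < 0 || elem_size == 0)
        return NULL;
    n = (size_t)count;
    if (n > SIZE_MAX / elem_size)     /* n * elem_size would overflow size_t */
        return NULL;
    return malloc(n * elem_size);
}

/* IPv6 note: the longest textual IPv6 address,
 * "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255", is 45 characters,
 * so the buffer needs 46 bytes (the value of POSIX INET6_ADDRSTRLEN).
 * An IPv4-era buffer of 16 bytes ("255.255.255.255" plus NUL) is too small. */
#define IPV4_ADDR_BUF 16
#define IPV6_ADDR_BUF 46

struct peer {                   /* hypothetical record holding a peer address */
    char addr[IPV6_ADDR_BUF];   /* sized for the larger address family */
};

/* Stores a textual address in the peer record, rejecting oversize input. */
int peer_set_address(struct peer *p, const char *addr)
{
    return copy_checked(p->addr, sizeof p->addr, addr);
}

int main(void)
{
    char legacy[IPV4_ADDR_BUF];                          /* sized for IPv4 only */
    const char *v6 = "2001:db8::ffff:ffff:ffff:ffff";    /* constructed sample */
    struct peer p;
    int *ints;

    printf("IPv4 literal into 16-byte buffer: %d\n",
           copy_checked(legacy, sizeof legacy, "192.0.2.1"));   /* 0 */
    printf("IPv6 literal into 16-byte buffer: %d\n",
           copy_checked(legacy, sizeof legacy, v6));            /* -1 */
    printf("IPv6 literal into peer record:    %d\n",
           peer_set_address(&p, v6));                           /* 0 */

    ints = alloc_array_checked(-1, sizeof *ints);
    printf("negative count allocation:        %s\n", ints ? "allocated" : "rejected");
    ints = alloc_array_checked(4, sizeof *ints);
    printf("count 4 allocation:               %s\n", ints ? "allocated" : "rejected");
    free(ints);
    return 0;
}
```

The checked copy rejects rather than truncates because a silently shortened address or path is itself a source of bugs; callers that can tolerate truncation should use a library routine that reports it. A static analyzer or compiler warning set that flags strcpy, gets, sprintf and signed-to-size_t conversions is the practical way to produce the scan evidence the check text asks for.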