One Article Review

Home - The article:
Source Cyble
Identifier 8648463
Publication date 2025-02-14 10:11:29 (viewed: 2025-02-14 11:07:55)
Title FBI, CISA Urge Memory-Safe Practices for Software Development
Text
In a strongly worded advisory, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have urged software developers to cease unsafe development practices that lead to “unforgivable” buffer overflow vulnerabilities.

“Despite the existence of well-documented, effective mitigations for buffer overflow vulnerabilities, many manufacturers continue to use unsafe software development practices that allow these vulnerabilities to persist,” the agencies said in the February 12 Secure By Design alert. “For these reasons, as well as the damage exploitation of these defects can cause, CISA, FBI, and others designate buffer overflow vulnerabilities as unforgivable defects.”

The agencies said threat actors leverage buffer overflow vulnerabilities to gain initial access to networks, making them a critical point for preventing attacks.

We'll look at the prevalence of buffer overflow vulnerabilities, some examples cited by CISA and the FBI, and guidance for secure development and the use of memory-safe programming languages.

Buffer Overflow Vulnerabilities: Prevalence and Examples

The FBI-CISA guidance specifically mentions the common software weakness CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), along with stack-based buffer overflows (CWE-121) and heap-based buffer overflows (CWE-122).

The phrase “buffer overflow” occurs in 67 of the 1270 vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog, or 5.28% of the KEV database. The words “buffer” and “overflow” occur in 84 of the KEV vulnerabilities (6.6%).
CISA and the FBI cited six examples of buffer overflow vulnerabilities in IT products:

- CVE-2025-21333, a Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege vulnerability
- CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3
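As an added illustration of the two weakness classes the advisory names, CWE-121 (stack-based) and CWE-122 (heap-based), here is the unsafe pattern for each beside a length-checked version that rejects input that does not fit. This is example code written for this review, not code from the Cyble article or the CISA/FBI advisory; NAME_MAX and the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16   /* hypothetical fixed-size field, as in many C codebases */

/* CWE-121 pattern (stack-based): strcpy trusts the caller's length and writes
   past the 16-byte stack buffer when the name is longer. Shown for contrast
   only; the checked version below is the one to use. */
int copy_name_unsafe(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);                 /* no bound: overflow if strlen(name) >= 16 */
    return (int)strlen(buf);
}

/* Hardened stack version: measure first, reject what does not fit (leaving
   room for the terminating NUL), and only then copy. Returns -1 on reject. */
int copy_name_checked(const char *name) {
    char buf[NAME_MAX];
    size_t n = strlen(name);
    if (n >= sizeof buf) return -1;
    memcpy(buf, name, n + 1);
    return (int)n;
}

/* CWE-122 pattern (heap-based): the allocation is sized from a length field
   in the message header, while the copy uses the real payload length. */
char *frame_copy_unsafe(const unsigned char *payload, size_t payload_len,
                        size_t declared_len) {
    char *out = malloc(declared_len + 1);
    if (!out) return NULL;
    memcpy(out, payload, payload_len); /* overflows if payload_len > declared_len */
    out[payload_len] = '\0';
    return out;
}

/* Hardened heap version: validate the header's length against the bytes
   actually received, then size the allocation and the copy from that one
   validated value. Returns NULL when the header claims more than is present. */
char *frame_copy_checked(const unsigned char *payload, size_t payload_len,
                         size_t declared_len) {
    if (declared_len > payload_len) return NULL;
    char *out = malloc(declared_len + 1);
    if (!out) return NULL;
    memcpy(out, payload, declared_len);
    out[declared_len] = '\0';
    return out;
}
```

The checked functions are the ones to exercise; the unsafe ones are kept only so the defect in each class can be compared line by line with its fix.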
Rating ★★★★
Sent Yes
Tags Vulnerability Threat


The article does not seem to have been picked up after its publication.

The article does not seem to have been picked up in an earlier one.