SQ14118
Detected Windows executable files that might not cover all statically linked libraries with buffer overrun vulnerability mitigation.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| | pass | medium | medium | None | hardening: warning Reason: ineffective mitigations found |
About the issue
Buffer overrun protection (Stack Guard) is a vulnerability mitigation option that prevents stack-based memory corruptions. This mitigation is detected as enabled, but its effectiveness is impacted by the use of outdated precompiled code. It was determined that the application had been linked against static libraries produced by multiple toolchain versions. Because some of them predate the general availability of the buffer overrun vulnerability mitigation, it is likely that protection coverage gaps exist.
How to resolve the issue
- Re-compile statically linked libraries with the same programming language toolchain version.
- In Microsoft Visual Studio, you can enable buffer overrun protection mitigation by setting the linker option /GS to ON.
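
One way to check a built binary for the mixed-toolchain condition described above is to read the Rich header that the Microsoft linker places between the DOS stub and the PE header, which records a product id, build number and object count for each tool that contributed objects. This is an added example, not ReversingLabs' detection logic; the function names are hypothetical and the sample image, with its product ids and build numbers, is constructed.

```python
import struct

def rich_entries(pe: bytes):
    """Decode the Rich header of a PE image into (product_id, build, object_count) tuples."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    region = pe[:e_lfanew]              # Rich data sits between DOS stub and PE header
    end = region.rfind(b"Rich")
    if end < 0 or end + 8 > len(region):
        return []                       # stripped, or not linked with the Microsoft linker
    key = struct.unpack_from("<I", region, end + 4)[0]
    marker = struct.unpack("<I", b"DanS")[0] ^ key
    start = end - 4
    while start >= 0 and struct.unpack_from("<I", region, start)[0] != marker:
        start -= 4                      # scan back to the XOR-masked "DanS" start marker
    if start < 0:
        return []
    entries = []
    for off in range(start + 16, end, 8):   # skip "DanS" + three padding dwords
        comp_id, count = (v ^ key for v in struct.unpack_from("<II", region, off))
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return entries

def toolchain_builds(entries):
    """Map each non-zero build number to the number of objects it produced."""
    builds = {}
    for _prod, build, count in entries:
        if build:                       # build 0 carries no compiler version information
            builds[build] = builds.get(build, 0) + count
    return builds

def make_sample(pairs, key=0x5A17C0DE):
    """Constructed test image: MZ header, Rich header for `pairs`, PE signature."""
    plain = [struct.unpack("<I", b"DanS")[0], 0, 0, 0]
    for prod, build, count in pairs:
        plain += [(prod << 16) | build, count]
    rich = b"".join(struct.pack("<I", v ^ key) for v in plain) + b"Rich" + struct.pack("<I", key)
    body = b"\x00" * 0x40 + rich        # 0x40 bytes standing in for the DOS stub
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40 + len(body))
    return header + body + b"PE\x00\x00"

if __name__ == "__main__":
    # Constructed values: product ids and build numbers below are illustrative only.
    sample = make_sample([(0x0105, 30133, 42), (0x0104, 30133, 7), (0x005D, 8168, 3), (0x0001, 0, 120)])
    builds = toolchain_builds(rich_entries(sample))
    print("builds ->", builds, "| mixed toolchains:", len(builds) > 1)
```

More than one build number is a prompt to find which static library brought the other objects in, not proof of a coverage gap, and the Rich header can be stripped or altered after linking.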
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total number of packages analyzed:
- RubyGems: 174K
- NuGet: 189K
- PyPI: 403K
- NPM: 2.1M
Recommended reading
- Security Technologies: Stack Smashing Protection (StackGuard) (External resource - Red Hat)
- Buffer Overflow Attack (External resource - Imperva)
- What is 'Memory Corruption' (External resource - The Economic Times)
- A journey across static and dynamic libraries (External resource - internalpointers)