SQ14124
Detected Windows executable files that might not cover all statically linked libraries with CFG vulnerability mitigation protection.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | medium | None | hardening: warning Reason: hardening effectiveness issues |
About the issueโ
Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation is detected as enabled, but its effectiveness is impacted by the use of outdated precompiled code. It was determined that the application had been linked against static libraries produced by multiple toolchain versions. Because some of them predate the general availability of the control flow guard vulnerability mitigation, it is likely that protection coverage gaps exist.
How to resolve the issueโ
- Recompile statically linked libraries with the same programming language toolchain version.
- In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Control-flow integrity (External resource - MaskRay)
- Control Flow Guard for platform security (External resource - Microsoft)
- A journey across static and dynamic libraries (External resource - internalpointers)