FBI, CISA Urge Memory-Safe Practices for Software Development 

FBI, CISA Urge Memory-Safe Practices for Software Development 

/in

Software Development 

In a strongly worded advisory, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have urged software developers to cease unsafe development practices that lead to “unforgivable” buffer overflow vulnerabilities. 

“Despite the existence of well-documented, effective mitigations for buffer overflow vulnerabilities, many manufacturers continue to use unsafe software development practices that allow these vulnerabilities to persist,” the agencies said in the February 12 Secure By Design alert. “For these reasons—as well as the damage exploitation of these defects can cause—CISA, FBI, and others designate buffer overflow vulnerabilities as unforgivable defects.” 

The agencies said threat actors leverage buffer overflow vulnerabilities to gain initial access to networks, thus making them a critical point for preventing attacks. 

We’ll look at the prevalence of buffer overflow vulnerabilities, some examples cited by CISA and the FBI, and guidance for secure development and use of memory-safe programming languages. 

Buffer Overflow Vulnerabilities: Prevalence and Examples 

The FBI-CISA guidance specifically mentions the common software weaknesses CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), along with stack-based buffer overflows (CWE-121) and heap-based buffer overflows (CWE-122). 

The phrase “buffer overflow” occurs in 67 of the 1270 vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, or 5.28% of the KEV database. The words “buffer” and “overflow” occur in 84 of the KEV vulnerabilities (6.6%). 

CISA and the FBI cited six examples of buffer overflow vulnerabilities in IT products: 

  • CVE-2025-21333, a Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege vulnerability 

  • CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 

  • CVE-2024-49138, a Windows Common Log File System Driver Elevation of Privilege vulnerability 

  • CVE-2024-38812, a VMware vCenter Server heap-overflow vulnerability 

  • CVE-2023-6549, an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Citrix Systems’ NetScaler ADC and NetScaler Gateway 

  • CVE-2022-0185, a heap-based buffer overflow flaw in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length (the CWE in this case was CWE-190, Integer Overflow or Wraparound). 

“These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution,” the agency guidance said. “Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network.” 

They added that “the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities—especially the use of memory-unsafe programming languages—poses unacceptable risk to our national and economic security.” 

Memory-Safe Software Development 

The agencies urged manufacturers “to take immediate action to prevent these vulnerabilities from being introduced into their products. … Software manufacturer senior executives and business leaders should ask their product and development teams to document past buffer overflow vulnerabilities and how they are working to eliminate this class of defect.” 

Customers should hold manufacturers accountable by requesting a Software Bill of Materials (SBOM) and a secure software development attestation, the FBI and CISA said. 

For development teams, the agencies recommended the following secure by design practices to prevent buffer overflow vulnerabilities: 

  • Memory-safe languages should be used whenever possible “to shift the burden of memory management from the developer to the programming language’s built-in safety features.” They added that developers should never disable or override memory safety guarantees in languages when it’s possible to do so, and that using a memory-safe language in one part of a software package will not fix memory-unsafe code in other libraries. 

  • A phased transition plan for implementing memory-safe languages should be used for upgrading existing codebases while using technologies to limit memory vulnerabilities in existing code. “Ideally, this plan should include using memory-safe languages to develop new code and—over time and when feasible—transition their software’s most highly privileged/exposed code to memory-safe languages,” the agencies said. 

  • Enable compiler flags that implement compile time and runtime protections against buffer overflows to the extent that application performance allows, and “implement canaries that alert if an overflow occurs.” 

  • Conduct unit tests with an instrumented toolchain such as AddressSanitizer and MemorySanitizer that checks source code for buffer overflows and other memory safety issues. 

  • Perform adversarial product testing that includes static analysis, fuzzing, and manual reviews to ensure code safety and quality throughout the development lifecycle. 

  • Publish amemory-safety roadmap that outlines plans to develop new products with memory-safe languages and to migrate older ones based on risk. 

  • Conduct root cause analysis of past vulnerabilities, including buffer overflows,to identify patterns. “Where possible, take actions to eliminate entire classes of vulnerabilities across products, rather than the superficial causes,” the agencies said. 

The alert said eliminating buffer overflow vulnerabilities “can help reduce the prevalence of other memory safety issues, such as format string, off-by-one, and use-after-free vulnerabilities.” 

Conclusion 

As an initial entry point for attackers into a network, the importance of buffer overflow vulnerability prevention can’t be overstated. Development teams would be wise to implement CISA and the FBI’s advice to the maximum extent possible. 

Customers also have a role to play by demanding memory-safe documentation from suppliers. But they also shouldn’t neglect basic cybersecurity practices for the eventual vulnerabilities that will slip past even the most vigilant development teams. Zero trust, risk-based vulnerability management, segmentation, tamper-proof backups and network and endpoint monitoring are all critically important practices for limiting the damage from any cyberattacks that do occur. 

The post FBI, CISA Urge Memory-Safe Practices for Software Development  appeared first on Cyble.

Blog – Cyble – ​Read More