02-13-2025, 10:35 PM
News CISA, FBI call software with buffer overflow issues ‘unforgivable’
<div id="remove_no_follow">
<div class="grid grid--cols-10@md grid--cols-8@lg article-column">
<div class="col-12 col-10@md col-6@lg col-start-3@lg">
<div class="article-column__content">
<p>The FBI and CISA have issued a joint advisory warning software developers against shipping code with buffer overflow vulnerabilities, calling them “unforgivable” mistakes.</p>
<p>Framing the advisory as part of their ongoing “<a href="https://www.csoonline.com/article/3599118/oktas-secure-by-design-pledge-suffers-a-buggy-setback.html">Secure by Design</a>” efforts, the agencies said these vulnerabilities remain prevalent in software from vendors including Microsoft, VMware, and Ivanti, and can lead to full system compromise.</p>
<p>“CISA and FBI maintain that the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities — especially the use of memory-unsafe programming languages — poses unacceptable risk to our national and economic security,” the authorities said.</p>
<p>A buffer overflow defect is a memory safety vulnerability that stems from a program reading or writing memory beyond allocated boundaries as a result of failing to initialize memory properly.</p>
<h2 class="wp-block-heading"><a></a>Buffer Overflow bugs are unforgivable</h2>
<p>“The CISA and FBI recognize that memory safety vulnerabilities encompass a wide range of issues — many of which require significant time and effort to properly resolve,” the <a href="https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-buffer-overflow-vulnerabilities">advisory</a> added. “While all types of memory safety vulnerabilities can be prevented by using memory safe languages during development, other mitigations may only address certain types of memory safety vulnerabilities.”</p>
<p>The advisory pointed out that buffer overflow flaws are well-understood vulnerabilities and are easily avoidable by using memory-safe languages. It also listed additional techniques to help fix these issues.</p>
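<p>The defect the advisory describes, and the kind of bounds check that prevents it, side by side. This is an added example written for this post, not code from the advisory or from any of the vendors named; the record format, buffer size and sample inputs are constructed for illustration. The unchecked copy shows the classic pattern that writes past a fixed buffer when the input is longer than expected; the checked version validates an attacker-controlled length field against both the bytes actually present and the destination capacity, and rejects oversized input instead of silently truncating it.</p>

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define NAME_MAX 16   /* constructed: fixed capacity of the destination buffer */

/* Defective pattern: copies 'src' into 'dst' without checking that it fits.
   Any input longer than NAME_MAX-1 bytes writes past the end of 'dst'
   (a stack or heap overflow, depending on where 'dst' lives).
   Kept only to show the defect; never called with untrusted input here. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);   /* no bound on how many bytes land in dst */
}

/* Hardened form: the caller states the destination capacity, the function
   refuses input that would not fit (including the terminating NUL), and
   always leaves 'dst' NUL-terminated. Returns 0 on success, -1 if rejected. */
int copy_name_checked(char *dst, size_t dst_cap, const char *src, size_t src_len) {
    if (dst == NULL || src == NULL || dst_cap == 0) return -1;
    if (src_len >= dst_cap) {      /* would overflow: reject rather than truncate */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Parses a constructed length-prefixed record (1-byte length, then payload),
   the shape many network protocols use, and copies the payload into a fixed
   buffer. The length byte is under the sender's control, so it is validated
   against the bytes actually received and against the destination capacity.
   Returns 0 if the record was accepted, -1 if it is malformed or too large. */
int parse_record(const uint8_t *buf, size_t buf_len, char *out, size_t out_cap) {
    if (buf == NULL || buf_len < 1) return -1;
    size_t declared = buf[0];
    if (declared > buf_len - 1) return -1;   /* length claims more bytes than present */
    return copy_name_checked(out, out_cap, (const char *)buf + 1, declared);
}

int main(void) {
    char name[NAME_MAX];
    /* Constructed sample records, not taken from the advisory. */
    const uint8_t ok_rec[]  = {5, 'a', 'l', 'i', 'c', 'e'};
    const uint8_t big_rec[] = {20, 'A','A','A','A','A','A','A','A','A','A',
                                   'A','A','A','A','A','A','A','A','A','A'};
    const uint8_t lie_rec[] = {9, 'b', 'o', 'b'};   /* length field exceeds payload */

    printf("fits:        %d (%s)\n", parse_record(ok_rec,  sizeof ok_rec,  name, sizeof name), name);
    printf("too long:    %d\n",      parse_record(big_rec, sizeof big_rec, name, sizeof name));
    printf("lying length:%d\n",      parse_record(lie_rec, sizeof lie_rec, name, sizeof name));
    return 0;
}
```

<p>The two checks in <code>parse_record</code> address different failure modes: the first stops an over-read of the input buffer when the length byte lies about how much data follows, the second stops an over-write of the destination when the payload is genuinely too long. Rejecting rather than truncating is deliberate; silent truncation keeps the program memory-safe but can still produce a value the rest of the code was not expecting.</p>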
<p>Despite “well-documented” fixes, buffer overflow vulnerabilities are quite prevalent, CISA pointed out. “For these reasons — as well as the damage exploitation of these defects can cause — CISA, FBI, and others[<a href="https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-buffer-overflow-vulnerabilities#_ednref1">1</a>] designate buffer overflow vulnerabilities as unforgivable defects.”</p>
<p>Manufacturers are asked to refer to the methods outlined in the alert <a href="https://www.cisa.gov/sites/default/files/2025-02/secure-by-design-alert-eliminating-buffer-overflow-vulnerabilities-508c.pdf">PDF</a> issued with the advisory to prevent and mitigate buffer overflow defects, and software users are advised to <a href="https://www.cisa.gov/resources-tools/resources/secure-demand-guide">demand secure products</a> from them that include such preventions.</p>
<h2 class="wp-block-heading"><a></a>Microsoft, VMware, Ivanti flaws called out</h2>
<p>The feds highlighted a list of buffer overflow bugs affecting leading vendors such as Microsoft, Ivanti, VMware, Citrix and Red Hat, ranging from high to critical severity, some of them already exploited in the wild.</p>
<p>The list included two Microsoft flaws: one that could allow local attackers in container-based environments to gain system privileges (<a href="https://www.csoonline.com/article/3822488/february-patch-tuesday-cisos-should-act-now-on-two-actively-exploited-windows-server-vulnerabilities.html">CVE-2025-21333</a>), and a privilege escalation in the Windows Common Log File System (CLFS) driver that could lead to full system access (CVE-2024-49138). The latter was picked up by threat actors as a <a href="https://www.tenable.com/blog/microsofts-december-2024-patch-tuesday-addresses-70-cves-cve-2024-49138">zero-day exploit</a> and was assigned a CVSS rating of 7.8/10.</p>
<p>Most critical in the list is a <a href="https://www.csoonline.com/article/3583542/vmware-patches-security-vulnerability-twice.html">VMware vCenter flaw</a> (CVE-2024-38812) that Broadcom had to plug for a second time within months after it <a href="https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968">admitted</a> the first patch did not completely fix the issue. The flaw was a heap overflow in the vCenter server’s implementation of the DCERPC (Distributed Computing Environment / Remote Procedure Call) protocol.</p>
<p>Another critical flaw (CVSS 9/10) listed in the advisory is the stack-overflow bug in Ivanti’s Connect Secure (CVE-2025-0282), which the IT software maker fixed in January after it was <a href="https://www.csoonline.com/article/3652369/ivanti-warns-critical-rce-flaw-in-connect-secure-exploited-as-zero-day.html">exploited in zero-day attacks</a>. While historically dependent on memory-unsafe languages such as C and C++, all of these vendors are gradually <a href="https://www.techzine.eu/news/devops/116080/microsoft-continues-push-to-switch-code-over-to-rust/">moving towards memory-safe languages</a> like Rust, Go, Swift, and Python.</p>
</div></div></div></div>
https://www.csoonline.com/article/382393...vable.html