Yes, you read that correctly. It’s not even two full months into 2021 and we’re already talking about not just one, but several major cyberattacks that all originated as a buffer overflow.
We talk about buffer overflows a lot here at Dover Microsystems, and for good reason. They are one of the most common and severe types of software vulnerabilities, impacting every system, regardless of industry or application. Infamous cyberattacks like Operation Soft Cell of 2019, Triton of 2017, Heartbleed of 2014, and even the 2009 Stuxnet attack all started with a simple buffer overflow
And we already know that there are anywhere between 15 and 50 bugs for every 1,000 lines of source code, with an estimated 93 billion new lines of code being written every year. That also means billions of new software vulnerabilities are being created every year—anywhere from 1.4 billion to 4.7 billion new vulnerabilities to be exact.
At the time of this writing, 59 new buffer overflow vulnerabilities have been identified since January 1st, 2021. At this rate, we can expect over 350 new buffer overflows to be discovered by year’s end. Of course, we know the number of discovered vulnerabilities is only a tiny fraction of what actually exists in the wild. It can take years and sometimes decades until a single vulnerability is discovered—by the good guys that is. Unfortunately, most often a vulnerability doesn’t come to light until an attacker has exploited the vulnerability and a breach has already occurred.
We already saw this in the Operation Soft Cell attack, which infected the networks of major telecommunications providers like T-Mobile and AT&T. The attack was discovered in 2018, but was a multi-wave attack that spanned at least six years, allowing the attackers to collect over 100GB of data, including call and messaging logs of the telcos’ users. The attack was finally thwarted when the Cybereason research team discovered it and made the impacted telecommunications organizations aware they were under attack.
What is a buffer overflow?
A buffer overflow occurs when a program is able to write more data to a buffer—or fixed-length block of computer memory—than it is designed to hold. Then the excess data will overflow into the adjacent buffer, overwriting its contents and enabling the attacker to change the flow of the program and execute a code injection attack.
According to MITRE, buffer overflows account for over 10,000 of the known software vulnerabilities, 23% of which are considered severe. The severity of a CVE is also classified by the MITRE corporation. A CVE is considered severe when the attack vector comes across the network, the attack complexity is low, there is no special privilege or user interaction required for the attack to be successful, and no workaround currently exists to prevent the attack from occurring.
The reason buffer overflows are so prevalent is because the majority of applications are written in C and C++, both of which have no built-in protection against accessing or overwriting data anywhere in memory. They also do not automatically check if data written to a buffer is within the bounds of that buffer. This combined with the fact that software applications are becoming more and more complex—containing millions of lines of code—finding and eliminating all potential buffer overflow vulnerabilities before release is next to impossible.
Hence where we find ourselves today, with an endless stream of cyberattacks in the news, many of which started as a simple buffer overflow. Let’s take a look at just a few that have been in the news in the first several weeks of the year.
Heap-based buffer overflow in Libgcrypt
In January 2021, the developers of Libgcrypt, a cryptographic library developers use when building applications, issued a security patch update after a severe heap-based buffer overflow vulnerability was discovered in the software. The bug was discovered by a Google Project Zero researcher who warned that the bug was easily exploitable, and would allow an attacker to write arbitrary code to a target machine and execute that code.
Many software programs rely on the open source libgcrypt library, and the organizations impacted run the gamut from government entities to small businesses.
Apple iOS latest update included a security patch for multiple buffer overflow vulnerabilities
If you’re the owner of an Apple device, you’re likely already familiar with the next buffer overflow attack. Even my less than technologically inclined mother sent me a frantic text: “have u updated ur phone yet?!” In January 2021, Apple disclosed three actively exploited vulnerabilities in iOS, two of which were in the browser engine that powers Safari, and the third a buffer overflow in the Kernel.
All of these vulnerabilities would give the attacker a significant amount of access to the device and the data, if exploited. In addition to the privilege escalation provided by the bug in the Kernel, the two other vulnerabilities located in the WebKit could allow the remote execution of malicious code into the users’ Safari browser. While it’s not likely that the many devices were targeted, all iPhone generations beyond the 6S were impacted, along with multiple generations of iPads and the 7th generation of the iPod touch.
Sudo bug discovered years after it was first created
The last attack we’re highlighting is the Sudo buffer overflow exploit, which was identified and disclosed in late January, but existed in the wild for almost a decade. This potential impact of this vulnerability is massive—it affected the majority of the Linux ecosystem, and gave anyone who exploited the bug root access from a low-privileged account.
The vulnerability is largely considered to be one of the most dangerous bugs that have been discovered in the Sudo utility to date and it runs the risk of being utilized as thes second stage of a multipart attack. Quayls, the security watchdog that first identified the bug, said if attackers were able to brute force low-level accounts, they could then exploit the buffer overflow vulnerability to gain remote access and full control over an attacked system.
Security patches as a cybersecurity strategy are woefully inadequate
It’s not an overstatement to say that buffer overflows are extremely dangerous and all too common. In an ideal world, the security patches released would successfully fix the issues after they’re discovered and all would be well. However, that assumes that every system that contained the vulnerability immediately downloads the software update. Unfortunately, we know that’s not reality. In fact, it’s been reported that nearly 60% of all data breaches in 2019 can be directly linked to unpatched vulnerabilities. Many factors contribute to poor patch management, the primary one being the inevitable and costly system downtime. This leads business to avoid installing patches, as the downtime costs increase with the scale of the business. Large organizations could face over $200,000 in downtime cost for just one security patch.
In the case of the Sudo bug, systems could have been targeted for ten years. Because the Sudo vulnerability is nearly ubiquitous in Linux systems, the ripple effect of this bug is massive. Impacting organizations from Cisco to Apple, millions of users and potentially billions of devices now need to be updated and patched in order to prevent exploitation and in all likelihood a vast majority of those devices will remain unpatched for some time, if ever.
It is clear that a proactive approach to cybersecurity is needed.
Prevent all (known and unknown) buffer overflows with Dover’s CoreGuardⓇ solution
Dover’s CoreGuard solution protects against entire classes of vulnerabilities, including buffer overflows, so that even zero-day exploits are prevented. Whether a bug is discovered last year, today, or years in the future, Dover’s CoreGuard technology will prevent it’s exploitation. This is done through a combination of hardware and software, called micropolicies, which are informed by metadata.
These micropolicies are able to stop the exploitation of both known and zero-day vulnerabilities because they are designed to prevent the class of attack and not the specific vulnerability, without the need to issue an update to the technology. This doesn’t mean the vulnerability is eliminated on a CoreGuard-protected device, and it is advised the vulnerability should be patched or fixed as soon as possible. However, the exploitation will be prevented, eliminating the need for immediate action, as unpatched systems won’t be in danger of attack.
The Heap micropolicy protects against buffer overflows on heap memory. It works by assigning a color to the buffer where the data resides, as well as the pointer to that buffer. It enforces that an instruction cannot write data to a buffer with a color that does not match the color of the pointer to that buffer. Therefore, if there is an attempt to write data to a buffer that has a mis-matching pointer, the CoreGuard hardware will issue a violation and stop the instruction from being executed.
The other micropolicy that protects memory safety is the Stack micropolicy, which prevents the exploitation of buffer overflows on the stack that can be used to execute a stack smashing attack. A stack smashing attack occurs when a buffer overflow overwrites data in memory allocated to the stack.With the Stack micropolicy, Dover’s CoreGuard solution uses metadata to tag a function’s code and its data on the stack, and then blocks any instruction that tries to violate the structure of the stack defined by the metadata. In other words, if an attacker attempts to exploit a buffer overflow to write data into stack memory, CoreGuard will block the attempt and issue a violation because that data is more than the stack was designed to hold.
To learn more about buffer overflows and the other software bugs plaguing our embedded systems today, attend Dover's upcoming webinar, Securing Embedded Systems: Analyzing CWE Threats & Delivering Hardware-Based Defense-in-Depth.