Description

The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-1177

Consequences

Other: Varies by Context, Quality Degradation, Unexpected State

If the function is used incorrectly, then it could result in security problems.

Potential Mitigations

Phase: Build and Compilation, Implementation

Description: 

Identify a list of prohibited API functions and prohibit developers from using these functions, providing safer alternatives. In some cases, automatic code analysis tools or the compiler can be instructed to spot use of prohibited functions, such as the “banned.h” include file from Microsoft’s SDL. [REF-554] [REF-7]

CVE References

• CVE-2007-1470
  • Library has multiple buffer overflows using sprintf() and strcpy()

• CVE-2009-3849
  • Buffer overflow using strcat()

• CVE-2006-2114
  • Buffer overflow using strcpy()

• CVE-2006-0963
  • Buffer overflow using strcpy()

• CVE-2011-0712
  • Vulnerable use of strcpy() changed to use safer strlcpy()

• CVE-2008-5005
  • Buffer overflow using strcpy()