Security

Buffer Overflow Vulnerabilities and Prevention

5 July, 2019

A buffer overflow is a coding vulnerability that can allow cyberattackers to crash or even hijack a target system. To protect their customers against these tactics, managed services providers (MSPs) must understand how these vulnerabilities are created, how buffer overruns can be exploited, and what can be done to protect computer systems.

How does a buffer overflow attack work?

A buffer overflow attack takes place when hackers exploit a buffer overflow vulnerability to overwrite memory. Typically, a buffer overflow occurs when data input exceeds the size of a buffer and overwrites memory in the adjacent buffer.

Buffers are sequential memory partitions set aside for storage or moving data within a program. However, they can only store an allotted amount of data, and programs without bounds checking run the risk of writing data that exceeds the storage capacity of a given buffer into that space. This bug can lead to system errors on its own, but a deliberate attack can result in the loss of important data, system downtime, or the execution of malicious code.

Although many programs have buffer overflow vulnerabilities, they are not equally susceptible to attack. C and C++ specifically lack language protections against buffer overflow and allow direct memory access, making programs written in these code languages more open to the threat of buffer overrun exploitation.

Is buffer overflow a DoS attack?

A buffer overflow attack is one form of a denial of service (DoS) attack [https://www.solarwindsmsp.com/blog/unified-threat-management-overview], in which hackers crash a machine or entire network by flooding it with traffic or feeding it information that causes it to shut down. A buffer overflow attack intentionally corrupts system memory, thereby denying machine or network users’ service through crashing the system. However, the ramifications of a DoS buffer overflow attack go beyond a system shutdown.

In the worst cases, a buffer overflow overwrites data with instructions that prompt the program to run arbitrary code, an action that could give cyberattackers full access to the system. This would allow them to steal confidential data, manipulate protected information, and restrict access from system owners.

When did buffer overflow attacks start?

The first buffer overflow attack occurred in November of 1988 with catastrophic effects. Known as “The Morris Worm,” [https://www.fbi.gov/news/stories/morris-worm-30-years-since-first-major-attack-on-internet-110218] the rogue program crashed 10% of all computers with internet connectivity in a single day.

While it didn’t damage or eliminate system data, the worm was massively impactful in terms of its effects on cybersecurity awareness. Delaying military and university operations for several days to a week, the worm incurred damages that experts estimated to be between hundreds of thousands to millions of dollars, highlighting both the nation’s reliance on computer systems and the widespread inadequacy of cybersecurity measures at the time.

Are buffer overflows still relevant?

Mainstream programming practices have evolved to develop operating systems, software, and programs with built-in overflow protections. These protections include coding in an automatically protected language or using techniques that give greater attention to vulnerabilities. For example, address space randomization shuffles the locations of data areas to make buffer overflow attacks more difficult, thus undermining the propagation of worms by requiring individualized exploitation. Many programs also utilize canary values, which occupy unused buffers. When the canary value has been overwritten, the program recognizes that it cannot verify the canary value and subsequently terminates or takes another action before an attack can take place.

Still, these protections can guard buffer overflow vulnerabilities but cannot eliminate the threat. It is in the best interest of MSPs, then, that they understand how these attacks occur and what tools they can use to prevent them [https://www.solarwindsmsp.com/blog/security-why-does-a-business-need-a-third-party-email-security-offering].

What is buffer overflow prevention?

Buffer overflow prevention can come in the form of better coding practices and security software implementation. While checking for bugs and opting for automatic language protection is helpful as a first step, the majority of programs are at risk of costly buffer overflow attacks and require a second line of defense.

SolarWinds® Remote Monitoring & Management (RMM) software was tailored to meet the needs of MSPs protecting their customers’ networks from afar [https://www.solarwindsmsp.com/products/rmm]. With data-breach risk intelligence, backup and recovery, and managed antivirus capabilities, the RMM dashboard gives MSPs a holistic view of network health while alerting them to—and guarding against—security threats like DoS attacks.

Though cybersecurity risks are constantly evolving, buffer overflow attacks have been a severe DoS threat for the last thirty years and MSPs should know what program vulnerabilities make them possible.

Ensure you're always protected from breaches by reading through our blog for other common IT threats.