More than half of critical open-source tools are built on code written in languages that do not automatically guard against memory errors such as buffer overflows, potentially leaving them vulnerable to exploitation by hackers, according to findings released by the Cybersecurity and Infrastructure Security Agency (CISA) on June 26.

The report – authored by the FBI, CISA, and the Australian and Canadian cyber directorates – found that approximately 52 percent of the 172 projects listed by the influential Open-Source Security Foundation include code written in memory-unsafe languages, while 55 percent of the total lines of code for all the projects were written in a memory-unsafe language.

Moreover, even projects written in memory-safe languages may potentially harbor memory safety vulnerabilities. The report specifically identified instances where projects in memory-safe languages depended on components written in memory-unsafe languages.

“Most critical open-source projects analyzed, even those written in memory-safe languages, potentially contain memory safety vulnerabilities. This can be caused by direct use of memory-unsafe languages or external dependency on projects that use memory-unsafe languages,” the report stated. “Additionally, low-level functional requirements to disable memory safety may create opportunities for memory safety vulnerabilities in code written in otherwise memory-safe languages.”

Memory safety vulnerabilities are among the most common software vulnerabilities, prompting the cybersecurity sector to intensify its focus on them in recent years.

These vulnerabilities incur significant costs for both software manufacturers and consumers, including expenses related to patching, incident response, and other mitigation efforts, the report states.

Memory-unsafe languages require developers to carefully manage memory usage to avoid errors like buffer overflows and use-after-free vulnerabilities, which attackers can exploit to gain control over software and systems. In contrast, memory-safe languages reduce these risks by handling memory safety through compilers or interpreters, easing the burden on developers.
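As an added illustration of the buffer-overflow case described above (example code written for this article, not from the CISA report or any of the surveyed projects): an unchecked string copy in C beside a bounds-checked version that rejects input that would not fit. The buffer size and the sample names are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Unchecked copy: strcpy() writes the whole source into a 16-byte stack
 * buffer. A longer name overruns the buffer (undefined behaviour), which is
 * the kind of defect the report counts as a memory safety vulnerability.
 * The language does nothing to stop it; the developer must remember. */
void greet_unchecked(const char *name) {
    char buf[NAME_LEN];
    strcpy(buf, name);              /* no bounds check */
    printf("hello, %s\n", buf);
}

/* Hardened form: the copy is bounded by the destination size and overlong
 * input is rejected rather than truncated silently.
 * Returns 0 on success, -1 if src (plus its terminating NUL) would not fit. */
int copy_name_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strnlen(src, dst_len);   /* never reads past dst_len bytes */
    if (n == dst_len)                   /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n + 1);            /* n bytes plus the NUL */
    return 0;
}

/* Same greeting, but it fails closed on input that does not fit. */
int greet_checked(const char *name) {
    char buf[NAME_LEN];
    if (copy_name_checked(buf, sizeof buf, name) != 0)
        return -1;
    printf("hello, %s\n", buf);
    return 0;
}

int main(void) {
    /* Constructed inputs: a 5-byte name fits; a 33-byte name does not. */
    greet_checked("alice");
    if (greet_checked("this-name-is-far-too-long-for-buf") != 0)
        puts("rejected overlong input instead of overflowing");
    return 0;
}
```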

The report stresses the ongoing necessity of employing memory-safe programming languages, secure coding practices, and rigorous security testing.

Additionally, the report recommends that software manufacturers create memory-safe roadmaps, including plans to address memory safety in external dependencies, which commonly include open-source software.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.