CISA and FBI publish secure by design alert on OS command injection vulnerabilities in network devices – IndustrialCyber


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released on Wednesday a new Secure by Design alert focusing on recent high-profile incidents in which threat actors exploited operating system (OS) command injection vulnerabilities in network edge devices (specifically CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887). These vulnerabilities allowed remote code execution on the devices. Although the prevention measures for OS command injection vulnerabilities—often mapped to CWE-78—come down to keeping user input separate from command content, the defect remains a significant security concern.

Titled ‘Eliminating OS Command Injection Vulnerabilities,’ the alert disclosed that despite widespread knowledge and documentation of the OS command injection vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers have continued to develop products with this defect, which puts customers at risk. 

OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS. Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk. 

During the design and development of a software product, developers should take steps to prevent OS command injection vulnerabilities at scale. These steps include, but are not limited to: wherever possible, using built-in library functions that separate commands from their arguments instead of constructing raw strings that are fed to a general-purpose system command; adopting input parameterization to keep data separate from commands; and validating and sanitizing all user-supplied input while limiting the parts of a command that user input can influence to only what is necessary. 

Software manufacturers should take ownership of their customers’ security outcomes by eliminating OS command injection vulnerabilities from their products. There are key security areas manufacturers should invest in to protect their customers as well as the public. These include providing safe building blocks for their developers to ensure that a single error does not compromise the data of millions of users. The cycle of vulnerability detection, mitigation, and patch deployment for vulnerabilities that have been understood for years is not a lasting approach to security. 

The alert recognizes effective mechanisms to prevent classes of vulnerability at scale are available and software manufacturers should implement them as early in the development cycle as possible. “Adopting standard best practices, such as the guidance listed above, can help manufacturers root out OS command injection vulnerabilities at the source, as opposed to relying on customers to apply fixes. Manufacturers should also implement automated mechanisms that prevent their software from using unsafe functions,” it added.

Additionally, senior executives at software manufacturers must take accountability for the security of their customers, starting by regularly testing and conducting code reviews to determine how susceptible their products are to exploitation. The Open Web Application Security Project (OWASP) and other entities publish guidance on testing methods and the techniques available for this.

Manufacturers should lead with transparency when disclosing product vulnerabilities. To that end, manufacturers should track the vulnerabilities associated with their products and disclose these to their customers via the CVE program. Manufacturers should ensure that their CVE records are correct and complete. 

In addition to providing CVEs, it is critical that manufacturers supply an accurate CWE mapping so the industry can track classes of software defects, and customers can understand areas where a given vendor’s development practices may require improvement. Many, but not all, OS command injection vulnerabilities are the result of CWE-78. As such, manufacturers should identify and document the root causes of OS command injection vulnerabilities and declare it a business goal to work toward eliminating the entire class. Software manufacturers should also maintain a modern vulnerability disclosure program (VDP). 

Technology manufacturing executives should give the security of their products the same level of care they give to cost; consider the full picture that customers, the nation’s economy, and national security are currently bearing the brunt of business decisions to not build security into their products, and be aware that fully implementing secure by design software development can reduce financial and productivity costs as well as complexity. They must also make the appropriate investments and develop the right incentive structures that promote security as a stated business goal; lead programs to root out entire classes of vulnerability rather than addressing them on a case-by-case basis; and establish organizational structures that prioritize proactive measures, such as adopting standard best practices, to root out OS command injection vulnerabilities at the source. 

Additionally, these manufacturers must ensure their organization conducts reviews to detect common and well-known vulnerabilities, like OS command injection, to determine their susceptibility, and implement the existing effective and documented mitigations. Organizations should conduct these reviews continually to root out classes of vulnerability, as some vulnerabilities may change or develop over time. Executives should request regular updates to assess the company’s progress at identifying recurring classes of vulnerability, the company’s progress in eliminating them, and the appropriate resources needed to continue making progress.

CISA and FBI urge CEOs and other business leaders at technology manufacturers to ask their technical leaders to analyze past occurrences of this class of defect and develop a plan to eliminate them in the future. To further prevent these vulnerabilities, technical leaders should ensure software uses functions that generate commands in safer ways by preserving the intended syntax of the command and its arguments. They must also review their threat models, use modern component libraries, conduct code reviews, and implement aggressive adversarial product testing to ensure the quality and security of their code throughout the development lifecycle.
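The two practices the alert keeps returning to, in the paragraph on developer steps above and again here on functions that preserve the intended syntax of a command and its arguments, are easiest to see side by side. The following Python example is added here for illustration; it is not code from the alert, from CISA or FBI, or from any of the affected products. It assumes a hypothetical diagnostic feature that lets a user supply a host to ping: the `ping -c 1` command, the function names and the hostname allowlist are all assumptions made for the example, and the sample inputs are constructed.

```python
"""Added example (not from the CISA/FBI alert or the article): an OS command
injection defect next to the hardened form the alert recommends."""
import re
import shlex
import subprocess

# Allowlist for one hostname or IPv4 literal (an assumption for the example).
# Each label is letters, digits or hyphens and never starts or ends with a
# hyphen; refusing a leading hyphen also stops the value from being parsed by
# the tool as an option, which argv separation alone does not prevent.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_host(host: str) -> bool:
    """Allowlist validation: True only for a syntactically plausible host value."""
    return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def vulnerable_command_string(host: str) -> str:
    """VULNERABLE (CWE-78): the untrusted value is spliced into a command string
    that would be handed to /bin/sh via subprocess.run(..., shell=True).
    Returned rather than executed so the defect can be inspected safely."""
    return f"ping -c 1 {host}"


def shell_tokens(command: str) -> list[str]:
    """Show how a POSIX shell would tokenise the string: ';' becomes its own
    command separator, so whatever follows it runs as a second command."""
    lexer = shlex.shlex(command, punctuation_chars=True)
    return list(lexer)


def hardened_argv(host: str) -> list[str]:
    """Hardened form: validate first, then keep the value as a single argv
    element. With shell=False no shell parses the arguments, so metacharacters
    in 'host' can only ever be the literal hostname ping is asked to resolve."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str, timeout: float = 5.0) -> int:
    """Execute the parameterised command (shell=False) and return its exit code."""
    proc = subprocess.run(hardened_argv(host), shell=False,
                          capture_output=True, timeout=timeout, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a shell separator.
    for value in ("127.0.0.1", "127.0.0.1; id"):
        cmd = vulnerable_command_string(value)
        print(f"vulnerable string : {cmd!r}")
        print(f"shell would run   : {shell_tokens(cmd)}")
        try:
            print(f"hardened argv     : {hardened_argv(value)}")
        except ValueError as exc:
            print(f"hardened argv     : {exc}")
```

Running the module prints, for the second input, that the shell would split the vulnerable string into `ping -c 1 127.0.0.1` followed by a separate `id` command, while `hardened_argv` rejects the same value before anything is executed. The two layers are deliberately independent: the argv list removes the shell parser entirely, and the allowlist catches values that are legal as a single argument but still unwanted, such as one beginning with `-`. `run_hardened` is the only function that actually spawns a process and is left out of the demo loop so the example runs without network access.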

In May, CISA and FBI issued a Secure by Design alert in response to recent hacker campaigns exploiting directory traversal vulnerabilities such as CVE-2024-1708 and CVE-2024-20345. These vulnerabilities have been used to compromise software users, impacting critical infrastructure sectors such as healthcare and public health. Earlier, in March, the agencies published a joint Secure by Design alert in response to the recent exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations.
