CISA and the FBI urged software companies on Wednesday to review their products and eliminate OS command injection vulnerabilities before shipping.
The advisory was released in response to recent attacks that exploited several OS command injection security flaws (CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887) to compromise Cisco, Palo Alto Networks, and Ivanti network edge devices.
Velvet Ant, the Chinese state-sponsored threat actor linked to the Cisco intrusions, deployed custom malware to gain persistence on compromised devices as part of a cyber espionage campaign.
“OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS,” today’s joint advisory explains.
“Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk.”
CISA advises developers to implement well-known mitigations that prevent OS command injection vulnerabilities at scale while designing and developing software products:
- Use built-in library functions that separate commands from their arguments whenever possible, instead of constructing raw strings that are fed into a general-purpose system shell.
- Use input parameterization to keep data separate from commands; validate and sanitize all user-supplied input.
- Limit the parts of a command that user input can build to only what is necessary.
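As an added example (not part of the advisory or of this article), the Python below writes the same small host-lookup helper four ways: the vulnerable string-concatenation form that hands user input to `/bin/sh`, and the forms the three mitigations above describe (argument separation, parameterized/validated input, and a fixed command with only the host field under user control). `echo` stands in for a real tool such as `ping` so the example runs offline and deterministically; the hostname values are constructed test inputs.

```python
"""Added example, not from the CISA/FBI advisory: a host-lookup helper written
in a CWE-78-vulnerable form and in hardened forms. `echo` stands in for a real
network tool (e.g. ping) so this runs offline; inputs below are constructed."""
import re
import shlex
import subprocess

# Allowlist for a hostname or IPv4 literal: dot-separated labels of letters,
# digits and hyphens, each label starting with an alphanumeric character.
# Spaces, ';', '|', '$(' and a leading '-' all fail this check before any
# command is built.
_HOST_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9-]{0,62}(?:\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*"
)


def is_valid_host(host: str) -> bool:
    """Parameter validation: True only if `host` matches the allowlist."""
    return _HOST_RE.fullmatch(host) is not None


def lookup_vulnerable(host: str) -> str:
    """CWE-78: user input is spliced into a string interpreted by /bin/sh.
    A host such as 'x; echo INJECTED' runs a second, attacker-chosen command."""
    result = subprocess.run(
        f"echo {host}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def lookup_shell_quoted(host: str) -> str:
    """If a shell is genuinely unavoidable, shlex.quote() neutralizes shell
    metacharacters. Weaker than avoiding the shell: one missed quote()
    call reintroduces the bug."""
    result = subprocess.run(
        f"echo {shlex.quote(host)}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def lookup_argv(host: str) -> str:
    """Mitigation 1: command and arguments passed as a list, so no shell is
    involved and `host` reaches echo as one literal argument. Note this is
    still open to *argument* injection: host='-n' is parsed by echo as an
    option, which is why validation is also required."""
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def lookup_hardened(host: str) -> str:
    """Mitigations 1-3 together: argv separation, allowlist validation, and a
    fixed command where only the host field is user-controlled."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    result = subprocess.run(
        ["echo", host], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    attacker_input = "x; echo INJECTED"          # constructed malicious input
    print("vulnerable :", repr(lookup_vulnerable(attacker_input)))
    print("quoted     :", repr(lookup_shell_quoted(attacker_input)))
    print("argv       :", repr(lookup_argv(attacker_input)))
    print("argv, -n   :", repr(lookup_argv("-n")))  # argument injection
    print("hardened   :", repr(lookup_hardened("example.com")))
    try:
        lookup_hardened(attacker_input)
    except ValueError as exc:
        print("hardened   :", exc)
```

Run on a POSIX system, the vulnerable variant prints two lines (`x` and `INJECTED`) because the shell treated `;` as a command separator, while the argv and quoted variants print the attacker string as a single literal line. The `-n` case shows why argument separation alone is not enough: a program still interprets its own options, so the allowlist that rejects a leading hyphen (or, for tools that support it, an explicit `--` terminator) closes the remaining gap.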
Technology leaders should be actively involved in the software development process. They can do this by ensuring that the software uses functions that generate commands safely while preserving the command’s intended syntax and arguments.
Additionally, they should review threat models, use modern component libraries, conduct code reviews, and implement rigorous product testing to ensure the quality and security of their code throughout the development lifecycle.
“OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command. Despite this finding, OS command injection vulnerabilities—many of which result from CWE-78—are still a prevalent class of vulnerability,” CISA and the FBI added.
“CISA and FBI urge CEOs and other business leaders at technology manufacturers to request their technical leaders to analyze past occurrences of this class of defect and develop a plan to eliminate them in the future.”
OS command injection bugs took the fifth spot in MITRE’s 2023 list of the top 25 most dangerous software weaknesses, surpassed only by out-of-bounds write, cross-site scripting, SQL injection, and use-after-free flaws.
In May and March, two other “Secure by Design” alerts urged tech executives and software developers to weed out path traversal and SQL injection (SQLi) vulnerabilities.