CISA and FBI Call on Developers to Eliminate OS Command Injection Vulnerabilities

July 10, 2024

CISA and the FBI have issued a joint advisory to software firms, strongly recommending they scrutinize their products and eliminate any OS command injection vulnerabilities before they are released to the market. This advisory was prompted by recent cyber attacks that took advantage of multiple OS command injection security flaws (CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887) to infiltrate network edge devices from companies such as Cisco, Palo Alto, and Ivanti. These attacks were orchestrated by Velvet Ant, a Chinese state-sponsored threat actor, who used custom malware to establish a persistent presence on the hacked devices as part of a wider cyber espionage campaign.

The advisory explains that OS command injection vulnerabilities occur when software manufacturers do not adequately validate and sanitize user input when creating commands to execute on the underlying operating system. If user input is trusted without proper validation or sanitization, it can enable threat actors to execute malicious commands, thereby putting customers at risk. CISA has urged developers to use well-known mitigations to prevent OS command injection vulnerabilities at scale while designing and developing software products.

The advisory further suggests that tech leaders should actively participate in the software development process. This can be achieved by ensuring that the software uses functions that generate commands safely while preserving the command's intended syntax and arguments. They should also review threat models, use modern component libraries, conduct code reviews, and implement rigorous product testing to ensure the quality and security of their code throughout the development lifecycle.

Despite the fact that OS command injection vulnerabilities can be prevented by clearly separating user input from the contents of a command, they remain a prevalent class of vulnerability. CISA and the FBI have urged CEOs and other business leaders at technology manufacturers to instruct their technical leaders to analyze past occurrences of this class of defect and develop a plan to eliminate them in the future.

OS command injection security bugs ranked fifth in MITRE's top 25 most dangerous software weaknesses, only surpassed by out-of-bounds write, cross-site scripting, SQL injection, and use-after-free flaws. Earlier this year, two other 'Secure by Design' alerts were released, urging tech executives and software developers to address path traversal and SQL injection (SQLi) security vulnerabilities.

Related News

• CISA Includes Cisco NX-OS Command Injection Vulnerability in its Known Exploited Vulnerabilities Catalog
• Cisco Patches NX-OS Zero-Day Exploited by Chinese Threat Actor Velvet Ant
• CISA Confirms Data Breach in Chemical Security Assessment Tool: Potential Exposure of Sensitive Information
• MITRE Corporation Cyber Attack: Hackers Utilize Rogue VMs to Evade Detection
• Mirai Botnet Exploits Ivanti Connect Secure Vulnerabilities

Latest News

• Longstanding Windows Zero-Day Exploited for Over a Year
• Citrix Addresses Critical and High-Severity Bugs in NetScaler Product
• Emerging Ransomware Group Exploits Vulnerability in Veeam Backup Software
• New OpenSSH Vulnerability May Lead to Remote Code Execution
• Microsoft's July Security Update Exploited by Attackers, Patch for 139 Unique CVEs Released