CISA and FBI Call on Developers to Eliminate OS Command Injection Vulnerabilities

July 10, 2024

CISA and the FBI have issued a joint advisory to software firms, strongly recommending they scrutinize their products and eliminate any OS command injection vulnerabilities before they are released to the market. This advisory was prompted by recent cyber attacks that took advantage of multiple OS command injection security flaws (CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887) to infiltrate network edge devices from companies such as Cisco, Palo Alto, and Ivanti. These attacks were orchestrated by Velvet Ant, a Chinese state-sponsored threat actor, who used custom malware to establish a persistent presence on the hacked devices as part of a wider cyber espionage campaign.

The advisory explains that OS command injection vulnerabilities occur when software manufacturers do not adequately validate and sanitize user input when creating commands to execute on the underlying operating system. If user input is trusted without proper validation or sanitization, it can enable threat actors to execute malicious commands, thereby putting customers at risk. CISA has urged developers to use well-known mitigations to prevent OS command injection vulnerabilities at scale while designing and developing software products.

The advisory further suggests that tech leaders should actively participate in the software development process. This can be achieved by ensuring that the software uses functions that generate commands safely while preserving the command's intended syntax and arguments. They should also review threat models, use modern component libraries, conduct code reviews, and implement rigorous product testing to ensure the quality and security of their code throughout the development lifecycle.
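The distinction the advisory draws, between concatenating user input into a shell command string and using a function that preserves the command's intended syntax and arguments, is easiest to see side by side. The following is an added example, not code from the advisory or from any of the vendors named above; it assumes Python's standard `subprocess` module and a `ping`-style utility, and the hostnames it uses are constructed for illustration.

```python
import re
import subprocess

# Constructed sample inputs (not from the advisory): one benign hostname and one
# carrying a shell metacharacter that an attacker could supply in a form field.
BENIGN_HOST = "example.com"
HOSTILE_HOST = "example.com; id"  # ';' ends the intended command when a shell parses it

# Characters a POSIX shell treats specially; useful as a detection/triage check.
SHELL_METACHARACTERS = set(';|&$<>`\\"\'()*?{}[]~\n')

# Allowlist for a DNS hostname: labels of letters, digits and hyphens, separated by
# dots, no label starting or ending with a hyphen. Anything else is rejected.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def shell_metacharacters(value: str) -> set:
    """Return the shell metacharacters present in a value (for logging/detection)."""
    return {c for c in value if c in SHELL_METACHARACTERS}


def is_valid_hostname(host: str) -> bool:
    """Allowlist validation: structure of a hostname, not a denylist of bad characters."""
    return len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def unsafe_command_string(host: str) -> str:
    """The vulnerable pattern the advisory describes: input spliced into a string
    that is later handed to a shell (e.g. subprocess.run(..., shell=True)).
    Shown only for contrast; this function builds the string and never runs it."""
    return f"ping -c 1 {host}"


def build_ping_argv(host: str) -> list:
    """The safe pattern: validate, then keep the argument as one argv element.
    No shell parses it, so metacharacters cannot change the command's syntax."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def is_rejected(host: str) -> bool:
    """True if the validated builder refuses the input."""
    try:
        build_ping_argv(host)
    except ValueError:
        return True
    return False


def run_ping(host: str, timeout: float = 10.0) -> int:
    """Execute the validated argv with shell=False; returns ping's exit status."""
    argv = build_ping_argv(host)
    completed = subprocess.run(argv, shell=False, capture_output=True, timeout=timeout)
    return completed.returncode


if __name__ == "__main__":
    print("unsafe string would be:", unsafe_command_string(HOSTILE_HOST))
    print("metacharacters found:", shell_metacharacters(HOSTILE_HOST))
    print("safe argv:", build_ping_argv(BENIGN_HOST))
    print("hostile input rejected:", is_rejected(HOSTILE_HOST))
```

Two points worth noting. First, passing an argument list with `shell=False` is what removes the injection: the hostname reaches `ping` as a single argument regardless of its contents. Second, the allowlist still matters even with an argv list, because a value such as `-f` would otherwise be interpreted by the called program as an option rather than a hostname; the regex rejects values that do not look like a hostname, including a leading hyphen.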

Despite the fact that OS command injection vulnerabilities can be prevented by clearly separating user input from the contents of a command, they remain a prevalent class of vulnerability. CISA and the FBI have urged CEOs and other business leaders at technology manufacturers to instruct their technical leaders to analyze past occurrences of this class of defect and develop a plan to eliminate them in the future.

OS command injection security bugs ranked fifth in MITRE's top 25 most dangerous software weaknesses, only surpassed by out-of-bounds write, cross-site scripting, SQL injection, and use-after-free flaws. Earlier this year, two other 'Secure by Design' alerts were released, urging tech executives and software developers to address path traversal and SQL injection (SQLi) security vulnerabilities.
