
CISA and FBI issue “Secure by Design” alert on OS command injection vulnerabilities in network devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a new “Secure by Design” alert on Wednesday, focusing on recent, high-profile incidents in which threat actors exploited operating system (OS) command injection vulnerabilities in network edge devices (specifically CVE-2024-20399, CVE-2024-3400, CVE-2024-21887). These vulnerabilities allowed remote code execution on the devices. Although prevention measures for operating system command injection vulnerabilities – often related to CWE-78 – include separating user input from command content, they remain a significant security risk.

The alert, titled “Eliminating OS Command Injection Vulnerabilities,” notes that despite widespread knowledge and documentation of OS command injection over the past two decades, and the availability of effective countermeasures, software vendors continue to ship products with this defect, putting customers at risk.

Command injection vulnerabilities in operating systems arise when vendors fail to properly validate and sanitize user input when creating commands to be executed on the underlying operating system. Designing and developing software that trusts user input without proper validation or sanitization can allow attackers to execute malicious commands, compromising customers.

During the design and development of a software product, developers should take steps to prevent OS command injection vulnerabilities at scale. This includes, where possible, using built-in library functions that separate commands from their arguments rather than constructing raw strings that are fed to a general-purpose system command. Developers must also use input parameterization to keep data separate from commands, validate and sanitize all user-provided input, and limit the parts of a command that user input can shape to what is strictly necessary.
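The guidance in this paragraph maps directly onto two code patterns: a vulnerable one that concatenates user input into a single shell string, and a hardened one that validates the input against an allowlist and then passes it as one element of an argv list so no shell ever parses it. The following Python example is added here to illustrate that contrast; it is not code from the CISA/FBI alert or from any vendor. The “ping a host” diagnostic, the hostname allowlist and the input values are constructed for the example, and the real ping tool is replaced by the Python interpreter echoing its own arguments so the block runs offline.

```python
import re
import shlex
import subprocess
import sys

# Constructed scenario: a device exposes a "ping <host>" diagnostic and the
# host value comes straight from the user. To keep the example runnable
# offline, the external tool is a stand-in: the Python interpreter printing
# its own argv instead of /bin/ping.

# Allowlist for a hostname or IPv4 literal. Shell metacharacters
# (space ; | & $ ` " ' newline) are simply not in the character class.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def validate_host(host: str) -> str:
    """Return host unchanged if it matches the allowlist, else raise ValueError."""
    if _HOST_RE.fullmatch(host) is None:
        raise ValueError(f"rejected host value: {host!r}")
    return host


def is_rejected(host: str) -> bool:
    """True when the allowlist validator refuses the value."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern (CWE-78): user input concatenated into one shell
    string that the caller would hand to system() or subprocess with shell=True."""
    return "ping -c 1 " + host


def shell_tokens(cmd: str) -> list[str]:
    """How a POSIX shell would tokenize the raw string before executing it.
    shlex with punctuation_chars=True makes ';', '|', '&' separate tokens,
    which is exactly why a ';' in the host value becomes a second command."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def build_command_safe(host: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list. No shell
    parses the list, so the host is always exactly one argument to the tool."""
    return ["ping", "-c", "1", validate_host(host)]


def run_diagnostic(host: str) -> str:
    """Run the safe form and return the tool's output. The stand-in tool
    prints its argv so the argument boundaries are visible."""
    argv = build_command_safe(host)
    # Swap the real tool for the interpreter; argv[1:] are forwarded verbatim.
    stand_in = [sys.executable, "-c", "import sys; print(sys.argv[1:])", *argv[1:]]
    completed = subprocess.run(stand_in, capture_output=True, text=True, check=True)
    return completed.stdout.strip()


if __name__ == "__main__":
    benign = "example.com"
    hostile = "example.com; echo injected"  # constructed, harmless probe value
    print(shell_tokens(build_command_unsafe(hostile)))  # ';' splits the command
    print(run_diagnostic(benign))                       # ['-c', '1', 'example.com']
    try:
        run_diagnostic(hostile)
    except ValueError as exc:
        print("blocked:", exc)
```

The two defenses are independent: the allowlist rejects anything that is not a plausible hostname, and the argv list guarantees that even an unexpected value reaches the target program as a single literal argument rather than as shell syntax. Relying on only one of them (for example, escaping and still invoking a shell) is the pattern the alert warns against.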

Software vendors should take responsibility for their customers’ security outcomes by eliminating OS command injection vulnerabilities from their products. There are important areas of security that vendors should invest in to protect their customers and the public. This includes providing their developers with secure building blocks so that a single bug does not put millions of users’ data at risk. The cycle of vulnerability detection, mitigation, and patch deployment for classes of vulnerability that have been known for years is not a sustainable approach to security.

The alert acknowledges that effective mechanisms to prevent classes of vulnerabilities at scale are available and software vendors should implement them as early in the development cycle as possible. “Adopting standard best practices, such as the guidance listed above, can help vendors eliminate operating system command injection vulnerabilities at the source, rather than relying on customers to implement fixes. Vendors should also implement automated mechanisms to prevent their software from using insecure features,” it continues.

In addition, software vendor executives must take responsibility for their customers’ security, first by conducting regular testing and code reviews to determine how vulnerable their products are to these attacks. The Open Web Application Security Project (OWASP) and other organizations publish guidance on testing methodologies and the techniques available.

Manufacturers should be transparent about disclosing product vulnerabilities. To this end, manufacturers should track the vulnerabilities associated with their products and disclose them to their customers through the CVE program. Manufacturers should ensure that their CVE records are accurate and complete.

In addition to providing CVEs, it is important that vendors provide accurate CWE mapping so that the industry can track classes of software defects and customers can identify areas where a particular vendor’s development practices may need improvement. Many, but not all, OS command injection vulnerabilities are the result of CWE-78. Therefore, vendors should identify and document the root causes of OS command injection vulnerabilities and make it a business goal to work toward eliminating the entire class. Software vendors should also maintain a modern Vulnerability Disclosure Program (VDP).

Technology manufacturing leaders should pay the same attention to the security of their products as they do to costs. They should recognize that customers, the nation’s economy, and national security currently bear the brunt of business decisions not to build security into products, and realize that fully implementing Secure by Design software development can reduce financial and productivity costs and complexity. They must also make the appropriate investments and develop incentive structures that make security a stated business goal. They must implement programs to eradicate entire classes of vulnerabilities rather than addressing them case by case. And they must establish organizational structures that prioritize proactive measures, such as adopting standard best practices to eliminate OS command injection vulnerabilities at the source.

In addition, these manufacturers must ensure that their organization conducts reviews to identify common and well-known vulnerability classes such as OS command injection, determine whether their products are exposed to them, and put the effective, documented mitigations in place. Organizations should conduct these reviews continuously, since vulnerability classes can change or evolve over time. Executives should request regular updates on the organization’s progress in identifying recurring vulnerability classes, its progress in remediating them, and the resources required to make further progress.

CISA and FBI are urging CEOs and other business leaders of technology manufacturers to ask their engineering leaders to analyze past occurrences of this class of bug and develop a plan to eliminate them in the future. To further prevent these vulnerabilities, engineering leaders should ensure that software uses features that generate commands in a way that preserves the intended syntax of the command and its arguments. They must also review their threat models, use modern component libraries, conduct code reviews, and perform adversarial product testing to ensure the quality and security of their code throughout the development lifecycle.

In May, CISA and FBI issued a “Secure by Design” alert in response to recent hacker campaigns that exploited directory traversal vulnerabilities in software such as CVE-2024-1708 and CVE-2024-20345. These vulnerabilities were used to compromise software users, impacting critical infrastructure sectors such as healthcare and public health. Back in March, the agencies issued a joint “Secure by Design” alert in response to a recent exploit of SQL injection (SQLi) defects in a managed file transfer application that affected thousands of organizations.