
CISA warning points to vulnerabilities in the operating system

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly issued a “Secure by Design” alert in response to campaigns by threat actors exploiting operating system (OS) command injection flaws in network edge devices.

The alert notes that these vulnerabilities, which allow unauthenticated malicious actors to remotely execute code on network edge devices, are preventable. Network edge device vendors should not design and develop software that trusts user input without proper validation or sanitization, the alert advises.

Command injection vulnerabilities in operating systems have long been preventable by clearly separating user input from the content of a command. Manufacturers of network edge devices should only use built-in library functions that separate commands from their arguments, rather than constructing raw strings that are fed into a common system command.

Manufacturers should also limit the parts of commands constructed from user input to what is absolutely necessary, and use input parameterization to keep data separate from commands, ensuring that user input is validated and sanitized.
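The separation the alert describes, as an added example (not code from the alert or from this article): a shell-string call beside an argument-list call with allowlist validation, using Python's `subprocess`. It assumes a POSIX system; `echo` stands in for a device diagnostic tool, and the function names and the crafted input are constructed for illustration.

```python
import ipaddress
import subprocess

# Assumption: "echo" stands in for a diagnostic binary (e.g. ping) so this runs offline.
TOOL = "echo"

# Constructed input: a value a web form might submit as the "host" field.
CRAFTED = "192.0.2.10; echo EXTRA-COMMAND-RAN"


def run_unsafe(host: str) -> list[str]:
    """Anti-pattern: input is concatenated into a raw string that a shell parses."""
    out = subprocess.run(f"{TOOL} probe {host}", shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def run_separated(host: str) -> list[str]:
    """Command and arguments are a list; no shell ever interprets the input."""
    out = subprocess.run([TOOL, "probe", host],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def validate_host(host: str) -> str:
    """Allowlist: accept only a literal IPv4/IPv6 address.

    Still needed with an argument list, because a value such as "-f" would
    otherwise reach the tool as an option instead of as data.
    """
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        raise ValueError(f"rejected host value: {host!r}") from None


def run_hardened(host: str) -> list[str]:
    """Validate first, then pass the value as a single separated argument."""
    return run_separated(validate_host(host))


if __name__ == "__main__":
    print("shell string :", run_unsafe(CRAFTED))     # two commands ran
    print("argument list:", run_separated(CRAFTED))  # one command, input is data
    try:
        run_hardened(CRAFTED)
    except ValueError as exc:
        print("hardened     :", exc)
```

With the shell string, the crafted value produces two lines of output because the shell ran a second command; with the argument list, the same value arrives as one literal argument, and the validated path rejects it before any process starts.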

In particular, CISA and the FBI are urging CEOs and other business leaders of IT platform vendors to require their technical leaders to adhere to a set of “Secure by Design” principles defined by CISA and other cybersecurity agencies, to analyze past incidents involving these types of deficiencies, and to develop a plan to eliminate them in the future. At their core, the “Secure by Design” principles call on manufacturers to take a holistic approach to security, which requires a strategic investment of dedicated resources at every level of the product design and development process, rather than adding capabilities later.

Mitch Ashley, an application security technology consultant at Futurum Group, said the warning was a call to ensure that best DevSecOps practices are followed when developing software. Given the ease with which software can be exploited, every development team and business leader should commit to adhering to the principles of Secure by Design, he added.

It is not clear to what extent government agencies are willing to replace platforms that do not adhere to Secure by Design principles, but cybersecurity professionals should create their own inventory of platforms that do not meet them. This list should then be shared with business and IT leaders to better prioritize future upgrades of existing platforms or to justify the decision to replace that platform with one that is inherently more secure.

Cybersecurity teams should also assume that cybercriminals are closely monitoring CISA alerts, with many already looking for ways to exploit operating system command injection vulnerabilities, while many organizations lack the resources necessary to successfully defend against what has become an excessively large attack surface.

In the meantime, a conversation with the teams managing platforms running these operating systems at the edge is clearly in order. Many of these platforms are managed by operational technology (OT) teams who often have little formal cybersecurity training. As always, however, the cybersecurity team will inevitably be held accountable for any breach, regardless of who might actually be at fault.
