In a bid to enhance cybersecurity, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have called on software developers to eliminate command injection vulnerabilities from their products. According to these agencies, command injection is a preventable class of vulnerabilities, yet it continues to be exploited in the wild, posing significant risks to consumers.
Command injection vulnerabilities occur when software fails to validate and sanitize user input properly before using it to build a command for the underlying operating system. Because the input becomes part of the command, a malicious actor can add to or alter that command and have the system run it. “Designing and developing software that relies on user input without proper validation and sanitization allows attackers to execute malicious commands, putting consumers at risk,” the agencies stated.
The FBI and CISA’s plea comes in response to the recent exploitation of command injection vulnerabilities in networking equipment from companies like Cisco, Palo Alto Networks, and Ivanti. The agencies emphasized the need for a “secure by design” approach to software development, which would integrate security measures from the beginning of the software development lifecycle.
To this end, the agencies encourage software vendors to adopt comprehensive strategies to eliminate command injection vulnerabilities. These strategies include using modern libraries, conducting thorough code reviews, reviewing threat models, and rigorously testing the quality and security of their code.
The alert also mentions the “Secure by Design Pledge,” urging software and technology companies to commit to developing secure products. The pledge outlines seven goals for vendors to achieve within a year, such as increasing the use of multi-factor authentication (MFA) and reducing the use of default passwords.
Previously, CISA and the FBI had called for an end to SQL injection and path traversal vulnerabilities. The Secure by Design initiative is part of a broader effort to promote industry-wide best practices that can eliminate these common and dangerous classes of vulnerabilities during product design and development. “Through the Secure by Design initiative, we aim to drive a culture change within the industry by normalizing the development of products that are safe to use out of the box,” the agencies said.
The latest Secure by Design Alert, released on July 10, 2024, focuses on eliminating OS command injection vulnerabilities. This alert responds to recent threat campaigns that exploited such vulnerabilities (CVE-2024-20399, CVE-2024-3400, CVE-2024-21887) to remotely execute code on network edge devices. These vulnerabilities were exploited by unauthenticated malicious actors, causing significant security breaches.
The agencies emphasize that OS command injection vulnerabilities have long been preventable. The root cause is often the improper validation and sanitization of user input when constructing commands to execute on the underlying OS. Despite being a well-understood issue, these vulnerabilities persist, largely due to a lack of adherence to secure coding practices.
CISA and the FBI urge business leaders in technology manufacturing to analyze past occurrences of command injection defects and develop plans to eliminate them. Technical leaders are encouraged to use safer functions to generate commands, review their threat models, use modern component libraries, conduct thorough code reviews, and implement aggressive adversarial product testing throughout the development lifecycle.
One practical example highlighted by the agencies involves using built-in library functions that separate commands from their arguments, rather than constructing raw strings fed into general-purpose system commands. For instance, in Python, developers should use the os.mkdir() function to create a directory instead of building a “mkdir” command string and handing it to the shell. Because the library call takes the directory name as data rather than as part of a command line, there is no shell to interpret special characters in the input, and the injection opportunity disappears.
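The following is an added illustration of that guidance, not code from the alert or from any of the vendors named in the article. It places the pattern the agencies warn against (a raw command string built from user input) beside two argument-separating alternatives: os.mkdir(), which the alert itself cites, and a subprocess.run() call that passes the value as a single argv element with no shell involved. The directory name HOSTILE_NAME is a constructed sample containing shell metacharacters; everything runs inside a temporary directory.

```python
import os
import subprocess
import sys
import tempfile

# Constructed sample input: a directory name carrying shell metacharacters.
# Spliced into a shell command string, the text after ';' would be run as a
# second command; passed to an argument-separating API it is just an unusual
# (but harmless) file name.
HOSTILE_NAME = "reports; echo injected"


def unsafe_mkdir_command(name: str) -> str:
    """The pattern the alert warns against: a raw string meant for a shell.

    The string is returned rather than executed so the problem can be shown
    without running it. Handing this to a general-purpose command runner is
    the bug; the input is never separated from the command.
    """
    return "mkdir " + name


def safe_mkdir(base: str, name: str) -> str:
    """Create base/name with the built-in library function.

    os.mkdir() receives the name as data, so no shell ever parses it. Input
    validation is still applied: the name must be a single path component,
    which keeps a caller from escaping 'base' with separators or '..'.
    """
    if not name or name in (".", "..") or os.sep in name:
        raise ValueError(f"invalid directory name: {name!r}")
    if os.altsep and os.altsep in name:
        raise ValueError(f"invalid directory name: {name!r}")
    target = os.path.join(base, name)
    os.mkdir(target)
    return target


def argv_as_seen_by_child(arg: str) -> str:
    """Pass 'arg' as one argv element (shell=False) and echo it back.

    A child Python interpreter is used instead of an OS utility so the
    demonstration does not depend on which shell tools are installed. The
    child prints sys.argv[1] verbatim, showing that metacharacters are not
    interpreted anywhere on the way.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


def demo(name: str = HOSTILE_NAME) -> dict:
    """Run the safe variants against the hostile name inside a temp directory."""
    with tempfile.TemporaryDirectory() as base:
        created = safe_mkdir(base, name)
        entries = sorted(os.listdir(base))
        is_dir = os.path.isdir(created)
    return {
        "unsafe_string": unsafe_mkdir_command(name),
        "entries": entries,          # one directory, literally named
        "created_is_dir": is_dir,
        "child_argv": argv_as_seen_by_child(name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script shows that the only thing the hostile name can do under os.mkdir() or an argv list is exist as an oddly named directory or argument; the “echo injected” fragment is never executed. The validation in safe_mkdir() is the part developers most often skip: the library call removes the command-injection risk, but a name such as “../etc” still needs rejecting on its own merits.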
The Secure by Design principles advocate for manufacturers to take ownership of their customers’ security outcomes, embrace radical transparency and accountability, and build organizational structures to achieve these goals. This includes regularly testing and reviewing code to identify and eliminate common vulnerabilities like OS command injection.
Ultimately, the call from the FBI and CISA is a clear reminder that security needs to be a fundamental part of the software development process. By adopting secure by design principles, software developers can protect consumers and contribute to a safer digital environment. As the agencies succinctly put it, “The cycle of vulnerability detection, mitigation, and patch deployment for vulnerabilities that have been understood for years is not a lasting approach to security.”
For more information and to join the Secure by Design Pledge, visit the CISA website.