Article Details
Scrape Timestamp (UTC): 2024-07-10 18:04:38.250
Original Article Text
Click to Toggle View
CISA urges devs to weed out OS command injection vulnerabilities. CISA and the FBI urged software companies on Wednesday to review their products and eliminate path OS command injection vulnerabilities before shipping. The advisory was released in response to recent attacks that exploited multiple OS command injection security flaws (CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887) to compromise Cisco, Palo Alto, and Ivanti network edge devices. Velvet Ant, the Chinese state-sponsored threat actor that coordinated these attacks, deployed custom malware to gain persistence on hacked devices as part of a cyber espionage campaign. "OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS," today's joint advisory explains. "Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk." CISA advises developers to implement well-known mitigations to prevent OS command injection vulnerabilities at scale while designing and developing software products: Tech leaders should be actively involved in the software development process. They can do this by ensuring that the software uses functions that generate commands safely while preserving the command's intended syntax and arguments. Additionally, they should review threat models, use modern component libraries, conduct code reviews, and implement rigorous product testing to ensure the quality and security of their code throughout the development lifecycle. "OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command. Despite this finding, OS command injection vulnerabilities—many of which result from CWE-78—are still a prevalent class of vulnerability," CISA and the FBI added. "CISA and FBI urge CEOs and other business leaders at technology manufacturers to request their technical leaders to analyze past occurrences of this class of defect and develop a plan to eliminate them in the future." OS command injection security bugs took the fifth spot in MITRE's top 25 most dangerous software weaknesses, surpassed only by out-of-bounds write, cross-site scripting, SQL injection, and use-after-free flaws. In May and March, two other "Secure by Design" alerts urged tech executives and software developers to weed out path traversal and SQL injection (SQLi) security vulnerabilities.
Daily Brief Summary
CISA and the FBI issued a joint advisory urging software developers to address and mitigate OS command injection vulnerabilities in their products.
Recent attacks by the state-sponsored Chinese group Velvet Ant exploited these vulnerabilities to compromise network devices from Cisco, Palo Alto, and Ivanti.
The agencies highlighted that these vulnerabilities allow execution of malicious commands due to inadequate validation and sanitation of user inputs.
The advisory recommends practical steps for developers, including the use of secure coding practices and rigorous testing to ensure the security of software products.
Technical and executive leadership in tech companies are encouraged to be proactive in reviewing and improving the security measures in their development processes.
The vulnerabilities are ranked fifth in MITRE's top 25 most dangerous software weaknesses, illustrating the critical need for improved security practices in software development.
Past advisories have also addressed related security issues such as path traversal and SQL injection vulnerabilities as part of ongoing efforts to promote software security by design.