
CISA, FBI Urge Immediate Action on OS Command Injection Vulnerabilities in Network Devices

In response to recent intrusions, CISA and the FBI are urging businesses and device manufacturers to eliminate OS command injection vulnerabilities at the source.

CISA and the FBI on Wednesday issued a joint alert on exploitation of OS command injection vulnerabilities in network edge devices.

Published in response to recent intrusions exploiting CVE-2024-20399 (Cisco NX-OS), CVE-2024-3400 (Palo Alto Networks PAN-OS), and CVE-2024-21887 (Ivanti Connect Secure), the alert urges business leaders and device manufacturers to eliminate OS command injection vulnerabilities at the source.

“OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS. Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk,” the joint alert reads.

To prevent these types of vulnerabilities, organizations are advised to adopt a secure-by-design approach throughout the entire product lifecycle, reducing the burden on customers and the risk to the public, CISA and the FBI say.

Technical leaders, the two agencies say, should ensure that software functions generate commands in safer ways, review their threat models, conduct code reviews, employ modern component libraries, and implement aggressive adversarial product testing.

Software manufacturers are advised to “use built-in library functions that separate commands from their arguments”, to validate and sanitize user input, keep data separate from commands, and limit user input in commands to only what is necessary.
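The two construction styles the alert contrasts, as an added illustration that is not part of the alert or the article: a hypothetical "ping a host" diagnostic feature builds its command once by string concatenation (the vulnerable pattern) and once as a separate argument list behind an allow-list check (the recommended pattern). The feature, the hostname pattern and the sample input are constructed for this example.

```python
import re
import subprocess
from typing import List

# Constructed sample: what a user might type into a "ping host" diagnostic field.
CRAFTED_INPUT = "127.0.0.1; id"


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input is spliced into one shell string.
    A shell would parse ';' as a command separator, so the value above turns
    one intended command into two. Shown for comparison only, never executed."""
    return "ping -c 1 " + host


# Allow-list for a hostname or IPv4 literal: alphanumerics, '.', '-', bounded
# length, no leading/trailing '-' or '.'. Shell metacharacters cannot match.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def is_valid_host(host: str) -> bool:
    """Validate input against what the feature actually needs (a host name)."""
    return _HOST_RE.fullmatch(host) is not None


def build_ping_argv(host: str) -> List[str]:
    """Recommended pattern: the command and each argument are separate list
    elements, so the input can only ever be the single 'host' argument."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """shell=False (the default) hands the argv list straight to the OS exec
    call; no shell ever interprets the data, so keeping data separate from the
    command is enforced by the API rather than by escaping."""
    proc = subprocess.run(build_ping_argv(host), shell=False, check=False,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


if __name__ == "__main__":
    print("unsafe string:", build_ping_command_unsafe(CRAFTED_INPUT))
    print("validated?   ", is_valid_host(CRAFTED_INPUT))
    print("safe argv:   ", build_ping_argv("router1.example.net"))
```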

In addition to eliminating OS command injection flaws and taking ownership of their customers’ security outcomes, manufacturers are urged to be transparent when disclosing security defects in their products, to give product security the same importance as cost, to make the investments needed to promote security, to prioritize proactive measures, and to ensure that their organizations conduct reviews to identify common vulnerabilities.

“To demonstrate their commitment to building their products to be secure by design, software manufacturers should take the Secure by Design Pledge. The pledge lays out seven key goals that the signers commit to demonstrating measurable progress towards, including reducing systemic classes of vulnerability like OS command injection,” the two agencies note.


Related: US, Allies Publish Guidance on Securing Network Access

Related: US Government Releases Guidance on Securing Election Infrastructure

Related: Microsoft Shares Guidance and Resources for AI Red Teams

Related: New CISA Tool ‘Decider’ Maps Attacker Behavior to ATT&CK Framework

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
