CISA and the FBI on Wednesday issued a joint alert on exploitation of OS command injection vulnerabilities in network edge devices.
The alert was published in response to recent intrusions exploiting CVE-2024-20399 (Cisco NX-OS), CVE-2024-3400 (Palo Alto Networks PAN-OS), and CVE-2024-21887 (Ivanti Connect Secure). In it, CISA and the FBI urge business leaders and device manufacturers to eliminate OS command injection vulnerabilities at the source.
“OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS. Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk,” the joint alert reads.
To prevent this class of vulnerability, organizations are advised to adopt a secure-by-design approach throughout the product lifecycle, which reduces the burden on customers and the risk to the public, CISA and the FBI say.
Technical leaders, the two agencies say, should ensure that software functions generate commands in safer ways, review their threat models, conduct code reviews, employ modern component libraries, and implement aggressive adversarial product testing.
Software manufacturers are advised to “use built-in library functions that separate commands from their arguments” rather than assembling a shell command string, to validate and sanitize user input, to keep data separate from commands, and to limit user input in commands to only what is necessary.
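The following is an added example, not code from the alert or from any of the affected vendors, showing the pattern the agencies describe: a shell-string build that is injectable, the same call made with an argument list so that metacharacters are inert, and an allowlist check that limits the value to what a hostname field actually needs. The function names, the hostname regex and the sample input are assumptions made for the demonstration; `echo` stands in for a real tool such as `ping` so the code runs harmlessly and offline.

```python
import re
import shlex
import subprocess

# Constructed sample input: what an attacker might submit to a "host to ping" form field.
MALICIOUS_HOST = "example.com; echo INJECTED"
BENIGN_HOST = "example.com"

# Allowlist for a DNS hostname: labels of letters, digits and hyphens, 253 chars max.
# (Assumed policy for this example; tighten or replace to match the field's real purpose.)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted data is pasted into a command line that a shell parses.
    With shell=True, ';' ends the intended command and starts an attacker-chosen one."""
    cmd = f"echo pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_args_only(host: str) -> str:
    """Command and arguments kept separate: no shell is involved, so shell metacharacters
    in `host` are passed through as a literal argument instead of being interpreted."""
    argv = ["echo", "pinging", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_quoted(host: str) -> str:
    """Last resort when a shell really is required: escape the value for the shell.
    Weaker than the argument-list form because one missed call site reopens the hole."""
    cmd = f"echo pinging {shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_hostname(host: str) -> str:
    """Limit the input to what the command actually needs. This also stops values that
    are not shell metacharacters but still dangerous to the called tool (e.g. a leading
    '-' that the tool would parse as an option)."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def run_safe(host: str) -> str:
    """The combination the alert recommends: validate, then keep data separate from the command."""
    return run_args_only(validate_hostname(host))


def safe_rejects(host: str) -> bool:
    """True when run_safe refuses the value at validation time."""
    try:
        run_safe(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe   :", repr(run_unsafe(MALICIOUS_HOST)))     # second line 'INJECTED' appears
    print("args-only:", repr(run_args_only(MALICIOUS_HOST)))  # payload echoed as literal text
    print("quoted   :", repr(run_quoted(MALICIOUS_HOST)))     # same, via shell escaping
    print("safe     :", repr(run_safe(BENIGN_HOST)))
    print("rejects  :", safe_rejects(MALICIOUS_HOST))
```

The argument-list form alone removes the shell from the picture, but it does not make the value safe for the program being invoked; a hostname beginning with `-` may still be read as an option by the tool, which is why the validation step stays in place even though no shell is involved. Where the tool supports it, placing `--` before user-supplied arguments closes that gap as well.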
In addition to eliminating OS command injection flaws as a way of taking ownership of customers’ security outcomes, the agencies urge manufacturers to be transparent when disclosing security defects in their products, to give product security the same importance as cost, to make the investments needed to promote security, to prioritize proactive measures, and to ensure that their organizations conduct reviews to identify common classes of vulnerability.
“To demonstrate their commitment to building their products to be secure by design, software manufacturers should take the Secure by Design Pledge. The pledge lays out seven key goals that the signers commit to demonstrating measurable progress towards, including reducing systemic classes of vulnerability like OS command injection,” the two agencies note.