
CISA, FBI Warn of OS Command-Injection Vulnerabilities

Agencies say flaws are preventable and can be addressed with secure-by-design principles.

Dark Reading Staff, Dark Reading

July 12, 2024


The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a critical alert urging software developers to focus on removing weaknesses that allow unauthorized users to run harmful commands on operating systems (OSes).

The "Secure by Design Alert" notes that despite being preventable, OS command-injection vulnerabilities continue to surface. Recent high-profile campaigns have exploited OS command-injection defects in network edge devices. Most recently, Cisco patched a command-line injection flaw in its NX-OS software. The bug, CVE-2024-20399, allows authenticated attackers to execute arbitrary commands and has already been exploited by China-backed threat group Velvet Ant.

OS command-injection vulnerabilities occur when software fails to properly validate and sanitize user inputs. This can lead to system takeovers, unauthorized execution of code, and data leaks. CISA and the FBI are urging technology manufacturers to adopt a secure-by-design approach to eliminate these types of vulnerabilities at the source.

In the alert, CISA and the FBI call on business leaders to prioritize the security of their products by integrating OPSEC principles into their development processes. They recommend several measures, including using safer command-generation functions, reviewing threat models, using modern component libraries, conducting thorough code reviews, and implementing aggressive adversarial product testing throughout the development life cycle.
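The two development practices the alert leans on, allow-list input validation and "safer command-generation functions" that never hand user input to a shell, side by side in an added example (this code is not from the alert, Cisco, or Dark Reading; the hostnames and the `ping` wrapper are constructed for the demo):

```python
import re
import shlex
import subprocess

# Constructed sample inputs: a benign hostname and one carrying a shell separator.
BENIGN_HOST = "example.com"
HOSTILE_HOST = "example.com; id"

# Allow-list grammar for RFC 1123 hostnames: letters, digits, hyphens and dots only,
# so every shell metacharacter is rejected before a command is ever built.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(host: str) -> str:
    """The anti-pattern: untrusted input spliced into a string meant for a shell.
    Only the string is built here; nothing in this example executes it."""
    return "ping -c 1 " + host


def build_command_safe(host: str) -> list[str]:
    """Validate against the allow-list, then return an argv list. Passed to
    subprocess without shell=True, the list reaches execve() with the hostname
    as a single inert argument, so separators like ';' cannot start a command."""
    if not _HOST_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> subprocess.CompletedProcess:
    # shell=False is the default; the argv list is never re-parsed by a shell.
    return subprocess.run(build_command_safe(host), capture_output=True, text=True, check=False)


def shell_view(command: str) -> list[list[str]]:
    """Show how a POSIX shell would split the unsafe string: tokens are grouped
    into separate commands at ';', '|', '&', '&&' and '||'."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    segments: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok in {";", "|", "&", "&&", "||"}:
            segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments
```

`shell_view(build_command_unsafe(HOSTILE_HOST))` yields two commands where the developer intended one; `build_command_safe(HOSTILE_HOST)` raises before any command exists.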
