Secure by Design: CISA and FBI target OS command injection

Under the "Secure by Design" brand, CISA and the FBI publish a loose series of tips and advice that companies can use to create more secure software.


In the "Secure by Design" campaign, the US (IT) security authorities CISA and FBI point out common types of vulnerabilities in software and how to avoid them. Now the IT experts have taken a closer look at "OS command injection". If, for example, data handed to a program is insufficiently filtered, attackers can inject commands that are passed on to the operating system and executed there.

This type of vulnerability can be prevented by a "secure by design" approach, the authorities explain. Nevertheless, vulnerabilities continue to emerge that malicious actors abuse to cause mischief. The current publication reacts to recent attacks in which known cyber gangs exploited OS command injection vulnerabilities in edge devices to target and compromise users. As examples, the authors cite a vulnerability in Cisco's NX-OS that has been under attack since April, as well as similar vulnerabilities in PAN-OS, the operating system of Palo Alto firewalls, and in Ivanti Connect Secure and Policy Secure.

What these vulnerabilities have in common is that they allow attackers to execute code on network edge devices. "OS command injection vulnerabilities occur when manufacturers fail to adequately check and filter user input used in the composition of commands to the underlying operating system," the authors explain.

Software manufacturers should therefore ensure that the programs use more secure functions to create commands that consider the intended syntax of the command and its arguments. A cheat sheet from OWASP can help with this. In addition, developers should review the underlying threat model, use modern component libraries, perform code reviews and finally carry out aggressive product testing throughout the entire development process to ensure the quality and security of their code.

The IT experts provide even more specific advice on how to create more secure software. For example, developers should use built-in library functions that separate commands from arguments rather than building "raw strings" that are passed to a system command. They should also use input parameterization to keep data and commands apart, and validate and filter the input. In addition, the parts of the command that are assembled from user input should be limited to what is absolutely necessary. The guide closes with some illustrative code examples for Python.
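To make the three recommendations concrete (argument lists instead of raw strings, validated and parameterized input, and user control limited to the smallest necessary part of the command), here is an added Python example; it is not taken from the CISA/FBI guide or from this article. The `ping` wrapper, the hostname pattern and the function names are assumptions chosen for illustration.

```python
import re
import shlex
import subprocess

# Simplified, constructed hostname allowlist: letters, digits, dots and hyphens,
# must start and end with a letter or digit (so it can never look like an option).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def unsafe_shell_command(host: str) -> str:
    """The pattern the advisory warns against: the untrusted value is spliced into a
    raw string that a shell would later parse, so shell metacharacters inside it
    change the meaning of the command. Returned as text only, never executed here."""
    return f"ping -c 4 {host}"


def validate_hostname(host: str) -> str:
    """Allowlist validation: anything outside the expected syntax is rejected."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def build_ping_argv(host: str, count: int = 4) -> list[str]:
    """Parameterized command: each list element is exactly one argv entry.

    Only the host is user-controlled; the count is a bounded integer the caller
    supplies, and the program name and option names are fixed constants."""
    host = validate_hostname(host)
    if not (1 <= count <= 10):
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), host]


def run_ping(host: str, count: int = 4) -> subprocess.CompletedProcess:
    """Run without a shell: subprocess receives the list, so no shell parsing happens."""
    argv = build_ping_argv(host, count)
    return subprocess.run(argv, capture_output=True, text=True, timeout=30, check=False)


def shell_fallback(host: str, count: int = 4) -> str:
    """If a shell is unavoidable, quote every element after validating it.
    shlex.join() leaves safe tokens bare and quotes anything else."""
    return shlex.join(build_ping_argv(host, count))


if __name__ == "__main__":
    # Constructed sample input containing a shell metacharacter.
    sample = "example.com; id"
    print("raw string would become:", unsafe_shell_command(sample))
    try:
        build_ping_argv(sample)
    except ValueError as exc:
        print("argv builder rejected it:", exc)
    print("safe argv:", build_ping_argv("example.com", 2))
```

The important difference is structural: with `build_ping_argv` the operating system receives the hostname as a single argument whatever characters it contains, and the allowlist rejects it before that point anyway. The raw-string variant relies on the shell not finding anything interesting in the input, which is exactly the assumption the advisory says manufacturers keep getting wrong.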

Meanwhile, the FBI and CISA have already published five guides as part of the "Secure by Design" campaign. They cover topics such as protection against phishing, declaring war on default passwords in IT devices, and measures against SQL injection and directory traversal vulnerabilities. Around 60 companies have now pledged to become "Secure by Design".

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.