CISA Urges Software Makers to Eliminate OS Command Injection Flaws

The US government has urged software manufacturers to work towards the elimination of operating system (OS) command injection vulnerabilities.

The alert from the Cybersecurity and Infrastructure Security Agency (CISA) and FBI was issued in response to several high-profile threat actor campaigns in 2024 that exploited OS command injection defects in network edge devices to compromise users.

These vulnerabilities allowed unauthenticated malicious actors to remotely execute code on network edge devices:

  • Chinese state hackers exploited a vulnerability, CVE-2024-20399, to compromise Cisco Nexus switches
  • A critical zero day vulnerability in Palo Alto Networks’ PAN-OS software, CVE-2024-3400, that is being exploited in the wild
  • The zero day vulnerability, CVE-2024-21887, in Ivanti products that was exploited by multiple threat actors globally

The agencies said OS command injection vulnerabilities are “entirely preventable,” arising because of software manufacturers failing to properly validate and sanitize user input when constructing commands to execute on the underlying OS.

“Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk,” the alert stated.

Building a Roadmap for Elimination

The CISA and FBI have urged technology manufacturers to analyze past instances of OS command injection vulnerabilities and develop a plan to eliminate them in the future.

They emphasized that security should be built in from the design phase of software and continue through development, release and updates. This class of vulnerabilities are prevented by clearly separating user input from the contents of a command, the agencies noted.

Actions to focus on include:

  • Use built-in library functions that separate commands from their arguments instead of constructing raw strings that are fed into a general-purpose system command
  • Use input parameterization to keep data separate from commands; validate and sanitize all user-supplied input
  • Limit the parts of commands constructed by user input to only what is necessary

Adopting Security by Design Principles

The new advisory is part of the US government’s focus on promoting software security by design, putting a greater cybersecurity burden on manufacturers. This ambition was set out in the US National Cybersecurity Strategy, published in March 2023.

CISA launched its Secure by Design initiative in line with the strategy, and over 150 manufacturers have signed the Secure by Design pledge, committing them to publicly provide updates on their progress on fulfilling the pledge goals. These include enhancing transparency around the disclosure of product vulnerabilities and reducing entire classes of vulnerabilities.

Speaking to Infosecurity, Jack Cable, Senior Technical Advisor at CISA, said the Secure by Design initiative aims to shift the burden of cybersecurity from those least capable, the end users, to those most able to bear it.

“The focus of our Secure by Design initiative is the technology manufacturers who make the products that underpin pretty much all the digital systems we use and our critical infrastructure. We’re incredibly reliant on these systems but what we’ve seen time and again is that there are relatively basic preventable classes of vulnerabilities in these products that lead to harm,” he explained.

Cable added: “The goal of our Secure by Design initiative is to work with technology manufacturers to help them build products that are secure from the start and are resilient to these common classes of vulnerabilities.”

Before software manufacturers look to develop a roadmap for eventual vulnerability elimination Cable advised them to first undertake an assessment to understand what the most pressing and addressable classes of vulnerabilities are in their products.

Only then can the elimination of preventable classes of vulnerabilities, such as memory safety and OS command injection flaws, be achieved.

“Think in a prioritised manner how you’re going to reduce this class of vulnerability across your product,” he commented.

In February 2024, the White House called on the tech industry to adopt memory safe programming languages, eliminating the majority memory safety vulnerabilities.