Dive Brief:
- The Cybersecurity and Infrastructure Security Agency and FBI advised software vendors to eliminate operating system command injection vulnerabilities from products before they ship. The agencies issued the advisory Wednesday as part of their secure-by-design alert series.
- Threat groups have exploited several OS command injection vulnerabilities in widely used network devices this year, including CVE-2024-20399 in Cisco products, CVE-2024-21887 in Ivanti remote access VPNs and CVE-2024-3400 in Palo Alto Networks firewalls.
- “OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS,” CISA and the FBI said in the advisory.
Dive Insight:
Federal authorities spotlighted the unresolved impact of OS command injection vulnerabilities to showcase another example of software vendors shipping products without proper controls. Internal development practices that undercut security are common in the technology industry, and CISA is trying to end them through its secure-by-design initiative.
“Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk,” CISA and the FBI said in the advisory.
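As an added illustration, not code from the advisory or from any vendor named here, the defect class the agencies describe in Python: the vulnerable shell-string construction beside the hardened form that validates the input against an allow-list and passes it as a single argv element with no shell involved. The `ping` wrapper, `HOST_RE`, and the helper names are assumptions chosen for the example.

```python
import re
import subprocess

# Allow-list for the only argument this tool accepts: a hostname or IPv4 literal.
# Rejecting everything else is the validation step the advisory calls for.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

# Characters a POSIX shell treats as syntax rather than data.
SHELL_METACHARS = set(";|&`$<>(){}\n\"'\\")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input spliced into a shell command string.

    Anything in `host` that the shell parses as syntax becomes part of the
    command line if this string is later run with shell=True.
    """
    return f"ping -c 1 {host}"


def build_command_safe(host: str) -> list[str]:
    """Hardened pattern: validate against an allow-list, then hand the value
    to the program as one argv element so no shell ever interprets it."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def looks_injected(value: str) -> bool:
    """Detection helper: True when a request parameter carries shell syntax,
    which is worth flagging in application logs even after the fix ships."""
    return any(ch in SHELL_METACHARS for ch in value)


def run_ping(host: str) -> int:
    """Execute the hardened command without a shell and return its exit code."""
    argv = build_command_safe(host)
    return subprocess.run(argv, shell=False, capture_output=True, timeout=10).returncode
```

`run_ping` is the only function that touches the network; the builders and the detector can be exercised offline.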
The agencies advised business leaders at technology manufacturers to analyze past occurrences of the class of defect and develop a plan to eliminate them in the future. CISA also encouraged software manufacturers to sign the secure-by-design pledge, which 162 companies have signed since the agency unveiled the voluntary measure in May.
CISA and its stakeholders were directly impacted by an exploited OS command injection vulnerability in Ivanti remote access VPNs, which the agency was using in January at the time of the attack.
Following an investigation into the intrusion, CISA said it found no evidence of data theft or lateral movement, but last month warned it can’t rule out that data was stolen from the agency’s Chemical Security Assessment Tool during the attack targeting the agency’s systems.
For years, CISA has urged the software industry to embrace the use of memory-safe programming languages and eliminate entire classes of vulnerabilities, including cross-site scripting, SQL injection, and directory traversal defects. Yet, unsafe software development practices persist.
The agency unveiled secure-by-design principles in April 2023 and consistently shares its vision for how manufacturers should incorporate security into their products and practices.
CISA's efforts to change long-ingrained software development practices and shift the burden of security responsibility from customers to vendors are vexed by the agency's non-regulatory status.