Yesterday, CISA and the FBI released a Secure by Design Alert, Eliminating OS Command Injection Vulnerabilities, in response to recent well-publicized threat actor campaigns that exploited OS command injection defects in network edge devices to target and compromise users. This was seen in CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887, which vulnerabilities allowed unauthenticated malicious actors to remotely execute code on network edge devices. See WaterISAC previous coverage of the recent vulnerabilities in network edge devices, as well as the Palo Alto Network Vulnerability, CVE-2024-3400.
OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS. Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk.
CISA and the FBI urge CEOs and other business leaders at technology manufacturers to request their technical leaders to analyze past occurrences of this class of defect and develop a plan to eliminate them in the future. For more information about secure by design principles, visit CISA’s Secure by Design webpage.