The Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the Federal Bureau of Investigations (FBI) has jointly issued a Secure by Design Alert in response to threat actor campaigns that exploit operating system (OS) command injection defects in network edge devices.

The alert notes these vulnerabilities, which allow unauthenticated malicious actors to remotely execute code on network edge devices, are preventable. The providers of network edge devices should not be designing and developing software that trusts user input without proper validation or sanitization, the alert advises.

OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command. Manufacturers of network edge devices should only use built-in library functions that separate commands from their arguments instead of constructing raw strings that are fed into a general-purpose system command.

They should also limit the parts of commands constructed by user input to only what is necessary and use input parameterization to keep data separate from commands to ensure user-supplied input is validated and sanitized.

CISA and FBI are specifically urging CEOs and other business leaders of suppliers of IT platforms to request their technical leaders in compliance with a set of Secure by Design principles defined by CISA and other cybersecurity agencies to analyze past occurrences of this class of defect and develop a plan to eliminate them in the future. At its core, the Secure by Design principles and the authoring organizations urge manufacturers to take a holistic approach to security that requires a strategic investment of dedicated resources at each layer of the product design and development process rather than bolting capabilities on later.

Mitch Ashley, a technology practice adviser for application security for The Futurum Group, said the alert is a call to ensure best DevSecOp practices are followed when building software. Given the ease at which software can be exploited, every development team and business leader should be pledging to follow Secure by Design principles, he added.

It’s not clear to what degree government agencies are committed to replacing platforms that don’t comply with the Secure by Design principles, but cybersecurity professionals should create their own inventory of platforms that don’t comply. That list should then be shared with business and IT leaders to better prioritize future upgrades to either existing platforms or justify a decision to replace that platform with one that is inherently more secure.

Cybersecurity teams should also assume that cybercriminals are closely following CISA alerts. Many of them are already scanning for opportunities to exploit operating system command injection vulnerabilities at a time when many organizations lack the resources required to successfully defend what has become an overly extended attack surface.

In the meantime, a conversation with the teams that manage platforms running these operating systems at the network edge is clearly warranted. Many of them are managed by operations technology (OT) teams that often have little in the way of formal cybersecurity training. As always, however, it will inevitably be the cybersecurity team that will be held accountable for any breach that occurs regardless of who might actually be at fault.