OS command injection vulnerabilities are a preventable class of software weakness. Manufacturers can eliminate them by taking a secure-by-design approach. Despite this, these vulnerabilities still appear in shipped products, allowing adversaries to exploit them for harm.
CISA and FBI are releasing this Alert because of recent well-known attacks that took advantage of OS command injection flaws in network devices (CVE-2024-20399, CVE-2024-3400, CVE-2024-21887). These vulnerabilities allowed attackers to remotely execute code on the devices.
OS command injection vulnerabilities occur when manufacturers do not correctly validate and sanitize user input when creating commands to run on the operating system. Creating software that blindly trusts user input without proper validation or sanitization can enable attackers to execute harmful commands, endangering customers.
CISA and FBI want CEOs and business leaders at technology companies to ask their technical teams to analyze past issues and make a plan to prevent them in the future.
To further prevent these vulnerabilities, technical leaders should:
Ensure software uses functions that generate commands in safer ways by preserving the intended syntax of the command and its arguments
Review their threat models
Use modern component libraries
Conduct code reviews
Implement aggressive adversarial product testing to ensure the quality and security of their code throughout the development lifecycle.
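The first recommendation above, generating commands in a way that preserves the intended syntax of the command and its arguments, is shown below as an added example that is not part of the alert or the article. It contrasts a vulnerable string-built shell command with a hardened argv-based version, using constructed sample inputs; the `ping` wrapper and the hostname allowlist are assumptions for illustration.

```python
import re
import shlex
import subprocess

# Constructed sample inputs (not taken from the alert).
BENIGN_HOST = "example.com"
HOSTILE_HOST = "example.com; id"   # a shell separator followed by a second command

# Allowlist for the one argument we accept: hostname or IPv4 literal characters only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input spliced into a shell command string.

    If this string reaches a shell (subprocess.run(..., shell=True), os.system,
    popen), metacharacters in `host` such as ';' or '|' change the command
    structure instead of staying inside the argument."""
    return f"ping -c 1 {host}"


def build_ping_safe(host: str) -> list[str]:
    """Hardened pattern: validate against an allowlist, then build an argv list.

    The OS receives each element as one argument and no shell parses it, so the
    intended syntax (one command, one host argument) is preserved."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def shell_commands_in(cmd: str) -> int:
    """Count how many separate commands a POSIX shell would see in `cmd`.

    shlex with punctuation_chars=True emits ';', '|', '&', '&&', '||' as their
    own tokens, mirroring how a shell splits a command line."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (shell=False is the default)."""
    return subprocess.run(build_ping_safe(host), capture_output=True, text=True)


if __name__ == "__main__":
    print(shell_commands_in(build_ping_unsafe(BENIGN_HOST)))   # 1
    print(shell_commands_in(build_ping_unsafe(HOSTILE_HOST)))  # 2: 'id' would also run
    try:
        build_ping_safe(HOSTILE_HOST)
    except ValueError as exc:
        print(exc)                                             # input rejected before any call
```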
To read the full report click here.