​CISA and the FBI urged software companies on Wednesday to review their products and eliminate path OS command injection vulnerabilities before shipping.

The advisory was released in response to recent attacks that exploited multiple OS command injection security flaws (CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887) to compromise Cisco, Palo Alto, and Ivanti network edge devices.

Velvet Ant, the Chinese state-sponsored threat actor that coordinated these attacks, deployed custom malware to gain persistence on hacked devices as part of a cyber espionage campaign.

“OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS,” today’s joint advisory explains.

“Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk.”

CISA advises developers to implement well-known mitigations to prevent OS command injection vulnerabilities at scale while designing and developing software products:

• Use built-in library functions that separate commands from their arguments whenever possible instead of constructing raw strings fed into a general-purpose system command.
• Use input parameterization to keep data separate from commands; validate and sanitize all user-supplied input.
• Limit the parts of commands constructed by user input to only what is necessary.

Tech leaders should be actively involved in the software development process. They can do this by ensuring that the software uses functions that generate commands safely while preserving the command’s intended syntax and arguments.

Additionally, they should review threat models, use modern component libraries, conduct code reviews, and implement rigorous product testing to ensure the quality and security of their code throughout the development lifecycle.

“OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command. Despite this finding, OS command injection vulnerabilities—many of which result from CWE-78—are still a prevalent class of vulnerability,” CISA and the FBI added.

“CISA and FBI urge CEOs and other business leaders at technology manufacturers to request their technical leaders to analyze past occurrences of this class of defect and develop a plan to eliminate them in the future.”

OS command injection security bugs took the fifth spot in MITRE’s top 25 most dangerous software weaknesses, surpassed only by out-of-bounds write, cross-site scripting, SQL injection, and use-after-free flaws.

In May and March, two other “Secure by Design” alerts urged tech executives and software developers to weed out path traversal and SQL injection (SQLi) security vulnerabilities.