CISA, FBI release secure by design alert to urge manufacturers to eliminate SQL injection vulnerabilities


U.S. security agencies published Monday a joint Secure by Design (SbD) alert in response to recent exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations. The alert also highlights the prevalence of this class of vulnerability. Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk.

Titled ‘Eliminating SQL Injection Vulnerabilities in Software,’ the alert from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) highlights the dissemination of known CL0P ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations as of June 2023. The attackers exploited SQL injection defects in a managed file transfer application to target and compromise users, impacting thousands of organizations.

CISA and the FBI urge senior executives at technology manufacturers to mount a formal review of their code to determine its susceptibility to SQL injection compromises and encourage technology customers to ask their vendors whether they have conducted such a review. “If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products. Building security into products from the beginning can eliminate SQLi vulnerabilities,” it added.

SQL injection vulnerabilities typically involve the insertion of user-supplied input directly into an SQL command, allowing threat actors to execute arbitrary queries. These vulnerabilities are caused by software developers’ inattention to security best practices, resulting in the co-mingling of database queries and user-supplied data. The impact of SQL injection exploitation can be devastating as it challenges the confidentiality, integrity, and availability of a database and its information. 

Specifically, the alert added that SQL injection vulnerabilities can allow malicious cyber actors to steal sensitive information, tamper with, delete, or render information unavailable in a database. SQL injections succeed because software developers fail to treat user-supplied content as potentially malicious.

During the design and development of a software product, developers should use parameterized queries with prepared statements to separate SQL code from user-supplied data to prevent this class of vulnerability. This separation ensures the system treats user input as data and not executable code, thereby eliminating the risk of malicious user input being interpreted as an SQL statement. Software manufacturers should systematically eliminate SQLi vulnerabilities by enforcing the use of parameterized queries across their applications.

The alert also noted that while input sanitization may prevent some attacks, those techniques are brittle, difficult to enforce at scale, and frequently can be bypassed. “Parameterized queries, therefore, better embody a secure-by-design approach. CISA and the FBI recommend software manufacturers research the causes and widely known solutions to this predictable and commonly exploited vulnerability,” it added. 
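The contrast the alert draws, shown as an added example that is not part of the alert or the article: a lookup that co-mingles user input with the SQL text next to the same lookup as a prepared statement with a bound parameter. The table, rows and inputs are constructed here; the in-memory SQLite database stands in for any SQL backend.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the alert).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The defect the alert describes: user input is spliced into the statement
    # text, so the database parses the input as SQL rather than as a value.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    # The recommended fix: the statement is fixed at development time and the
    # input travels separately as a bound parameter, so it can only ever be data.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    conn = make_db()
    benign = "bob"
    # Textbook input that reads as SQL when concatenated (constructed for the demo).
    untrusted = "' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_untrusted": lookup_vulnerable(conn, untrusted),
        "param_benign": lookup_parameterized(conn, benign),
        # No user is literally named "' OR '1'='1", so the bound query returns nothing.
        "param_untrusted": lookup_parameterized(conn, untrusted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated version returns every row for the untrusted input while the parameterized version returns none, which is the data-versus-code separation the alert asks manufacturers to enforce by default.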

The alert laid down three principles, including taking ownership of customer security outcomes; embracing radical transparency and accountability; and building organizational structure and leadership to achieve these goals. 

Manufacturers must prioritize customer security by investing in key areas to safeguard their customers and the public. This includes providing secure building blocks for software developers to prevent a single error from compromising data for millions of users. 

Additionally, they should standardize the use of prepared statements with parameterized queries in software development, enforced through development libraries that prioritize secure practices and checks during pull requests. By defaulting to parameterized queries, manufacturers and developers can eliminate a significant threat and enhance product security.

The alert also called for manufacturers to lead with transparency when disclosing product vulnerabilities. To that end, manufacturers should track the classes of vulnerability associated with their software and disclose them to their customers via the CVE program.

Additionally, manufacturers should ensure that their CVE records are correct and complete. It is especially important that manufacturers supply an accurate CWE so the industry can track classes of software defects, not just individual CVEs, and customers can understand areas where a given vendor’s development practices may require improvement. They should also identify and document the root causes of those vulnerabilities and declare it a business goal to work toward eliminating entire classes of vulnerability.

Lastly, the alert said that as software and hardware manufacturing executives care about cost, features, and customer experience, they should also prioritize the security of their products. Leaders must consider the full picture – customers, the economy, and national security are currently bearing the brunt of business decisions to not build security into their products. 

Moreover, directing the business toward secure-by-design software development often reduces financial and productivity costs as well as complexity. Leaders should make the appropriate investments and develop the right incentive structures that promote security as a stated business goal.

The document also noted that leaders should highlight the importance of rooting out entire classes of vulnerabilities rather than addressing them on a case-by-case basis. Additionally, leaders should establish organizational structures that prioritize proactive measures, such as adopting secure coding practices like parameterized queries, to create enduring security and reduce reliance on reactive responses. 

Senior executives should also ensure their organization conducts reviews to detect common and well-known vulnerabilities, like SQL injection, to determine their susceptibility, and implement the existing effective and documented mitigations. These reviews should be continually conducted to root out classes of vulnerability, as some vulnerabilities may change or develop over time.

In December, the CISA released guidance as part of the CISA Secure by Design (SbD) Alert series on the elimination of default passwords to protect customers. The SbD Alert advises technology manufacturers to mitigate the risk of default password exploitation by adopting principles one and three outlined in the joint guidance, ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.’ These principles emphasize taking responsibility for customer security outcomes and establishing organizational structures and leadership to drive these objectives.
