11 July 2024

CISA and FBI urging developers to get rid of OS command injection bugs

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert urging software companies to review and eliminate OS command injection vulnerabilities in their products before shipping.

The call comes in response to recent cyberattacks that exploited multiple security flaws (CVE-2024-20399, CVE-2024-3400, and CVE-2024-21887), targeting network edge devices from Cisco, Palo Alto Networks, and Ivanti.

CVE-2024-20399 is an OS command injection issue in the Cisco NX-OS CLI that allows an authenticated, local attacker holding administrator credentials to execute arbitrary commands as root on the underlying operating system of an affected device. The attacker already needs administrative access to the device, so the bug is an escalation from the restricted CLI to the host OS rather than an unauthenticated entry point.

The flaw was exploited as a zero-day in a campaign by the China-linked Velvet Ant espionage group targeting Cisco Nexus devices.

The advisory outlines the nature of OS command injection vulnerabilities, which occur when software does not adequately validate and sanitize user input before incorporating it into commands executed on the underlying operating system. Because the input is spliced into a string that a shell then re-parses, characters such as ";", "|" or "$( )" turn data into additional commands, allowing threat actors to execute malicious commands with the privileges of the vulnerable process and significantly endangering customers.

CISA has strongly recommended that developers adopt well-known mitigations to prevent these vulnerabilities during the design and development of software products.

Key recommendations include:

  • Ensure software uses functions that generate commands in safer ways by preserving the intended syntax of the command and its arguments (passing the program and each argument separately rather than building a single shell string),

  • Review threat models to account for untrusted input reaching command execution,

  • Use modern component libraries,

  • Conduct code reviews and implement aggressive adversarial product testing to ensure the quality and security of the code throughout the development lifecycle.
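
The following is an added example illustrating the first recommendation; it is not code from the CISA/FBI alert or from any of the affected vendors. It shows the same user-supplied host handled three ways: spliced into a shell string (CWE-78), passed as a separate argv element so no shell re-parses it, and additionally checked against a hostname allowlist. The hypothetical attacker input is constructed for the example, and `echo` stands in for a network utility such as `ping` so that the code runs offline and deterministically.

```python
"""Shell-string versus argv command construction (CWE-78).

Added example, not from the CISA/FBI alert. `echo` stands in for the
network utility (e.g. `ping`) that a device web UI might run against a
user-supplied host, so the example runs offline.
"""
import re
import subprocess

# Constructed attacker input: a valid-looking host followed by a second command.
MALICIOUS_HOST = "example.com; echo INJECTED"

# RFC 1123-style hostname: labels of letters/digits/hyphens, no leading or
# trailing hyphen, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_unsafe(host: str) -> str:
    """Vulnerable: user input is spliced into a string handed to /bin/sh.

    The shell re-parses the whole string, so ';', '|', '$(...)' and similar
    characters inside `host` become new commands.
    """
    cmd = f"echo {host}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_argv(host: str) -> str:
    """Safer: program and arguments are passed as separate argv elements.

    No shell parses the string, so metacharacters stay inside one argument
    and the intended command syntax is preserved. Option injection (a value
    beginning with '-') is still possible for tools that take flags, which is
    why run_hardened() layers input validation on top.
    """
    proc = subprocess.run(["echo", host], capture_output=True, text=True)
    return proc.stdout


def is_valid_hostname(host: str) -> bool:
    """Allowlist check: rejects shell metacharacters and a leading '-'."""
    return _HOSTNAME_RE.match(host) is not None


def run_hardened(host: str) -> str:
    """Validate, then invoke without a shell; raises on anything not a hostname."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host: {host!r}")
    return run_argv(host)


if __name__ == "__main__":
    print("unsafe  :", repr(run_unsafe(MALICIOUS_HOST)))  # second command ran
    print("argv    :", repr(run_argv(MALICIOUS_HOST)))    # one literal argument
    try:
        run_hardened(MALICIOUS_HOST)
    except ValueError as err:
        print("hardened:", err)
```

Run with `python3` on a system with `/bin/sh` and `echo`: the unsafe variant prints two lines because the shell executed the injected command, the argv variant prints the attacker string as a single literal argument, and the hardened variant rejects the input before anything runs. The same pattern applies to `execve()` in C, `ProcessBuilder` in Java, or `exec.Command` in Go: keep the program and its arguments as a list and never hand untrusted text to a shell.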

“OS command injection vulnerabilities have long been preventable by clearly separating user input from the contents of a command. Despite this finding, OS command injection vulnerabilities—many of which result from CWE-78—are still a prevalent class of vulnerability,” the agency said.
