CISA and FBI warn about SQL injection vulnerabilities
Preventive measures and mitigation strategies against one of the most serious cybersecurity risks
CISA and FBI warn tech companies about the risks of SQL injection, suggesting the use of parameterized queries for security. Despite known countermeasures, attacks persist, highlighting the need for improved security strategies in software.
CISA and the FBI have urged technology executives to formally review their software products for SQL injection (SQLi) vulnerabilities and to mitigate them before release. In an SQL injection attack, the attacker supplies crafted input that the application concatenates into its database queries, so the input is interpreted as SQL and executes unintended commands, such as exfiltrating, altering, or deleting sensitive data.
Recommended tools and threat context
Security experts recommend parameterized queries (prepared statements) to prevent SQLi vulnerabilities: the SQL text is fixed and user-supplied values are bound separately as data, so malicious input cannot be interpreted as SQL commands. This approach is preferable to input sanitization, which can be circumvented and is difficult to apply consistently at scale. MITRE ranks SQL injection as the third most dangerous software weakness, preceded only by out-of-bounds writes and cross-site scripting.
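The following is an added example, not code from the advisory or from CISA/FBI, illustrating the point above: the same lookup written with string concatenation, with a naive quote-escaping "sanitizer", and with a parameterized query. The user table, the column names and the test inputs are all constructed for the demonstration; it uses Python's built-in sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the advisory).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_email_vulnerable(conn, name):
    """Concatenates untrusted input into the SQL text: the input becomes code."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value):
    """Naive sanitizer: doubles single quotes so they cannot close a string literal."""
    return value.replace("'", "''")


def find_email_by_id_sanitized(conn, user_id):
    """Sanitizer applied, but the value lands in a numeric context with no quotes,
    so input that contains no quote character is still interpreted as SQL."""
    sql = "SELECT email FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_email_parameterized(conn, name):
    """The SQL text is fixed; the driver binds `name` as a value, never as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_email_by_id_parameterized(conn, user_id):
    """Same for the numeric lookup: the bound value is compared as data only."""
    sql = "SELECT email FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def demo():
    """Run each variant against constructed hostile and benign inputs."""
    conn = make_db()
    hostile_text = "' OR '1'='1"   # constructed test input; not a valid user name
    hostile_number = "1 OR 1=1"     # constructed test input; no quotes, so escaping does nothing
    return {
        "vulnerable": find_email_vulnerable(conn, hostile_text),
        "sanitized_numeric": find_email_by_id_sanitized(conn, hostile_number),
        "parameterized": find_email_parameterized(conn, hostile_text),
        "parameterized_numeric": find_email_by_id_parameterized(conn, hostile_number),
        "normal": find_email_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>22}: {rows}")
```

The concatenated and "sanitized" variants both return every row for the hostile inputs, while the parameterized variants return nothing for them and still return the right row for a normal name. This is why the advisory favours parameterization over sanitization: escaping must be correct for every syntactic context the value can land in, whereas a bound parameter can never change the query's structure.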
Importance of early mitigation of vulnerabilities
The joint CISA and FBI alert follows the series of Clop ransomware attacks that began in May 2023 and exploited a zero-day SQLi vulnerability in the Progress MOVEit Transfer application, affecting thousands of organizations worldwide. Despite the large number of victims, only a limited number are believed to have actually paid the ransom. Even so, the criminal group's earnings are estimated at between 75 and 100 million dollars.
Call to action for improved software security
Although SQLi has been widely recognized and documented for over two decades, and effective mitigations are well known, software vendors continue to release products affected by this flaw, exposing large numbers of users to significant risk. Recently, the White House Office of the National Cyber Director (ONCD) urged technology companies to adopt memory-safe programming languages, such as Rust, to reduce memory-safety vulnerabilities. In January, CISA also urged manufacturers of small office/home office routers to secure their devices against ongoing attacks, including those coordinated by the Chinese state-backed hacking group Volt Typhoon.
03/25/2024 19:01
Marco Verro