Monday, March 10, 2025

CISA urges software devs to weed out SQL injection vulnerabilities


CISA and the FBI urged executives of technology manufacturing companies to prompt formal reviews of their organizations' software and implement mitigations to eliminate SQL injection (SQLi) security vulnerabilities before shipping.

In SQL injection attacks, threat actors "inject" maliciously crafted SQL queries into input fields or parameters used in database queries, exploiting vulnerabilities in the application's security to execute unintended SQL commands, such as exfiltrating, manipulating, or deleting sensitive data stored in the database.

This can lead to unauthorized access to confidential data, data breaches, and even a complete takeover of the targeted systems because of improper input validation and sanitization in web applications or software that interact with the targeted databases.

CISA and the FBI advise using parameterized queries with prepared statements to prevent SQL injection (SQLi) vulnerabilities. This approach separates SQL code from user data, making it impossible for malicious input to be interpreted as an SQL statement.


Parameterized queries are a better option for a secure-by-design approach compared to input sanitization techniques because the latter can be bypassed and are difficult to implement at scale.

SQLi vulnerabilities took the third spot in MITRE's top 25 most dangerous weaknesses plaguing software between 2021 and 2022, only surpassed by out-of-bounds writes and cross-site scripting.

"If they discover their code has vulnerabilities, senior executives should ensure their organizations' software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products," CISA and the FBI said [PDF].


"Incorporating this mitigation at the outset—beginning in the design phase and continuing through development, release, and updates—reduces the burden of cybersecurity on customers and risk to the public."

FBI SQLi tweet

CISA and the FBI issued this joint alert in response to a Clop ransomware hacking spree that started in May 2023 and targeted a zero-day SQLi vulnerability in the Progress MOVEit Transfer managed file transfer app, affecting thousands of organizations worldwide.

Several U.S. federal agencies and two U.S. Department of Energy (DOE) entities have also been victims of these data theft attacks.


Despite the vast victim pool, estimates from Coveware suggested that only a limited number of victims were likely to yield to Clop's ransom demands.

Nonetheless, the cybercrime gang has likely collected an estimated $75-100 million in payments because of its high ransom requests.

"Despite widespread knowledge and documentation of SQLi vulnerabilities over the past 20 years, together with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk," the two agencies said on Monday.

"Vulnerabilities like SQLi have been considered by others an 'unforgivable' vulnerability since at least 2007. Despite this finding, SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability."

Last month, the White House Office of the National Cyber Director (ONCD) urged tech companies to switch to memory-safe programming languages (like Rust) to improve software security by reducing the number of memory safety vulnerabilities.

In January, CISA also asked manufacturers of small office/home office (SOHO) routers to ensure their devices are secure against ongoing attacks, including those coordinated by the Volt Typhoon Chinese state-backed hacking group.
