The federal government is putting pressure on software makers to ensure that their products don’t include SQL injection vulnerabilities, a longtime and ongoing threat that was put in the spotlight with last year’s far-reaching hack of Progress Software’s MOVEit managed file transfer tool.
CISA and the FBI this week issued an alert urging tech manufacturer executives to formally review their code to determine how susceptible it is to SQL injection – also known as SQLi – exploitation and encouraging organizations using the technology to ensure that their vendors have conducted such an assessment.
“If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products,” the agencies wrote. “Building security into products from the beginning can eliminate SQLi vulnerabilities.”
The push is part of the government’s larger Secure by Design initiative to encourage software makers to consider security throughout the entire development lifecycle – from design and development through releases and updates – and to shift the responsibility for security from the users of tech products to the vendors.
In the case of SQL injection vulnerabilities, the threat – and mitigation steps – has been known about for two decades. Despite this, “software manufacturers have continued to develop products with this defect, which puts many customers at risk,” they wrote.
“SQLi vulnerabilities are caused by software developers’ inattention to security best practices, resulting in the co-mingling of database queries and user-supplied data,” the agencies wrote. “The impact of successful SQLi exploitation can be devastating as it challenges the confidentiality, integrity, and availability of a database and its information.”
SQLi vulnerabilities allow for user-supplied input to be directly inserted into SQL commands, which leads to the execution of arbitrary queries. Attackers can hijack back-end processes and steal or delete sensitive information from databases, spoof identities, cause repudiation issues like voiding transactions or changing balances, and become administrators of a database server.
“SQL Injection has become a common issue with database-driven web sites,” according to OWASP, a nonprofit for improving software security. “The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind.”
The organization said that the “attack is accomplished by placing a meta character into data input to then place SQL commands in the control plane, which did not exist there before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.”
According to market research firm Statista, SQL injection was the main source of web critical vulnerabilities around the world in 2023, accounting for 23% of such flaws and just ahead of malicious file uploads at 22.7%. MITRE ranked it in the top 25 of the most dangerous and stubborn software weaknesses last year.
That may have been a result of the vulnerabilities in the MOVEit file transfer software, which was widely exploited last year by the Cl0p ransomware group starting in the spring. The threat actors were able to break into the product and steal data. Between May 31 and June 15, Progress issued patches for three critical vulnerabilities; during that period, Cl0p claimed responsibility for exploiting the flaws.
According to endpoint security vendor Emsisoft, 2,769 organizations and almost 95 million individuals have been affected by the attacks.
CISA and the FBI wrote that developers, during the design and development of software, should use parameterized queries, which provide parameters to queries, put values on those queries, and then execute them. This separates SQL code from user-supplied data to prevent SQL injection vulnerabilities.
“This separation ensures the system treats user input as data and not executable code, thereby eliminating the risk of malicious user input being interpreted as a SQL statement,” the agencies wrote, noting that some developers want to use input sanitization techniques instead. “While input sanitization may prevent some attacks, those techniques are brittle, difficult to enforce at scale, and frequently can be bypassed. Parameterized queries therefore better embody a secure by design approach.”
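As an added illustration of the parameterized-query recommendation (example code written for this page, not from the agencies' alert), the concatenated lookup the alert warns about is shown beside its parameterized form, run against a small constructed SQLite table:

```python
import sqlite3

# Constructed sample rows for the demo (not from the article).
SAMPLE_USERS = [("alice", "alice@example.com"),
                ("bob", "bob@example.com"),
                ("o'brien", "obrien@example.com")]  # legitimate quote in data

def make_db() -> sqlite3.Connection:
    """In-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The defect the alert describes: user input spliced into the SQL text."""
    # The engine cannot tell where the statement ends and the data begins,
    # so a quote inside `name` rewrites the statement itself (control plane).
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The recommended fix: the value is passed separately via a placeholder."""
    # sqlite3 binds `name` as a literal at execution time; it is never parsed
    # as SQL, so the statement's structure is fixed by the developer alone.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(name: str) -> tuple:
    """Return (vulnerable_rows, safe_rows); the first is None if the SQL broke."""
    conn = make_db()
    try:
        try:
            vuln = len(lookup_vulnerable(conn, name))
        except sqlite3.OperationalError:
            vuln = None
        return vuln, len(lookup_parameterized(conn, name))
    finally:
        conn.close()

if __name__ == "__main__":
    print(compare("alice"))         # (1, 1): ordinary input, same answer
    print(compare("o'brien"))       # (None, 1): concatenation chokes on a quote
    print(compare("x' OR '1'='1"))  # (3, 0): tautology vs. literal lookup
```

The second case is the brittleness the agencies mention: a legitimate name containing a quote breaks the concatenated statement outright, while the parameterized form handles it as ordinary data.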
They also said organizations should embrace three principles of secure-by-design environments: taking ownership of customer security, embracing transparency and accountability, and installing a structure and leadership that can make this happen.