CISA and the FBI urged executives of technology manufacturing companies to prompt formal reviews of their organizations’ software and implement mitigations to eliminate SQL injection (SQLi) security vulnerabilities before shipping.
In SQL injection attacks, threat actors “inject” maliciously crafted SQL queries into input fields or parameters used in database queries, exploiting vulnerabilities in the application’s security to execute unintended SQL commands, such as exfiltrating, manipulating, or deleting sensitive data stored in the database.
This can lead to unauthorized access to confidential data, data breaches, and even a complete takeover of the targeted systems because of improper input validation and sanitization in web applications or software that interact with the targeted databases.
CISA and the FBI advise the use of parameterized queries with prepared statements to prevent SQL injection (SQLi) vulnerabilities. This approach separates SQL code from user data, making it impossible for malicious input to be interpreted as an SQL statement.
Parameterized queries are a better option for a secure-by-design approach compared to input sanitization techniques because the latter can be bypassed and are difficult to enforce at scale.
SQLi vulnerabilities took the third spot in MITRE’s top 25 most dangerous weaknesses plaguing software between 2021 and 2022, only surpassed by out-of-bounds writes and cross-site scripting.
“If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products,” CISA and the FBI said [PDF].
“Incorporating this mitigation at the outset—beginning in the design phase and continuing through development, release, and updates—reduces the burden of cybersecurity on customers and risk to the public.”
CISA and the FBI issued this joint alert in response to a Clop ransomware hacking spree that started in May 2023 and targeted a zero-day SQLi vulnerability in the Progress MOVEit Transfer managed file transfer app, affecting thousands of organizations worldwide.
Multiple U.S. federal agencies and two U.S. Department of Energy (DOE) entities have also been victims of these data theft attacks.
Despite the vast victim pool, estimates from Coveware suggested that only a limited number of victims were likely to yield to Clop’s ransom demands.
Nonetheless, the cybercrime gang has likely collected an estimated $75-100 million in payments due to the high ransom requests.
“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the two agencies said on Monday.
“Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007. Despite this finding, SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability.”
Last month, the White House Office of the National Cyber Director (ONCD) urged tech companies to switch to memory-safe programming languages (like Rust) to improve software security by reducing the number of memory safety vulnerabilities.
In January, CISA also asked manufacturers of small office/home office (SOHO) routers to ensure their devices are secure against ongoing attacks, including those coordinated by the Volt Typhoon Chinese state-backed hacking group.