Following March’s Patch Tuesday updates, it’s important not to forget the equally critical patches released earlier in the month.
One of the more unusual vulnerability disclosures came from Cisco and concerned a flaw in its IOx Application Hosting Environment. This proprietary hosting environment allows, among other things, application connectivity and development for IoT-focused services within the “fog” – the layer between IoT devices and the cloud.
Successful exploitation would allow an attacker to deploy an application in the hosting environment; that application could then execute commands as root on the host operating system.
Command injection is a common vulnerability; injection flaws hold the #3 spot in the OWASP Top Ten. Command injection can occur when user-supplied data is not validated, filtered, or sanitized by the application, when dynamic queries are executed, or when hostile data is used directly or concatenated into a command. In the case of this vulnerability, parameters sent to the control plane of the hosting environment were incompletely sanitized, allowing the activation of an application with a malicious payload.
There are several effective measures to mitigate or eliminate command injection vulnerabilities. First, validate and sanitize all input data. If the input is expected to conform to a specific format (such as a phone number), validate it against that format. Even a simple regex goes a long way toward adding a layer of protection against command injection.
Second, use safe APIs and libraries that have command injection protection built in. For example, using prepared SQL statements instead of dynamically constructed SQL statements provides a measure of protection against injection on the database side; the equivalent for operating-system commands is an API that passes each argument to the program individually rather than building a shell command string.
Third, reduce the blast radius of a command injection exploit by applying the principle of least privilege. If a command injection vulnerability is exploited but the host has only a limited set of privileges, the damage an injected command can do is limited accordingly.
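The following Python example is added here to show the injection pattern described above next to the three mitigations; it is not code from the original post or from Cisco's IOx environment. The hostname pattern, the action table (`ping`, `resolve`) and the sample inputs are constructed for illustration: the vulnerable builder concatenates the parameter into a shell string, while the hardened path validates against an allow-list regex, passes the value as a single argv entry with `shell=False`, and lets callers choose only from fixed, named actions rather than supplying a program or flags.

```python
import re
import subprocess

# Allow-list pattern for a plain hostname or IPv4 literal (constructed for this
# example). The first character must be alphanumeric, so a value can never start
# with "-" and be parsed as an option by the called program.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")

# Least privilege at the API boundary: callers name an action, never a program or
# its flags. The action names are hypothetical and chosen for illustration.
ALLOWED_ACTIONS = {
    "ping": ["ping", "-c", "1"],
    "resolve": ["getent", "hosts"],
}


def is_valid_host(host):
    """True only if host is a string that fully matches the allow-list pattern."""
    return isinstance(host, str) and HOSTNAME_RE.fullmatch(host) is not None


def validate_host(host):
    """Return host unchanged if it passes the allow-list, otherwise raise ValueError."""
    if not is_valid_host(host):
        raise ValueError("rejected host parameter: %r" % (host,))
    return host


def build_vulnerable_command(host):
    """The injection pattern: untrusted input concatenated into a shell command string.

    Anything the shell treats specially inside `host` (separators, quotes,
    substitutions) becomes part of the command line instead of data. Shown for
    contrast only; never hand the result to subprocess.run(..., shell=True).
    """
    return "ping -c 1 " + host


def build_safe_command(action, host):
    """Validate the parameter, then build an argv list from a fixed template."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action: %r" % (action,))
    # list(...) copies the template so the shared table is never mutated
    return list(ALLOWED_ACTIONS[action]) + [validate_host(host)]


def run_diagnostic(action, host, timeout=5):
    """Execute an allow-listed action and return its exit code.

    shell=False means no shell parses argv: the host value reaches the program as
    exactly one argument, whatever characters it contains.
    """
    argv = build_safe_command(action, host)
    completed = subprocess.run(
        argv, shell=False, capture_output=True, text=True, timeout=timeout
    )
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a shell metacharacter.
    for candidate in ("example.com", "example.com; echo injected"):
        print("vulnerable string:", build_vulnerable_command(candidate))
        try:
            print("safe argv:        ", build_safe_command("ping", candidate))
        except ValueError as err:
            print("rejected:         ", err)
```

Running the script prints the concatenated string for both inputs, but only the benign value produces an argv list; the second is rejected before any process is started. The regex also rejects a leading `-`, which closes the related option-injection case where a "valid-looking" value is read as a flag by the target program.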
What’s also interesting about this Cisco vulnerability is that it was discovered by security researchers. Security researchers are often contracted to evaluate the security of a given system with the goal of ensuring that the system is safe. They use different techniques – reverse engineering, penetration testing, etc. – to attempt to discover security vulnerabilities. Most development organizations lack this type of expertise and must rely on secure coding practices to minimize the attack surface of their applications.
Since secure coding practices usually fall outside the formal education of most developers, it’s critical that organizations provide training, assessments, automation, and other processes to ensure the highest-quality, most resilient software is produced.
Discover how Security Journey can support your organization’s secure coding training program with AppSec education.