Uncle Sam’s had it up to here with ‘unforgivable’ SQL injection flaws

The US has clearly had enough of software vendors shipping products with “unforgivable” vulnerabilities, and is now urging them to launch formal code reviews to stamp out SQL injection flaws.

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) issued a Secure by Design Alert on Monday, reminding the tech community that there is no excuse for the decades-old vulnerability type to still be causing issues today.

They cited last year's MOVEit supply chain attacks, which were enabled by a SQL injection zero-day, as an example of the damage such issues can cause.

Defunct ransomware and extortion outfit Cl0p was responsible for the MOVEit MFT attacks last year. Cybersecurity biz Emsisoft set up a web page to track the number of victims and despite Progress Software releasing patches fairly quickly, the group was responsible for breaches at 2,769 organizations, as of this week’s data. This meant that around 95 million individuals have been affected so far.

The call from authorities extends to software vendors’ customers too. They’ve been advised to hold their vendors to account by asking them if a formal code review into a product’s susceptibility to SQL injection exploits has occurred and what mitigations have been put in place.

SQL injection vulnerabilities exist where developers allow user-input data to be supplied to a database directly as a SQL command.

This can then lead to all manner of nastiness, including the modification or deletion of database content, reading and/or stealing that content, and performing various admin commands.

Cybersecurity authorities, including but not limited to CISA, have been calling for secure-by-design programming practices to be the norm for well over a decade, and those efforts continue today.

Both CISA and the FBI said in the alert [PDF] that SQL injection vulnerabilities should be eradicated from the beginning of the development process by focusing on security from the outset.

“Secure by Design means that manufacturers design and build their products in a way that reasonably protects against malicious cyber actors successfully exploiting product defects,” the alert reads.

“Incorporating this mitigation at the outset – beginning in the design phase and continuing through development, release, and updates – reduces the burden of cybersecurity on customers and risk to the public.

“Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007. Despite this finding, SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability. For example, CWE-89 is on top 25 lists for both the most dangerous and stubborn software weaknesses in 2023.”

Software vendors have been advised to use parameterized queries with prepared statements to mitigate SQL injection vulnerabilities. According to the authorities, these allow user-input data to be separated from SQL queries and “better embody a secure by design approach” compared to input sanitization techniques.

Input sanitization techniques are deployed by some vendors, but were branded “brittle” by CISA and the FBI. They said such techniques are also difficult to deploy on a large scale and are more easily bypassed.
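The contrast the alert draws, as an added example rather than code from the alert or any vendor: a user lookup built by splicing input into the SQL text beside the same lookup as a parameterized query, run against a constructed in-memory SQLite table (the table, function names and sample inputs are all assumptions made for this illustration).

```python
import sqlite3


def make_db():
    # Constructed sample data: three users in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable pattern (CWE-89): the input becomes part of the SQL text,
    # so the database parses it as command syntax rather than as a value.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Parameterized query: the statement is compiled with a placeholder and
    # the input is bound separately, so it can only ever be treated as data.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    # Runs both lookups with an ordinary name and with a constructed input
    # that carries SQL syntax, and returns the rows each version yields.
    conn = make_db()
    honest = "bob"
    hostile = "x' OR '1'='1"  # constructed sample of injection-style input
    return {
        "concat_honest": lookup_concatenated(conn, honest),
        "concat_hostile": lookup_concatenated(conn, hostile),
        "param_honest": lookup_parameterized(conn, honest),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated version returns every row for the hostile input because the database reads the condition as `name = 'x' OR '1'='1'`; the parameterized version returns nothing, since no user is literally named that.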

In addition to adopting secure by design principles, the authorities urged vendors to be transparent when it comes to disclosing vulnerabilities to customers. 

Using the CVE program allows customers to track and manage their exposure to software vulnerabilities, and specifying the correct CVE means the wider industry can track the vendor itself for any common themes with the issues they disclose, and hold them to account for any development processes that need improving.

It’s not just the security of a single piece of software that’s at stake, CISA and the FBI argue. Software that’s secured from the outset protects the wider economy and saves costs in the long run.

“Leaders must consider the full picture: That customers, our economy, and our national security are currently bearing the brunt of business decisions to not build security into their product – as the [MOVEit MFT] campaign described earlier and this Alert clearly reflects,” they said.

“Moreover, directing the business toward secure by design software development often reduces financial and productivity costs as well as complexity. Leaders should make the appropriate investments and develop the right incentive structures that promote security as a stated business goal.” ®