CISA Issues Advisory to Devs to Address SQL Injection Vulnerabilities


CISA and the FBI have advised executives of technology manufacturers to conduct thorough reviews of their software and take the necessary measures to address SQL injection vulnerabilities before shipping.


SQL injection (SQLi) attacks involve malicious actors inserting crafted SQL fragments into input fields or parameters that an application uses to build database queries. By exploiting weaknesses in how the application handles that input, attackers can execute unintended SQL commands and potentially read, alter, or delete sensitive data stored in the database.

Improper input validation and sanitization in web applications or other software that interacts with databases can result in unauthorized access to sensitive data, data breaches, or complete system takeover.

CISA’s Recommendations to Prevent SQL Injection Vulnerabilities

To prevent SQL injection vulnerabilities, CISA and the FBI recommend using parameterized queries with prepared statements. This technique separates SQL code from user-supplied data: the query text is fixed in advance and the data is bound to placeholders, so malicious input can never be interpreted as part of the SQL statement.

For a secure-by-design approach, parameterized queries are a better choice than input sanitization. Sanitization can be bypassed and is difficult to enforce consistently across a large codebase.
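The following is an added example, not code from the CISA/FBI alert or from this article, showing the difference the recommendation makes. It assumes Python's standard-library sqlite3 module and a constructed in-memory users table; the function names and the sample input are the author's own. The first lookup splices the input into the query text (the CWE-89 defect), the second binds it as a parameter. Run against a classic tautology input, the first returns every row while the second returns nothing, because the bound value is compared as data rather than parsed as SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite database.
    Assumption: any DB-API 2.0 driver binds placeholders the same way."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """CWE-89 pattern: user input is spliced into the SQL text, so the
    database parser treats attacker-controlled characters as SQL syntax."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The mitigation CISA and the FBI recommend: the SQL text is fixed and
    the value travels separately as a bound parameter, so it is only ever
    compared as data and never parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "alice"
    # Constructed input: closes the string literal and adds an always-true clause.
    hostile = "' OR '1'='1"
    print("vulnerable, benign:    ", lookup_vulnerable(db, benign))
    print("vulnerable, hostile:   ", lookup_vulnerable(db, hostile))     # every row leaks
    print("parameterized, hostile:", lookup_parameterized(db, hostile))  # no such user: []
```

The point for reviewers is that the parameterized version needs no knowledge of which characters are dangerous; the separation is structural, which is why it scales across a codebase in a way that sanitization rules do not.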

In MITRE’s 2021 and 2022 rankings of the most dangerous software weaknesses, SQL injection ranked third, surpassed only by out-of-bounds writes and cross-site scripting.

“If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products,” CISA and the FBI said.

“Incorporating this mitigation at the outset—beginning in the design phase and continuing through development, release, and updates—reduces the burden of cybersecurity on customers and risk to the public.”

The joint alert from CISA and the FBI follows a series of attacks by the Clop ransomware gang. Beginning in May 2023, the gang exploited a zero-day SQL injection vulnerability in the Progress MOVEit Transfer managed file transfer application, impacting numerous organizations worldwide.

Among the victims of these data theft attacks are multiple U.S. federal agencies and two entities within the U.S. Department of Energy (DOE).

Although a large number of organizations were affected, estimates from Coveware suggest that only a small proportion of the victims are likely to pay Clop’s ransom demands.

Even so, because of the size of the ransom demands, the gang has likely collected an estimated $75-100 million in payments.

“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the two agencies said on Monday.

“Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007. Despite this finding, SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability.”

Separately, in January CISA called on manufacturers of small office/home office (SOHO) routers to prioritize the security of their devices, in light of ongoing attacks including those carried out by the Volt Typhoon hacking group, which has ties to the Chinese state.
