CISA encourages developers to remove SQL injection vulnerabilities


CISA and the FBI urged executives at technology manufacturing companies to encourage formal reviews of their organizations’ software and implement mitigation measures to remove SQL injection (SQLi) security vulnerabilities before shipping.

In SQL injection attacks, threat actors “inject” maliciously crafted SQL fragments into input fields or parameters that are used to build database queries, exploiting weaknesses in application security to execute unintended SQL commands, such as exfiltrating, manipulating, or deleting sensitive data stored in the database.

This can lead to unauthorized access to confidential data, data breaches, and even complete takeover of targeted systems, and it stems from improper input validation and sanitization in web applications or other software that interacts with the targeted databases.

CISA and the FBI advise using parameterized queries with prepared statements to prevent SQL injection (SQLi) vulnerabilities. This approach separates the SQL code from the user data, making it impossible for malicious input to be interpreted as an SQL statement.

Parameterized queries are a better option for a secure-by-design approach than input sanitization techniques, because the latter can be circumvented and are difficult to apply consistently at scale.
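The difference the agencies describe, shown side by side as an added example (not code from the advisory): the first lookup splices user input into the SQL text (the CWE-89 pattern), the second binds the value to a placeholder so the database only ever treats it as data. The table, rows and names below are constructed for the demo and use Python's standard sqlite3 module.

```python
import sqlite3

# Constructed sample data (not from the article). The apostrophe in the
# last name is deliberate: it is legitimate input that string splicing
# cannot even handle correctly.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def _connect():
    """Create a fresh in-memory database seeded with USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(name):
    """CWE-89 pattern: the caller's string becomes part of the SQL text,
    so the database cannot distinguish the value from the query."""
    conn = _connect()
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(name):
    """Mitigation recommended by CISA and the FBI: the statement is sent
    with a placeholder and the value is bound separately, so whatever the
    caller passes is compared literally and never parsed as SQL."""
    conn = _connect()
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    # A tautology that rewrites the WHERE clause when spliced into the text.
    hostile = "' OR '1'='1"
    print(lookup_vulnerable("alice"))          # one row
    print(lookup_vulnerable(hostile))          # every row: filter bypassed
    print(lookup_parameterized(hostile))       # []: value matched literally
    print(lookup_parameterized("o'brien"))     # one row: quotes are just data
```

The vulnerable version also fails on the legitimate name with an apostrophe (a SQL syntax error), which is why the advisory prefers parameterization over trying to sanitize quotes out of input.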

SQLi vulnerabilities ranked third on MITRE’s list of the 25 most dangerous software weaknesses for 2021 and 2022, surpassed only by out-of-bounds writes and cross-site scripting.

“If they discover that their code has vulnerabilities, senior executives should ensure that their organizations’ software developers immediately begin implementing mitigation measures to eliminate this entire class of flaws from all current and future software products,” CISA and the FBI said [PDF].

“Incorporating this mitigation early on—starting in the design phase and continuing through development, release, and updates—reduces the cybersecurity burden on users and the risk to the public.”


CISA and the FBI issued this joint alert in response to the Clop ransomware campaign that began in May 2023 and exploited an SQLi zero-day vulnerability in the managed file transfer application Progress MOVEit Transfer, affecting thousands of organizations worldwide.

Multiple US federal agencies and two US Department of Energy (DOE) entities were also victims of these data theft attacks.

Despite the vast number of victims, Coveware’s estimates suggest that only a limited number of victims are likely to agree to Clop’s ransom demands.

Regardless, the cybercrime group likely collected an estimated $75-100 million in payouts due to high ransom demands.

“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigation measures, software vendors continue to develop products with this flaw, which puts many users at risk,” the two agencies said Monday.

“Vulnerabilities such as SQL have been considered by others as ‘unforgivable’ vulnerabilities since at least 2007. Despite this finding, SQL vulnerabilities (such as CWE-89) are still the predominant class of vulnerabilities.”

Last month, the White House Office of the National Cyber Director (ONCD) urged technology companies to switch to memory-safe programming languages (such as Rust) to improve software security by reducing the number of memory safety vulnerabilities.

In January, CISA also asked manufacturers of small office/home office (SOHO) routers to ensure their devices are protected against ongoing attacks, including those coordinated by the Chinese state-backed hacking group Volt Typhoon.
