CISA urges software devs to weed out SQL injection vulnerabilities

March 25, 2024 at 02:28PM

CISA and FBI advised technology manufacturing executives to conduct formal software reviews and implement mitigations to eliminate SQL injection (SQLi) vulnerabilities. SQL injection attacks enable unauthorized access to sensitive data and can lead to data breaches and system takeover. They recommend using parameterized queries with prepared statements as a secure solution. The joint alert was issued in response to a Clop ransomware hacking spree targeting a SQLi vulnerability in the Progress MOVEit Transfer app, affecting numerous organizations globally. The agencies highlighted the continued prevalence of SQLi vulnerabilities and encouraged the adoption of memory-safe programming languages to improve software security.

From the meeting notes, the key takeaways are:
1. CISA and the FBI are urging technology manufacturing companies to conduct formal reviews of their software and implement mitigations to eliminate SQL injection (SQLi) security vulnerabilities before shipping.
2. The use of parameterized queries with prepared statements is advised to prevent SQL injection vulnerabilities, as it separates SQL code from user data, making it impossible for malicious input to be interpreted as an SQL statement.
3. SQLi vulnerabilities have been identified as the third most dangerous weakness in software, leading to unauthorized access to confidential data, data breaches, and potential complete system takeovers.
4. The joint alert was issued in response to a Clop ransomware hacking spree that targeted a zero-day SQLi vulnerability, affecting thousands of organizations worldwide and leading to data theft attacks on multiple U.S. federal agencies and U.S. Department of Energy entities.
5. Despite widespread knowledge and documentation of SQLi vulnerabilities, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, posing a significant risk to customers.
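To make the point in takeaway 2 concrete, here is an added example (not code from the alert or from CISA/FBI) that puts the string-concatenation defect beside the parameterized form, using Python's standard `sqlite3` module on a constructed in-memory table. The same `?` placeholder separates the statement from the bound value in most database drivers; a test input containing a stray quote changes the meaning of the concatenated query but is treated as a plain string by the prepared one.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the alert.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]

# An input containing an unescaped quote: under concatenation it rewrites
# the WHERE clause into a tautology; under binding it is just a username.
QUOTE_INPUT = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    # Even the seed data is inserted with placeholders, never concatenation.
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect CISA describes: user data is spliced into the SQL text,
    so the database parser cannot distinguish code from data."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The recommended mitigation: the statement is prepared with a placeholder
    and the value is bound separately, so it can only ever be a string literal."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Return row counts for both variants with a normal and a quote-bearing input."""
    conn = build_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_quote_input": len(lookup_vulnerable(conn, QUOTE_INPUT)),
        "parameterized_normal": len(lookup_parameterized(conn, "alice")),
        "parameterized_quote_input": len(lookup_parameterized(conn, QUOTE_INPUT)),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```

The concatenated query returns every row for the quote-bearing input, while the prepared statement returns none, which is exactly the code/data separation the alert asks manufacturers to rely on.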