Technology companies continue to produce software at risk of SQL injection flaws, even though the problem (and how to prevent it) has been known for years, according to a warning from CISA and the FBI.
SQL injection (or SQLi) vulnerabilities remain a common class of software flaws, despite widespread awareness of the problem over the past two decades, along with ways to address it, the agencies said.
“Software manufacturers have continued to develop products with this defect, putting many customers at risk,” the alert said.
CISA and the FBI said they issued the alert in response to a recent campaign in which attackers exploited SQLi flaws in a managed file transfer application to attack and compromise users, affecting thousands of organizations.
Last year, the CL0P ransomware gang exploited a previously unknown SQL injection vulnerability in Progress Software's managed file transfer software known as MOVEit Transfer.
Internet-facing MOVEit Transfer web applications were infected with a web shell, which was then used to steal data from the underlying MOVEit Transfer databases; victims included high-profile organizations such as the BBC and US federal agencies.
The agencies said senior executives at technology companies should conduct a formal review of their code to determine whether it is susceptible to SQLi flaws. They added that customers should also ask their suppliers if they have performed such a review.
If executives discover that their code has these vulnerabilities, software developers should immediately begin working on mitigations to eliminate the flaws from all current and future software products, they said.
Vulnerabilities like SQLi were considered “unforgivable” as early as 2007, CISA noted. Despite this, they remain a common kind of vulnerability: CWE-89, the weakness identifier for SQL injection, appeared on both 2023 lists of the top 25 most dangerous and most persistent software weaknesses, ranking number three on each.
How are SQL injection flaws exploited?
SQL injection vulnerabilities arise when user-supplied input is inserted directly into the text of an SQL command, so the database cannot tell where the developer's query ends and the attacker's input begins.
The CWE-89 entry explains that when user-controlled data reaches the query text without being neutralized, an attacker can deliberately alter the query logic to bypass security controls, or append additional statements that modify the back-end database, possibly including execution of system commands.
“SQL injection has become a common problem in database-driven websites. The flaw is easily detected and exploited and, as such, any site or product package with even a minimal user base is likely to be subject to such an attack attempt,” the entry notes. “This flaw depends on the fact that SQL makes no real distinction between the control and data planes.”
The alert from the FBI and CISA has a more strident tone.
“SQLi vulnerabilities are caused by software developers' lack of attention to security best practices, resulting in the mixing of database queries and user-provided data,” the alert said.
“Specifically, SQLi vulnerabilities can allow malicious cyberattackers to steal sensitive information, alter it, delete it, or make the information unavailable in a database. SQL injections are successful because software developers do not treat user-provided content as potentially malicious.”
How to mitigate SQL injection flaws
To avoid SQL injections, developers should use parameterized queries with prepared statements to separate SQL code from user-supplied data, according to CISA.
This means the database receives the statement and the values separately and treats user input purely as data, never as part of the statement, so malicious input cannot change the query's structure. One caveat a practitioner should keep in mind: placeholders bind values only. Table and column names, sort direction and similar identifiers cannot be parameterized and must be checked against a fixed allow-list before being placed in the query.
“Software manufacturers should systematically eliminate SQLi vulnerabilities by enforcing the use of parameterized queries in all their applications,” the agencies said.
They noted that some developers try to use “input sanitization techniques” to prevent SQLi vulnerabilities. While this can stop some attacks, “those techniques are fragile, difficult to apply at scale and can often be circumvented.”
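The following is an added example, not code from the advisory or from any product it mentions. It puts the exploitation described under “How are SQL injection flaws exploited?” next to the mitigation just discussed, using Python's built-in sqlite3 module against an in-memory database seeded with constructed rows. The users table, the login and lookup functions, and the payloads are all assumptions made for the demo. It shows a tautology payload that bypasses a concatenated login check, a UNION payload that reads a column the query never meant to expose, a quote-doubling “sanitizer” that fails as soon as the input lands in a numeric context, and the parameterized versions that resist all three.

```python
import sqlite3

# Constructed sample rows for the demo (not real data).
SAMPLE_USERS = [
    (1, "alice", "s3cret-alice", "alice@example.com"),
    (2, "bob", "s3cret-bob", "bob@example.com"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


# --- Vulnerable patterns (CWE-89): user input becomes part of the SQL text ---

def login_vulnerable(conn, username: str, password: str) -> bool:
    """Concatenated login query; the password field can rewrite the WHERE clause."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def email_vulnerable(conn, username: str) -> list:
    """Concatenated lookup; a UNION payload can pull any column from any table."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def naive_sanitize(value: str) -> str:
    """A typical 'sanitizer': doubles single quotes. Only helps inside a quoted string."""
    return value.replace("'", "''")


def usernames_by_id_sanitized(conn, user_id: str) -> list:
    """Sanitized, but interpolated into a numeric context where no quote is needed."""
    sql = ("SELECT username FROM users WHERE id = "
           + naive_sanitize(user_id) + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


# --- Hardened versions: prepared statements with parameterized queries ---

def login_parameterized(conn, username: str, password: str) -> bool:
    """The driver sends the SQL and the values separately; input is data, never code."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def email_parameterized(conn, username: str) -> list:
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def usernames_by_id_parameterized(conn, user_id: str) -> list:
    sql = "SELECT username FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Constructed payloads (assumptions for the demo)
TAUTOLOGY = "' OR '1'='1"                              # makes the WHERE clause always true
UNION_DUMP = "x' UNION SELECT password FROM users --"  # appends a second SELECT, comments out the rest
NUMERIC = "1 OR 1=1"                                   # contains no quote, so quote-escaping never fires


def run_demo() -> dict:
    """Run every payload against the vulnerable and the parameterized versions."""
    conn = build_db()
    return {
        "vuln_login_bypassed": login_vulnerable(conn, "alice", TAUTOLOGY),
        "param_login_bypassed": login_parameterized(conn, "alice", TAUTOLOGY),
        "vuln_union_leak": sorted(email_vulnerable(conn, UNION_DUMP)),
        "param_union_leak": email_parameterized(conn, UNION_DUMP),
        "sanitized_numeric_leak": usernames_by_id_sanitized(conn, NUMERIC),
        "param_numeric_lookup": usernames_by_id_parameterized(conn, NUMERIC),
        "param_numeric_valid": usernames_by_id_parameterized(conn, "1"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The numeric case is the one that catches quote-escaping sanitizers: the payload contains nothing to escape, and the concatenated query still returns every row. With a bound parameter the same string is compared as data against the integer column, matches nothing, and only a well-formed value such as "1" returns a row.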
CISA and the FBI said that technology companies should follow three principles when it comes to software development.
These include:
Take ownership of customer security
Software companies should provide secure building blocks for their software developers “to ensure that a single developer error does not compromise the data of millions of users.”
They should provide prepared statements with parameterized queries as standard practice in software development.
The advisory said they should enforce this through development libraries that make the safe path the default for developers, and through checks at the time of pull requests.
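One way to do the pull-request check the advisory describes, as an added example that is not code from the advisory or from any vendor it mentions: a small Python AST scan that flags any call to execute(), executemany() or executescript() whose SQL argument is not a plain string literal, which is the shape a parameterized query always has. The snippets it scans are constructed for the demo, the cursor method names and the literal-only rule are assumptions, and a real check would run over every file touched in the pull request (or as a lint rule in CI).

```python
import ast

# Constructed source snippets to scan; none of them come from a real code base.
SNIPPETS = {
    "fstring": 'cur.execute(f"SELECT * FROM t WHERE id = {uid}")',
    "percent": 'cur.execute("SELECT * FROM t WHERE id = %s" % uid)',
    "format": 'cur.execute("SELECT * FROM t WHERE id = {}".format(uid))',
    "concat": 'cur.execute("SELECT * FROM t WHERE id = " + uid)',
    "variable": 'q = "SELECT * FROM t WHERE id = " + uid\ncur.execute(q)',
    "parameterized": 'cur.execute("SELECT * FROM t WHERE id = ?", (uid,))',
    "constant": 'cur.execute("DELETE FROM sessions WHERE expired = 1")',
}

# Assumed DB-API cursor method names; extend with an ORM's raw-SQL entry points.
EXECUTE_NAMES = {"execute", "executemany", "executescript"}


def describe_sql_arg(node: ast.AST):
    """Return None for a plain string literal (the safe shape), else why it is not."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return "non-literal SQL expression"


def find_dynamic_sql(source: str) -> list:
    """Return (line, reason) for every execute-style call whose SQL is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXECUTE_NAMES or not node.args:
            continue
        reason = describe_sql_arg(node.args[0])
        if reason is not None:
            findings.append((node.lineno, reason))
    return findings


def scan_all(snippets: dict = SNIPPETS) -> dict:
    """Scan every snippet; a non-empty list means the PR check should fail."""
    return {name: find_dynamic_sql(src) for name, src in snippets.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        status = "FAIL" if findings else "ok"
        print(f"{status:4} {name}: {findings}")
```

The rule is deliberately strict: a query passed through a variable is flagged for review even though it might be a constant, because allowing that case is exactly where concatenation creeps back in. Developers who need dynamic identifiers (table names, sort columns) get an allow-listed helper in the shared library rather than an exemption from the check.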
Be transparent about CVE and CWE
Software companies must track the classes of vulnerabilities associated with their software and disclose them to their customers through the Common Vulnerabilities and Exposures (CVE) program.
Manufacturers must ensure that their CVE records are correct and complete, and must assign accurate Common Weakness Enumeration (CWE) identifiers, which name the underlying class of weakness, so that the industry can track classes of software defects.
“They should also identify and document the root causes of those vulnerabilities and declare that it is a business objective to work to eliminate entire classes of vulnerability,” the agencies said.
See the bigger picture
While software executives will worry about costs, features and customer experience, they should also prioritize the security of their products, the agencies said.
“Customers, our economy and our national security are currently the most affected by business decisions not to build security into their products,” they said.
The notice added that software executives should focus heavily on “steering the business toward developing secure software by design.”
These design principles will ultimately help reduce “financial and productivity costs as well as complexity.”