Hidden software vulnerabilities are silent nightmares waiting to awaken chaos. Though security is still a priority with the rise of DevSecOps, there continues to be a sharp increase in exploitable vulnerabilities this year compared to last. Among these vulnerabilities, code execution attacks stand out as some of the sneakiest and worst threats.
Remote code execution (RCE), as it’s commonly called, allows an attacker to execute malicious code on a computer remotely. The impact of an RCE vulnerability can range from a simple malware execution to an attacker gaining complete control of the compromised machine.
This article will start by explaining what code execution vulnerabilities are and highlighting high-profile RCE attacks. Then, we will walk you through three preventative steps you need to take now against RCE attacks.
The Inside Scoop on Remote Code Execution Vulnerabilities
There are a few ways for RCE attacks to occur, and injection attacks are the most popular. Most applications today use user-provided data as input to a command. In an injection attack, an attacker intentionally provides malicious input that an application interprets as part of the command being executed. This activity allows the attacker to control the commands executed on the vulnerable system or execute arbitrary code.
Another type of RCE attack is deserialization, which occurs when an application fails to properly sanitize user-supplied data before deserializing it. An example of this was discovered in Adobe BlazeDS, a Java remoting and web messaging technology. Subsequently, deserialization was added to the Common Vulnerabilities and Exposures (CVE) database as CVE-2011-2092 and has since been patched.
Out-of-bounds write is a third way for RCE attacks to occur. Applications regularly allocate fixed-size chunks of memory for storing data. This attack takes advantage of the memory allocation process as malicious actors write data outside the allocated memory storage buffer resulting in data corruption or a system crash.
Recent high-profile RCE vulnerabilities
In July 2023, Microsoft disclosed the existence of an ongoing phishing campaign attributed to STORM-0978, a Russia-based threat actor, which leverages CVE-2023-36884, an RCE vulnerability present in current versions of its Windows operating system and flagship Microsoft Office suite. Earlier this year in February 2023, Apache resolved an exploitable vulnerability discovered in Kafka Connect. The critical flaw is tracked as CVE-2023-25194.
More popularly, in December 2021, an acute RCE vulnerability tracked as CVE-2021-44228 was reported in the Apache logging package Log4J used in many Internet services and applications. The vulnerability allowed attackers to execute cryptojackers and other malware on compromised servers, ultimately becoming one of the most frightening attacks in recent memory.
Preventative Steps to Mitigate Code Execution Vulnerabilities
According to the Infosec Institute, the average time to patch a vulnerability is 60 days, significantly longer than the average time it takes attackers to exploit newly discovered vulnerabilities – 15 days. This gap demonstrates the importance of prioritizing RCE prevention using the following steps.
1. Secure coding practices and code reviews
Prevention against RCE attacks starts with how you build the application. The first approach to secure coding practices is ensuring proper user input validation, which involves filtering out potentially malicious characters or code and processing data only after validation.
Another essential practice to remember is avoiding risky functions like eval() in PHP that enable the execution of string as code, opening the door to RCE attacks. At the same time, use secure dependencies without known vulnerabilities.
Limiting the privileges of the code or processes to the absolute minimum necessary for their intended functionality is also effective. This best practice reduces the potential impact of an RCE attack by restricting what an attacker can do even if they gain access.
Fostering a culture of secure coding practices and encouraging thorough code reviews throughout development help identify weak points in the codebase and provide opportunities for remediation before each deployment.
2. Automate updates of dependencies
Even with secure dependencies, vulnerabilities can still crop up, which you can mediate by keeping those dependencies up to date. Manually updating dependencies in this era of microservices is practically impossible, hence the need to automate the process.
While automation is a powerful ally, exercise caution to avoid blind reliance. Stay informed about potential updates of your dependencies and validate that the automated process aligns with your application’s specific needs and potential compatibility concerns.
3. Use scanning tools that detect RCE
Regularly scanning for vulnerabilities can help to identify and address RCE vulnerabilities before attackers discover and exploit them. Scanning tools eliminate blind spots by continuously uncovering and monitoring supply chain gaps and proprietary code assets across multiple codebases.
Scanning tools can help detect RCE vulnerabilities; your choice scanning engine should be automated, combining AI and CVE database updated detectors that help you monitor, classify, and protect your code, assets, and infrastructure.
Leverage Advanced Security Strategies to Stay One Step Ahead
Code execution vulnerabilities are a serious threat to system security. By taking the steps outlined above, you can help to protect your systems from RCE attacks and the severe consequences. Additionally, staying informed about emerging RCE threats and leveraging advanced security technologies will help bolster your defenses and minimize the impact of potential attacks.