Recent headlines have indicated that several major companies were affected by Remote Code Execution (RCE) vulnerabilities in the month of October alone. RCE flaws are widely exploited in the wild, and organizations are continually releasing patches to mitigate them. RCE is a type of Arbitrary Code Execution (ACE) attack in which the threat actor executes malicious commands on the target’s device. RCE attacks are such a serious concern because they can be carried out from anywhere in the world. RCE vulnerabilities can be found in all kinds of technology, from programming languages to software and hardware, which makes the probability of an RCE attack quite high. Beyond the initial penetration of a system, RCE has many more severe impacts, such as data theft, privilege escalation, ransomware installation, Denial of Service (DoS) attacks, and crypto-mining.
An RCE attack typically unfolds as follows: first, the threat actor scans internet-facing devices for vulnerabilities that could be used to perform the attack; once a suitable vulnerability is found, it is exploited to gain access to the system. Finally, the attacker executes malicious code on the system and can steal data, corrupt system integrity, delete files, alter permissions, and download malware.
Vulnerabilities required for RCEs
Comparitech details several vulnerabilities that are favorable for RCEs.
- Broken authentication – This occurs when the authentication measures for systems, websites, session management, and applications are incorrectly implemented. Threat actors are then able to compromise the system, passwords, keys, and session tokens, and may chain this with other vulnerabilities to execute arbitrary code on the system.
- Improper Access Control Lists (ACLs) – A threat actor might be able to gain access through misconfigured rules in an ACL.
- Buffer overflows – When a program writes more data into a memory area than that area was allocated to hold, the excess data overwrites the legitimate contents of the neighboring memory addresses; an attacker who controls that data can overwrite them with arbitrary code.
- Deserialization manipulation – When an object is passed from one part of a program to another, it is converted into a byte stream (serialized), and when it arrives at the destination it is converted back into the original object (deserialized). Threat actors can tamper with the serialized data so that the deserialization process executes code of their choosing, resulting in RCE.
Types of RCE attacks and exploit techniques
Imperva lists the types of RCE attacks and their exploit techniques.
There are two main exploit techniques available for RCEs. Remote Code Evaluation applies to applications that accept user input, for example where users create their own usernames: a threat actor can craft this input so that the application evaluates it as code and executes it. The second technique is Stored Code Evaluation, in which attackers inject malicious code into a configuration file, for instance by modifying a language parameter, so that the stored value is evaluated as code later.
Types of RCE attacks –
- Injection attacks – In applications that process user input, such as SQL queries, an attacker supplies malicious data that is interpreted as part of the command.
- Deserialization attacks – User-supplied serialized data is deserialized in a way that lets it execute as arbitrary code.
- Out-of-bounds write – Memory allocation flaws that allow writes past the end of a buffer, contributing to attacks such as buffer overflows.
How to detect and mitigate RCE attacks
To detect RCE vulnerabilities, it is advised to use a Software Composition Analysis (SCA) tool to scan web applications, and a network scanning and monitoring solution to inspect the traffic of networked systems and applications. Using a vulnerability scanner and conducting manual penetration testing will also help to detect RCE vulnerabilities.
When mitigating RCE attacks, validating and sanitizing user-supplied input is crucial, since untrusted input is what enables most injection and deserialization attacks. Proper management of memory buffers, together with access control mechanisms such as access management, ACLs, network segmentation, and zero trust policies, will help to prevent the various RCE attack types.
To mitigate RCE attacks in third-party software, keep the application updated to the latest security release and run a Web Application Firewall (WAF); both make RCE flaws harder to exploit.
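As an added illustration of the validation and safe-deserialization advice above (example code written for this article, not from the original post or any vendor), the following Python handler accepts a user profile record only as a data-only format (JSON) with a fixed schema, an allowlisted username character set, and an allowlisted language value. The field names, the regular expression and the sample records are assumptions constructed for the example.

```python
import json
import re

# Allowlist for usernames (hypothetical policy): letters, digits, "_", ".", "-".
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
# Allowed values for the "language" setting (hypothetical allowlist).
ALLOWED_LANGS = {"en", "de", "fr", "es"}
# Exact set of fields a settings record may carry, with the expected type of each.
SETTINGS_SCHEMA = {"username": str, "language": str, "theme": str}


def validate_username(raw):
    """Allowlist validation: accept only the permitted character set and length."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def load_settings(payload):
    """Hardened loader: JSON only (no object reconstruction), fixed schema,
    type checks on every field, and allowlisted values for risky fields."""
    try:
        data = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:  # JSONDecodeError is a ValueError
        raise ValueError("malformed settings") from exc
    if not isinstance(data, dict) or set(data) != set(SETTINGS_SCHEMA):
        raise ValueError("unexpected or missing fields")
    for key, expected in SETTINGS_SCHEMA.items():
        if not isinstance(data[key], expected):
            raise ValueError("bad type for " + key)
    validate_username(data["username"])
    if data["language"] not in ALLOWED_LANGS:
        raise ValueError("unsupported language")
    return data


def is_rejected(payload):
    """Return True when the hardened loader refuses the payload."""
    try:
        load_settings(payload)
    except ValueError:
        return True
    return False


# Constructed sample records for demonstration.
GOOD = b'{"username": "alice_01", "language": "en", "theme": "dark"}'
EXTRA_FIELD = b'{"username": "alice", "language": "en", "theme": "dark", "x": "y"}'
BAD_USERNAME = b'{"username": "alice; id", "language": "en", "theme": "dark"}'
BAD_LANGUAGE = b'{"username": "alice", "language": "zz", "theme": "dark"}'

if __name__ == "__main__":
    print(load_settings(GOOD))
    print([is_rejected(s) for s in (EXTRA_FIELD, BAD_USERNAME, BAD_LANGUAGE)])
```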
The number and impact of RCE attacks are growing constantly. Many systems and platforms have already been affected or are vulnerable to some form of RCE attack. This makes it critical to identify these types of attacks and apply proper security controls and defenses against them.
About the Author:
Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.