Unrestricted Code Execution

Joao Correia

February 19, 2024 - Technical Evangelist

This article is part of a series where we look at a recent NSA/CISA Joint Cybersecurity Advisory on the top cybersecurity issues identified during red/blue team exercises operated by these organizations. In this article, you will find a more in-depth look at the specific issue, with real-world scenarios where it is applicable, as well as mitigation strategies that can be adopted to limit or overcome it. This expands on the information provided by the NSA/CISA report.

–

Unrestricted code execution presents a formidable threat. It occurs when systems allow unverified programs or scripts to execute without adequate restrictions. This issue can be exploited by threat actors to run arbitrary, malicious payloads within a network – often leading to severe security breaches. This article explores the nature of this risk and discusses strategies to mitigate it.

Unrestricted Code Execution

Unrestricted code execution allows threat actors to execute arbitrary code after gaining initial access to a system, such as through a successful phishing attack or through exploiting an unpatched vulnerability. Commonly, attackers convince users to execute code that provides them with remote access to internal networks. This code often takes the form of unverified programs or scripts with no legitimate business purpose. These malicious programs often use sophisticated techniques to obfuscate their true nature and bypass security protocols.

Examples and Techniques of Exploitation

Attackers often use executables, DLLs, HTML applications, and scripts in multiple languages like PHP, ASP, and JavaScript.
Scripting languages, commonly used in web services – but not restricted to those services – can be manipulated to execute malicious activities without triggering basic security alerts.
Known vulnerabilities in system drivers can be exploited to execute code at the kernel level, leading to full system compromise.

Mitigating the Risk

Application Whitelisting: Implement allowlisting to restrict applications and code that can run on the network. Only known and trusted software should be allowed. Note that whitelisting applications is orders of magnitude more secure than blacklisting known-bad executables (a notoriously error-prone and easily manipulated technique).
Regular Security Audits and Monitoring: Conduct audits to detect and rectify misconfigurations or unauthorized applications. Establish a baseline “expected” profile for systems and monitor for deviations. This proactive approach can quickly identify and address unauthorized applications or processes.
User Education and Phishing Awareness: Comprehensive staff training can significantly reduce the risk of phishing attacks and other social engineering tactics. Train staff to recognize and report phishing attempts and suspicious activities like unexpected slow performance or application alerts.
Use of Sandboxing Techniques: Deploy sandboxing to isolate and test untrusted programs and code in a secure environment. Run new software in secure environments, like locked down virtual machines, while assessing their security profile.
Strict Access Control: Enforce strict access controls to limit what code can be executed, especially by non-administrative users.
Regular Software Updates: Keep all systems and applications updated to patch known vulnerabilities that could be exploited.
Network Segmentation: Although primarily a damage mitigation technique, network segmentation can limit the spread and impact of any malicious code that does execute.

Final Thoughts

Addressing unrestricted code execution is vital for safeguarding networks against sophisticated cyber threats. A combination of strict application control policies, user education, advanced techniques like sandboxing, and allowlisting can significantly reduce the risk of unauthorized code execution. By adopting these strategies, organizations can enhance their defense against one of the most pernicious threats in the cyber landscape.

Summary