What is a remote code execution (RCE) attack?
A Remote Code Execution (RCE) attack occurs when malicious actors exploit security vulnerabilities to gain unauthorized access and remotely execute code on your systems or servers. This enables attackers to take full control, steal data, install malware, or use the system to launch further attacks.
RCE vulnerabilities are particularly dangerous because they allow attackers to compromise systems without requiring authentication or user interaction, making them a critical security risk for organizations. These attacks can lead to severe consequences, including data breaches and system exploitation.
Malicious code in RCE explained
RCE attacks inject malicious code into target systems to gain unauthorized access, steal data, or disrupt services. Malicious code includes various types of software designed for harmful actions:
Viruses: Attach to files and spread to others
Worms: Self-replicating, spread without host files
Trojans: Disguise themselves as legitimate files
Spyware: Collects data from target systems
Adware: Displays unwanted ads and collects sensitive data
Keyloggers: Capture keystrokes to steal sensitive information
Rootkits: Provide attackers with administrative control
Ransomware: Encrypts files for extortion
Wipers: Erase data
Malicious code can be delivered through email attachments, compromised websites, fake software sharing sites, and fraudulent apps. RCE attacks typically unfold in stages:
Initial Access: Attackers use social engineering or malware to breach the system.
Establish Persistence: They maintain access by creating accounts or deploying backdoors.
Privilege Escalation: Attackers gain more control, bypass security measures, and search for sensitive data.
Exploitation: Attackers carry out their objectives, such as stealing data, launching ransomware, or spreading the attack further.
Building defenses against malicious code requires proactive security measures at every stage to prevent, detect, and respond to RCE threats.
How does an RCE attack work?
In an RCE attack, malicious payloads are often delivered through user input fields, network protocols, or manipulated data formats. For example, an attacker might inject malicious code into a web application's input form, which, if not properly validated, could execute on the server side.
Once injected, the malicious code runs with the same privileges as the compromised application or user. If the vulnerable application has elevated privileges, such as admin rights, the attacker gains those same privileges, leading to further exploitation.
The success of an RCE attack depends on the vulnerability's strength, the attacker's skill, and the payload's effectiveness.
The Cloud Threat Landscape
The Cloud Threat Landscape is a threat intelligence database that summarizes cloud incidents and offers insights into targeting patterns and initial access methods.
Explore
The goals of RCE attacks
The main objective of remote code execution attacks is to undermine the targeted system's confidentiality, integrity, and availability. Hackers may execute code to steal sensitive data, including PII, intellectual property, or financial data, resulting in data breaches and reputational damage.
So what exactly are hackers leveraging RCE seeking to do?
| Goal | Description |
|---|---|
| Escalate privileges | Once an attacker successfully executes their code, they can pursue various malicious objectives, e.g., attempt to escalate their privileges and gain administrative rights to take full control of the compromised system. With elevated privileges, attackers can access sensitive files, modify system configurations, or disable security controls. |
| Deploy malware | Hackers can further exploit RCE vulnerabilities to deploy malware, including spyware, ransomware, and Trojans. Malware can encrypt critical data, spy on user activities, or create backdoors for persistent access. Attackers may use the compromised system as a launching pad to spread malware laterally across the network, infecting other vulnerable systems. |
| Perform DoS attacks | In some cases, malicious actors may launch denial-of-service (DoS) attacks. By consuming system resources or crashing applications, they can disrupt the availability of critical services, causing operational downtime and financial losses. |
| Server takeover | Some RCE attacks seek to take over target servers by creating a persistent backdoor that allows unauthorized access to the system. For example, an attacker may exploit applications that dynamically reference external scripts by tricking them into downloading a trojan containing a backdoor. Once installed, the backdoor allows the attacker to access the system at will and escalate their attack. |
RCE attacks can result in a company facing severe reputational damage and be a major blow to customer trust. Data breaches due to RCE vulnerabilities can lead to the exposure of sensitive customer information, meaning possible legal and regulatory repercussions, financial penalties, and damage to your brand image.
Common attack vectors for RCE
The most common attack vectors for RCE attacks include web application vulnerabilities, unpatched and misconfigured software, and supply chain and dependency exploits.
Web application vulnerabilities
Web-based applications may contain flaws that enable several types of RCE attack methods:
SQL injection: Manipulating input fields to expose sensitive data or modify databases.
Cross-site scripting (XSS): Injecting malicious scripts to steal cookies or execute code in users’ browsers.
Insecure APIs: Exposing systems to RCE by lacking proper authentication or request validation.
File deserialization vulnerabilities: Exploiting improper deserialization of input to execute malicious code in the application.
Unpatched software and misconfigurations
Outdated software and misconfigured servers increase RCE risks. For example, vulnerabilities like the one in Apache Log4j allow arbitrary code execution via the logging function. Servers with open ports or weak authentication can also be vulnerable.
Supply chain attacks and dependency exploits
Attackers may inject malicious code into third-party libraries, frameworks, or packages. Malicious open-source libraries disguised as legitimate software can trick users into installing malware, especially if the software is outdated or unverified.
CI/CD pipeline abuse: Exploiting trusted relationships in automated software development pipelines can introduce RCE vulnerabilities, especially when attackers target build processes or updates.
Containers and microservices
Misconfigurations in containerized environments like Kubernetes can open the door for RCE attacks. Containers that fail to properly isolate processes or have shared vulnerable dependencies are especially at risk.
Insecure webhooks
Improperly authenticated or unsanitized webhooks can also be exploited for RCE, providing attackers with a way to inject malicious code into systems through remote triggers.
Best practices for mitigating and detecting RCE attacks
To effectively mitigate and detect RCE attacks, organizations will need to adopt the following best practices.
Use secure coding practices
Implement input validation and sanitization to block malicious code injections.
Avoid dangerous functions like eval() and exec() that allow arbitrary code execution.
Enable buffer overflow protection with languages that offer built-in safeguards (e.g. stack canaries).
Use static and dynamic code analysis tools to detect arbitrary code execution vulnerabilities.
Strengthen web application security measures
Deploy web application firewalls (WAFs) to monitor and filter traffic through web applications and detect and block RCE attempts.
Apply a Content Security Policy (CSP) to restrict site code functionality and prevent script-based attacks.
Regularly update the OS and dependencies
Keep operating systems, applications, and libraries up to date with security patches.
Prioritize patching based on risk level and potential impact.
Implement strict input validation and sanitization
Check and sanitize all input from users to avoid cross-site scripting (XSS), SQL injection, and other attacks.
Adopt secure programming techniques, e.g., validating inputs, encoding outputs, and utilizing parameterized queries, to lower the chances of vulnerabilities due to malicious code injection.
Use well-established libraries and frameworks that provide built-in input validation and sanitization mechanisms.
Network segmentation and isolation
Segment networks to isolate critical systems and limit lateral movement within the environment.
Limit user and application permissions to only what's necessary.
Regularly review and update access controls to reduce exposure of critical systems and data.
Security monitoring and logging
Ensure comprehensive logging of critical activities across systems, and set up alerts for suspicious actions
Use intrusion detection and prevention systems (IDPS) to monitor network traffic for potential RCE attempts.
Monitor endpoints for signs of malicious activity, like unauthorized process execution or unusual network connections.
Practice continuous vulnerability assessments and penetration testing
Perform vulnerability assessments on a regular basis to uncover weaknesses in your systems and apps.
Prioritize identified vulnerabilities for remediation depending on how serious a threat they pose to your organization.
Adopting these best practices and taking a proactive approach to security can significantly diminish an organization's risk of falling prey to remote code execution (RCE) attacks and minimize the potential impact of successful intrusions.
Security is an ongoing endeavor, and organizations must continuously monitor, assess, and adapt their security measures to keep pace with the ever-evolving threat landscape.
Real-world impacts of RCE vulnerabilities and attacks
RCE vulnerabilities can appear in a wide range of software and systems. The potential uses of an RCE attack and the impacts it can have highlight the importance of proactively identifying and mitigating RCE vulnerabilities.
The examples below underline that RCE is still a popular and potent attack strategy.
XZ Utils
A backdoor (CVE-2024-3094), deliberately planted by a malicious actor, was discovered in versions 5.6.0 and 5.6.1 of XZ Utils, a widely used data compression library. The backdoor can lead to remote code execution via SSH authentication in certain Linux distributions that use the compromised library.
Ivanti VPN instances
Several high-severity vulnerabilities were discovered in Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways in early 2024. Some of these, like CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, were exploited in the wild by threat actors before patches were released, giving attackers access to critical VPN infrastructure.
MOVEit transfer
The RCE vulnerability (CVE-2023-34362) in MOVEit Transfer has been actively exploited in the wild since at least May 2023. The vulnerability allows unauthenticated attackers to access and potentially modify or delete sensitive data stored in the MOVEit Transfer database.
MOVEit Transfer is a highly popular managed file transfer (MFT) service, and multiple organizations have disclosed breaches due to this vulnerability, with the Cl0p ransomware group claiming responsibility for the attacks. Given the sensitive nature of data typically handled by MFT services, the potential impact of this vulnerability is severe.
Linux kernel `ksmbd` module
The Linux kernel's ksmbd module, introduced in version 5.15, contains a critical remote code execution vulnerability (CVE-2022-47939). This vulnerability allows malicious actors to run arbitrary code on a system without having to authenticate themselves.
Exim
Multiple vulnerabilities, including a critical one (CVE-2023-42115), were recently disclosed in Exim, one of the world's most popular mail transfer agents (MTAs).
CVE-2023-42115 allows unauthenticated remote code execution on Exim servers with "External" authentication enabled, potentially leading to attackers gaining initial access to organizations through exposed SMTP ports.
FortiOS
CVE-2023-25610, a critical remote code execution vulnerability in Fortinet's FortiOS and FortiProxy, was recently disclosed. The vulnerability is due to a buffer underwrite bug in the administrative interface, potentially allowing unauthenticated attackers to execute arbitrary code or cause denial-of-service using specially crafted requests.
Mitigate RCE threats and enhance your cloud security with Wiz
One of the key strengths of Wiz is its ability to detect RCE vulnerabilities based on the specific software versions running in the environment. By considering not only the software itself but also its configurations and other relevant factors, Wiz provides a thorough assessment of the attack surface. This level of granularity is crucial in identifying and prioritizing remediation efforts.
In the event of an active RCE attack, Wiz's capabilities extend beyond vulnerability detection to:
Identifying the presence of malware and monitoring communication with known malicious IPs or domains
Leveraging powerful queries to quickly identify infected resources or those engaging in suspicious communication with threat actors
Enabling real-time detection so teams can respond swiftly and contain the impact of an ongoing attack
To learn more about how Wiz can help secure your software against RCE attacks, request a demo today and take the first step toward improving your security posture.
Detect real-time malicious behavior in the cloud
Learn why CISOs at the fastest growing companies choose Wiz to secure their cloud environments.
