CISA Asks Companies to Fix Path Traversal Vulnerabilities

Such security holes can also allow threat actors to acquire sensitive data which can then be used to brute-force existing accounts and hack systems.

CISA and FBI urge companies to patch

CISA and the FBI today recommended that software companies assess their products and fix path traversal security flaws before shipping them.

Attackers can leverage path traversal vulnerabilities (also known as directory traversal) to create or overwrite important files used to execute malware or circumvent security systems such as authentication. 

“Additionally, this Alert highlights the prevalence, and continued threat actor exploitation of, directory traversal defects. Currently, CISA has listed 55 directory traversal vulnerabilities in our Known Exploited Vulnerabilities (KEV) catalog,” says the CISA and FBI joint report.

Impact of these security holes

Such security holes can also allow threat actors to acquire sensitive data, such as credentials, which can then be used to brute-force existing accounts and compromise the targeted systems.

Attackers can also disable or limit access to vulnerable systems by overwriting, destroying, or altering critical authentication files, which would lock out all users.

CISA and the FBI propose that software buyers ask vendors if they completed formal directory traversal testing. 

To eliminate this type of problem from all products, manufacturers should ensure that their software developers apply the necessary mitigations immediately. Integrating security into products from the start can eliminate directory traversal issues.

About directory traversal vulnerabilities

Directory traversal vulnerabilities occur when users manipulate inputs, such as file paths, to gain unauthorized access to application files and directories. Malicious cyber actors can use these exploits to access restricted directories and read, change, or write arbitrary files, which can have adverse effects.

How Can Software Vendors Avoid Directory Traversal Risks?

To minimize directory traversal vulnerabilities in software products, developers should apply proven mitigations such as:

  • Use random identifiers for stored files and keep the metadata separately (e.g., in a database) instead of relying on user input for a file name.
  • If that approach is not feasible, restrict file names to alphanumeric characters. Also ensure that uploaded files are not stored with executable permissions.
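The two mitigations above, together with the description of how traversal input reaches the filesystem, are shown here as an added example; it is not code from the article or from CISA's guidance. It contrasts the flawed pattern (user-supplied name joined straight onto the storage directory) with a minimal hardened store that names files by a random identifier, keeps the original name as metadata in SQLite, strips the executable bit, and checks that the resolved path stays inside the upload directory. The `FileStore`, `is_within`, `vulnerable_path` and `demo` names, and the `../../etc/passwd` sample input, are constructed for illustration.

```python
import os
import posixpath
import re
import secrets
import sqlite3
import stat
import tempfile

# Only identifiers produced by secrets.token_hex are accepted as on-disk names
# (the "restrict file names to alphanumeric characters" mitigation).
SAFE_NAME = re.compile(r"^[0-9a-f]{32}$")


def vulnerable_path(upload_dir: str, user_supplied_name: str) -> str:
    """The flawed pattern: a user-controlled name is joined straight onto the
    storage directory. '..' segments and absolute names both escape the base."""
    return posixpath.normpath(posixpath.join(upload_dir, user_supplied_name))


def is_within(base_dir: str, candidate: str) -> bool:
    """True only if candidate resolves (symlinks included) to a path under base_dir."""
    base = os.path.realpath(base_dir)
    cand = os.path.realpath(candidate)
    return os.path.commonpath([base, cand]) == base


class FileStore:
    """Hardened store: random identifier on disk, original name kept as metadata."""

    def __init__(self, upload_dir: str) -> None:
        self.upload_dir = os.path.realpath(upload_dir)
        self.db = sqlite3.connect(":memory:")  # metadata lives in the database, not the path
        self.db.execute(
            "CREATE TABLE files (id TEXT PRIMARY KEY, original_name TEXT, owner TEXT)"
        )

    def save(self, owner: str, original_name: str, data: bytes) -> str:
        file_id = secrets.token_hex(16)  # 32 hex chars, never derived from user input
        path = os.path.join(self.upload_dir, file_id)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o600)  # owner read/write only, no executable bit
        self.db.execute(
            "INSERT INTO files VALUES (?, ?, ?)", (file_id, original_name, owner)
        )
        self.db.commit()
        return file_id

    def load(self, file_id: str) -> tuple:
        # Reject anything that is not a well-formed identifier before touching the filesystem.
        if not SAFE_NAME.fullmatch(file_id):
            raise ValueError("malformed file identifier")
        row = self.db.execute(
            "SELECT original_name FROM files WHERE id = ?", (file_id,)
        ).fetchone()
        if row is None:
            raise FileNotFoundError(file_id)
        path = os.path.join(self.upload_dir, file_id)
        # Defence in depth: confirm the resolved path is still inside the upload directory.
        if not is_within(self.upload_dir, path):
            raise ValueError("resolved path escapes the upload directory")
        with open(path, "rb") as fh:
            return row[0], fh.read()


def demo() -> dict:
    """Exercise both patterns on constructed input and return the observations."""
    attacker_name = "../../etc/passwd"  # constructed traversal input for illustration
    results = {"vulnerable_resolves_to": vulnerable_path("/srv/uploads", attacker_name)}
    with tempfile.TemporaryDirectory() as tmp:
        store = FileStore(tmp)
        file_id = store.save("alice", attacker_name, b"report contents")
        results["id_is_safe"] = bool(SAFE_NAME.fullmatch(file_id))
        results["roundtrip"] = store.load(file_id)  # original name survives as metadata
        mode = os.stat(os.path.join(tmp, file_id)).st_mode
        results["executable"] = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        try:
            store.load(attacker_name)
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
        results["escape_detected"] = not is_within(tmp, os.path.join(tmp, attacker_name))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The identifier check and the `is_within` check are deliberately redundant: the regex stops malformed input early and cheaply, while the realpath comparison catches anything the filesystem itself might reinterpret (a symlink dropped into the upload directory, for instance), which a string-level check alone cannot see.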

Path traversal vulnerabilities ranked eighth on MITRE's list of the 25 most dangerous software weaknesses, trailing only out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bounds read flaws.

In March, CISA and the FBI released another "Secure by Design" alert, advising executives of software manufacturing companies to develop mitigations to prevent SQL injection (SQLi) security risks.

SQLi vulnerabilities were listed third among MITRE's top 25 most hazardous software vulnerabilities between 2021 and 2022, trailing only out-of-bounds writes and cross-site scripting.
