CISA and the FBI urged software companies today to review their products and eliminate path traversal security vulnerabilities before shipping.
Attackers can exploit path traversal vulnerabilities (also known as directory traversal) to create or overwrite critical files used to execute code or bypass security mechanisms like authentication.
Such security flaws can also let threat actors access sensitive data, such as credentials that can later be used to brute-force already existing accounts to breach the targeted systems.
Another possible scenario is taking down or blocking access to vulnerable systems by overwriting, deleting, or corrupting critical files used for authentication (which would lock out all users).
“Directory traversal exploits succeed because technology manufacturers fail to treat user supplied content as potentially malicious, hence failing to adequately protect their customers,” CISA and the FBI said [PDF].
“Vulnerabilities like directory traversal have been called ‘unforgivable’ since at least 2007. Despite this finding, directory traversal vulnerabilities (such as CWE-22 and CWE-23) are still prevalent classes of vulnerability.”
Prompted by recent exploitation in critical infrastructure attacks
This joint alert comes in response to “recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector,” the two federal agencies said.
For instance, the ScreenConnect CVE-2024-1708 path traversal bug was chained with the CVE-2024-1709 auth bypass flaw in Black Basta and Bl00dy ransomware attacks pushing CobaltStrike beacons and buhtiRansom LockBit variants.
CISA and the FBI advised software developers to implement “well-known and effective mitigations” that would prevent directory traversal vulnerabilities, including:
- Generating a random identifier for each file and storing associated metadata separately (e.g., in a database) rather than using user input when naming files.
- Strictly limiting the types of characters that can be supplied in file names, e.g., by restricting them to alphanumeric characters.
- Ensuring that uploaded files don’t have executable permissions.
Path vulnerabilities took the eighth spot in MITRE’s top 25 most dangerous software weaknesses, surpassed by out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bound read flaws.
In March, CISA and the FBI issued another “Secure by Design” alert urging executives of software manufacturing companies to implement mitigations to prevent SQL injection (SQLi) security vulnerabilities.
SQLi vulnerabilities ranked third in MITRE’s top 25 most dangerous weaknesses affecting software between 2021 and 2022, topped only by out-of-bounds writes and cross-site scripting.