
Vulnerabilities

CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities

CISA and the FBI warn of threat actors abusing path traversal software vulnerabilities in attacks targeting critical infrastructure. (This article appeared first on SecurityWeek.)

The US cybersecurity agency CISA and the FBI on Thursday released a Secure by Design Alert warning of path traversal software vulnerabilities being exploited in attacks targeting critical infrastructure entities.

Also known as directory traversal, path traversal flaws rely on manipulated user input to access application files and directories that should not be accessible. Successful exploitation allows threat actors to manipulate arbitrary files, read sensitive data, and potentially fully compromise the system.

Documented for over two decades and deemed ‘unforgivable’ in 2007, path traversal defects remain a persistent class of bugs in software, with at least two recent issues exploited against critical infrastructure sectors, including healthcare and public health organizations.

In response to the exploitation of the two vulnerabilities – which impact ConnectWise ScreenConnect (CVE-2024-1708) and Cisco AppDynamics Controller (CVE-2024-20345) – CISA and the FBI are urging organizations (PDF) to ensure their software developers eliminate this class of security defects.

CISA currently lists 55 path traversal flaws in its Known Exploited Vulnerabilities (KEV) Catalog.

The two US government agencies underline that a secure by design software development lifecycle is the basis for eliminating security holes, including path traversal flaws, because products are then built in a way that reasonably protects them from bug exploitation.

“Incorporating this risk mitigation at the outset—beginning in the design phase and continuing through product release and updates—reduces both the burden of cybersecurity on customers and risk to the public,” CISA and the FBI note.

Well-known and effective mitigations include using random identifiers for files and storing their metadata separately, limiting the number of characters in file names, and ensuring that uploaded files do not have execution permissions.
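As an added example (not code from the alert, the agencies or SecurityWeek), the following Python sketch puts those mitigations side by side: a containment check that normalises the requested path before comparing it with the upload root, next to the 'before' form that joins user input directly, and an upload store that names files with random identifiers, keeps the client-supplied name only as separate metadata, caps its length and never sets the execute bit. The directory names, the 255-character limit and all function names are assumptions for the illustration.

```python
import os
import secrets
from pathlib import Path

MAX_NAME_LEN = 255  # constructed limit on the client-supplied name

def vulnerable_resolve(base: str, user_path: str) -> Path:
    """'Before' form: user input joined straight onto the base, so '../../etc/passwd'
    or an absolute path resolves outside it."""
    return (Path(base) / user_path).resolve()

def is_within(base: str, user_path: str) -> bool:
    """True only if user_path, after '..' normalisation and symlink resolution,
    lands strictly inside base (the base directory itself does not count)."""
    base_real = Path(base).resolve()
    candidate = (base_real / user_path).resolve()
    return base_real in candidate.parents

def safe_resolve(base: str, user_path: str) -> Path:
    if not is_within(base, user_path):
        raise ValueError(f"path escapes {base!r}: {user_path!r}")
    return (Path(base).resolve() / user_path).resolve()

def check_original_name(name: str) -> str:
    """Validate the client-supplied name kept as metadata; it never forms a path."""
    if not name or len(name) > MAX_NAME_LEN or "\x00" in name or "/" in name:
        raise ValueError("rejected file name")
    return name

class UploadStore:
    """Files are stored under random identifiers; the original name is kept in a
    separate metadata map, so user input never becomes part of an on-disk path."""
    def __init__(self, root: str):
        self.root = Path(root).resolve()
        self.metadata = {}  # file_id -> {"name": original client-supplied name}

    def store(self, original_name: str, data: bytes) -> str:
        file_id = secrets.token_hex(16)  # 32 hex chars: unguessable and path-safe
        self.metadata[file_id] = {"name": check_original_name(original_name)}
        self.root.mkdir(parents=True, exist_ok=True)
        (self.root / file_id).write_bytes(data)
        os.chmod(self.root / file_id, 0o600)  # owner read/write, no execute bit
        return file_id

    def read(self, file_id: str) -> bytes:
        if file_id not in self.metadata:  # look the id up, never join user input
            raise KeyError("unknown file id")
        return (self.root / file_id).read_bytes()
```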

OWASP’s guidance on path traversal flaws includes additional mitigations that both software manufacturers and cloud services operators are advised to review and implement.

Additionally, organizations are advised to test products against path traversal bugs and protect themselves against their exploitation by adhering to the three principles detailed in the secure by design guidance published in October 2023.

By fully implementing the recommended secure by design principles and practices, software manufacturers can protect their customers from a wide range of malicious attacks, the two agencies say.

“Further, CISA and the FBI urge manufacturers to publish their own secure by design roadmap to demonstrate that they are not simply implementing tactical controls but are strategically rethinking their responsibility in keeping customers safe,” CISA and the FBI note.
