CISA urges software developers to eliminate path traversal vulnerabilities

CISA and the FBI today urged software companies to review their products and eliminate path traversal security vulnerabilities before shipping.

Attackers can exploit path traversal vulnerabilities (also known as directory traversal) to create or overwrite critical files, which can then be used to execute code or bypass security mechanisms such as authentication.

Such security flaws could also allow an attacker to read sensitive data, such as credentials, that can later be used to brute-force existing accounts and break into the targeted system.

Another possible scenario is to take down or lock up a vulnerable system by overwriting, deleting, or corrupting critical files used for authentication (which would lock out all users).

“Directory traversal exploits succeed because technology manufacturers fail to treat user-provided content as potentially malicious and fail to adequately protect their customers,” CISA and the FBI said [PDF].

“Vulnerabilities like directory traversal have been said to be ‘unforgivable’ since at least 2007. Despite this discovery, directory traversal vulnerabilities (such as CWE-22 and CWE-23) remain a prevalent class of vulnerabilities.”

Alert triggered by recent exploits in critical infrastructure attacks

“This joint alert identifies recent well-known adversary campaigns exploiting directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345), compromising users of the software and impacting critical infrastructure sectors, including the medical and public health sectors,” the two federal agencies said.

For example, the ScreenConnect CVE-2024-1708 path traversal bug was chained with the CVE-2024-1709 authentication bypass flaw in Black Basta and Bl00dy ransomware attacks to push Cobalt Strike beacons and the buhtiRansom LockBit variant.

CISA and the FBI recommended that software developers implement “well-known and effective mitigations” to prevent directory traversal vulnerabilities.

  • Rather than using user input when naming files, generate a random identifier for each file and store the associated metadata separately (e.g., in a database).
  • Strictly restrict the types of characters that can be used in file names, such as limiting them to alphanumeric characters.
  • Verify that the uploaded file does not have execute permission.
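The three mitigations above, put together in one upload handler. This is an added illustration written for this article, not code from CISA, the FBI, or any of the vendors mentioned: the allowlist regex, the use of `secrets.token_hex` for the random identifier, the canonical-path check, and the `0o600` file mode are my own choices, and `vulnerable_path` is included only to show the CWE-22 pattern the guidance is warning against.

```python
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path

# Mitigation 2: an allowlist, not a denylist. Alphanumerics, dot, dash and
# underscore only; the first character must be alphanumeric so ".." and
# dotfiles are rejected outright. (Assumed policy, not from the advisory.)
_FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_allowed_filename(name: str) -> bool:
    """True only if the user-supplied name uses allowlisted characters."""
    return bool(_FILENAME_RE.fullmatch(name))


def vulnerable_path(upload_dir: str, user_name: str) -> str:
    """The CWE-22 pattern: user input flows straight into the path.
    os.path.join happily keeps '../' segments, so the caller may end up
    writing outside upload_dir."""
    return os.path.join(upload_dir, user_name)


def resolves_inside(base: Path, candidate: Path) -> bool:
    """Defence in depth: canonicalise both paths (symlinks and '..' removed)
    and require the candidate to sit at or below base."""
    base_r = base.resolve()
    cand_r = candidate.resolve()
    return base_r == cand_r or base_r in cand_r.parents


def store_upload(upload_dir: Path, original_name: str, data: bytes, metadata: dict) -> str:
    """Mitigation 1: the on-disk name is a random id; the user-chosen name
    lives only in the metadata store (a dict stands in for a database here)."""
    if not is_allowed_filename(original_name):
        raise ValueError("rejected filename: disallowed characters")
    file_id = secrets.token_hex(16)  # 32 hex chars, never derived from input
    target = upload_dir / file_id
    if not resolves_inside(upload_dir, target):
        raise ValueError("path escapes upload directory")
    with open(target, "wb") as fh:
        fh.write(data)
    # Mitigation 3: owner read/write only, no execute bit for anyone.
    os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)
    metadata[file_id] = {"original_name": original_name, "size": len(data)}
    return file_id


def has_execute_bit(path: Path) -> bool:
    """Check used after upload to verify mitigation 3 actually held."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def demo() -> dict:
    """Run the handler against a constructed benign name and a constructed
    traversal-style name in a throwaway directory; returns what happened."""
    upload_dir = Path(tempfile.mkdtemp())
    metadata: dict = {}
    good_id = store_upload(upload_dir, "report-2024.pdf", b"%PDF-1.4 sample", metadata)
    try:
        store_upload(upload_dir, "../../etc/passwd", b"x", metadata)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "good_id_len": len(good_id),
        "stored_name_is_random": good_id != "report-2024.pdf",
        "original_name": metadata[good_id]["original_name"],
        "executable": has_execute_bit(upload_dir / good_id),
        "traversal_rejected": rejected,
        "naive_join": vulnerable_path("/srv/uploads", "../../etc/passwd"),
    }


if __name__ == "__main__":
    print(demo())
```

The order matters: the filename check runs before anything touches the filesystem, the random id means a malicious original name never becomes a path component at all, and the `resolves_inside` check is a second, independent guard in case a later refactor reintroduces user input into the path.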

Path traversal vulnerabilities ranked 8th in MITRE’s top 25 most dangerous software weaknesses, a list that also includes out-of-bounds writes, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bounds read flaws.

In March, CISA and the FBI issued another “Secure by Design” alert urging executives at software manufacturers to implement security measures that prevent SQL injection (SQLi) vulnerabilities.

SQLi vulnerabilities ranked 3rd in MITRE’s top 25 most dangerous vulnerabilities affecting software in 2021-2022; only out-of-bounds writes and cross-site scripting ranked higher.
