The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory urging software developers to check for and eliminate path traversal vulnerabilities before shipping software.
“Directory traversal or path traversal vulnerabilities remain a persistent class of defect in software products,” CISA said in the advisory. “Software manufacturers continue to put customers at risk by developing products that allow for path traversal exploits.”
The advisory was issued in response to recently disclosed critical path traversal vulnerabilities, including the ConnectWise ScreenConnect and Cisco AppDynamics flaws.
Directory traversal vulnerabilities arise when an application lets user-controlled input (e.g. request parameters or supplied file names) shape a file path without adequately constraining it, so that sequences such as "../" or an absolute path let the user read or write files and directories outside the location the developer intended to expose.
Implementing “secure by design”
With the advisory, the two agencies are pushing for a “secure by design” approach to software development, in which whole vulnerability classes such as path traversal are eliminated during design and development rather than patched after a product has shipped.
“A core tenet of security by design software development is that manufacturers create safe and secure behavior in the products they provide to customers,” CISA added. “Incorporating this risk mitigation at the outset–beginning in the design phase and continuing through product release and updates–reduces both the burden of cybersecurity on customers and risk to the public.”
The advisory notes that although effective techniques for avoiding directory traversal vulnerabilities are readily available, threat actors continue to exploit them, including in attacks that have disrupted critical services such as hospital and school operations.
The prevalence of such vulnerabilities is apparent from CISA’s Known Exploited Vulnerabilities (KEV) catalog, which at the time of the advisory listed 58 path traversal vulnerabilities.
Mitigations include random file identifiers or restricting the characters allowed in file names
The advisory encourages developers to use “well-known and effective mitigations” to prevent directory traversal vulnerabilities. These include generating a random identifier for each file and storing the associated metadata (including any user-supplied name) separately, so that user input is never used to name or locate a file on disk; and, where that is not possible, strictly limiting the characters that can be supplied in file names.
CISA pointed out that the same steps apply to cloud services, which are affected by these vulnerabilities just as on-premises software is, and should be used alongside other established best practices.
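As an added example (not code from the advisory or from any of the products it names), the following Python shows the defect described at the top of this piece beside the two mitigations the advisory recommends: an opaque per-file identifier with the original name held only as separate metadata, and, as the fallback, a character allow-list on the supplied name combined with a containment check on the resolved path. The directory layout, the sample payload and the FileStore class are constructed for the demonstration and stand in for an application's own storage layer.

```python
import os
import re
import secrets
import tempfile

# Vulnerable pattern: the client-supplied name is joined onto the base directory
# with no validation, so "../" sequences walk out of the intended directory and
# an absolute name makes os.path.join discard the base entirely.
def resolve_vulnerable(base_dir: str, user_name: str) -> str:
    return os.path.normpath(os.path.join(base_dir, user_name))


# Mitigation 1 (the advisory's preferred option): never use the client-supplied
# name on disk. Each file gets an opaque random identifier; the original name
# lives only in a separate metadata store (a dict here, a database in practice).
class FileStore:
    def __init__(self, base_dir: str) -> None:
        self.base_dir = os.path.realpath(base_dir)
        self.metadata: dict = {}  # file_id -> original display name

    def put(self, original_name: str, data: bytes) -> str:
        file_id = secrets.token_hex(16)  # 32 hex chars: no separators, no dots
        with open(os.path.join(self.base_dir, file_id), "wb") as fh:
            fh.write(data)
        self.metadata[file_id] = original_name
        return file_id

    def get(self, file_id: str) -> bytes:
        # Only identifiers this store issued are resolvable; anything else is
        # rejected before it is ever turned into a path.
        if file_id not in self.metadata:
            raise FileNotFoundError(file_id)
        with open(os.path.join(self.base_dir, file_id), "rb") as fh:
            return fh.read()


# Mitigation 2 (fallback when the client name must be used): a strict character
# allow-list first, then a containment check on the fully resolved path.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

def resolve_hardened(base_dir: str, user_name: str) -> str:
    # Rejects separators, a leading dot, NUL bytes and URL-encoded payloads,
    # so neither ".." on its own nor "../x" can pass.
    if not SAFE_NAME.fullmatch(user_name):
        raise ValueError(f"rejected file name: {user_name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    # realpath follows symlinks, so a link inside base_dir that points outside
    # it is caught here too; commonpath rather than startswith avoids treating
    # "/srv/uploads-old/x" as being inside "/srv/uploads".
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {target}")
    return target


def demo() -> dict:
    # Constructed layout: <tmp>/secret.txt sits one level above <tmp>/uploads,
    # and uploads/ is the only directory the application is meant to serve.
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not for download")
    payload = "../secret.txt"

    with open(resolve_vulnerable(uploads, payload)) as fh:
        leaked = fh.read()  # the vulnerable resolver hands back the parent's file

    try:
        resolve_hardened(uploads, payload)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True

    store = FileStore(uploads)
    file_id = store.put(payload, b"uploaded bytes")  # hostile name is metadata only
    return {
        "leaked": leaked,
        "hardened_blocked": hardened_blocked,
        "name_on_disk": file_id,
        "round_trip": store.get(file_id),
    }


if __name__ == "__main__":
    print(demo())
```

The identifier approach removes the problem rather than filtering it: the attacker's string never reaches a filesystem call. The allow-list plus containment check is the second line of defence the advisory describes, and the two checks are kept together because the regex alone does not see symlinks and the path check alone does not stop absolute names from discarding the base directory.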
“CISA and FBI encourage manufacturers to learn how to protect their products from falling victim to these exploits and other preventable malicious activities in accordance with three advised principles,” the advisory added.
These principles include taking ownership of customer security outcomes, embracing transparency and accountability, and deploying organizational structure and leadership to achieve these goals.
Directory traversal remains a persistent and damaging class of flaw across the software ecosystem, with at least 350 new instances reported this year alone. Recent critical vulnerabilities of this type include bugs in ConnectWise ScreenConnect, MLflow, Kyocera printers and Apache Struts 2.