CISA and the FBI urged software companies today to review their products and eliminate path traversal security vulnerabilities before shipping.
Attackers can exploit path traversal vulnerabilities (also known as directory traversal) to create or overwrite critical files used to execute code or to bypass security mechanisms such as authentication.
Such security flaws can also let threat actors access sensitive data, such as credentials that can later be used to brute-force existing accounts and breach the targeted systems.
Another possible scenario is taking down or blocking access to vulnerable systems by overwriting, deleting, or corrupting critical files used for authentication (which would lock out all users).
“Directory traversal exploits succeed because technology manufacturers fail to treat user supplied content as potentially malicious, hence failing to adequately protect their customers,” CISA and the FBI said [PDF].
“Vulnerabilities like directory traversal have been called ‘unforgivable’ since at least 2007. Despite this finding, directory traversal vulnerabilities (such as CWE-22 and CWE-23) are still prevalent classes of vulnerability.”
Prompted by recent exploitation in critical infrastructure attacks
This joint alert comes in response to “recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector,” the two federal agencies said.
For example, the ScreenConnect CVE-2024-1708 path traversal bug was chained with the CVE-2024-1709 authentication bypass flaw in Black Basta and Bl00dy ransomware attacks that pushed Cobalt Strike beacons and buhtiRansom LockBit variants.
CISA and the FBI advised software developers to implement “well-known and effective mitigations” that would prevent directory traversal vulnerabilities, including:
- Generating a random identifier for each file and storing associated metadata separately (e.g., in a database) rather than using user input when naming files.
- Strictly limiting the types of characters that can be supplied in file names, e.g., by limiting them to alphanumeric characters.
- Ensuring that uploaded files do not have executable permissions.
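As an added illustration (not code from CISA, the FBI, or any vendor named above), the following upload handler applies all three mitigations at once: the stored file name is a random server-chosen id, the user-supplied name is validated against an alphanumeric allow-list and kept only as metadata, and the file is created without execute bits. All names, paths and sample inputs are constructed for the example.

```python
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path

# Constructed example: one optional extension, alphanumerics only, so slashes,
# backslashes, "..", NUL bytes and empty names never match.
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,64}(\.[A-Za-z0-9]{1,16})?$")

def is_safe_name(user_name: str) -> bool:
    """Allow-list check on the user-supplied name; bad names are rejected, not repaired."""
    return NAME_RE.fullmatch(user_name) is not None

def store_upload(upload_dir: Path, user_name: str, data: bytes, index: dict) -> str:
    """Write `data` under a random id inside `upload_dir`; record the validated
    original name only in `index` (standing in for a database row)."""
    if not is_safe_name(user_name):
        raise ValueError("disallowed file name")
    file_id = secrets.token_hex(16)            # 1. random identifier, never user input
    dest = (upload_dir / file_id).resolve()
    if dest.parent != upload_dir.resolve():    # defense in depth: must stay inside upload_dir
        raise ValueError("path escaped upload directory")
    # 3. 0o600 plus O_EXCL: owner read/write only, no execute bits, no clobbering
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    index[file_id] = {"original_name": user_name, "size": len(data)}  # 2. metadata kept apart
    return file_id

def demo() -> dict:
    """Exercise the handler in a temp directory and report what a reviewer would check."""
    index = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp)
        file_id = store_upload(upload_dir, "report.pdf", b"constructed sample", index)
        mode = stat.S_IMODE(os.stat(upload_dir / file_id).st_mode)
        # constructed hostile names: every one must be refused by the allow-list
        hostile = ("../../etc/passwd", "..\\boot.ini", "a/b.txt", "..", "", "x\x00y")
        return {
            "id_len": len(file_id),
            "executable": bool(mode & 0o111),
            "stored_under_user_name": (upload_dir / "report.pdf").exists(),
            "original_name": index[file_id]["original_name"],
            "rejected_count": sum(1 for n in hostile if not is_safe_name(n)),
        }
```

Note that on-disk the file is only ever reachable through the random id, so a directory listing or a guessed name reveals nothing about what the uploader called it.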
Path traversal vulnerabilities took the eighth spot in MITRE’s top 25 most dangerous software weaknesses, surpassed by out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bounds read flaws.
In March, CISA and the FBI issued another “Secure by Design” alert urging executives of software manufacturing companies to implement mitigations that prevent SQL injection (SQLi) security vulnerabilities.
SQLi vulnerabilities ranked third in MITRE’s top 25 most dangerous weaknesses affecting software between 2021 and 2022, topped only by out-of-bounds writes and cross-site scripting.