Dive Brief:
- The FBI and Cybersecurity and Infrastructure Security Agency urged software companies to eliminate directory traversal vulnerabilities from their products, citing a rise in attacks against critical industries, including hospitals and school operations, in a secure-by-design alert released Thursday.
- The agencies are seeking industry action following two recent campaigns where threat groups engaged in extensive exploitation activity. The agencies referenced a path traversal vulnerability in ConnectWise ScreenConnect, listed as CVE-2024-1708, and a vulnerability in the file upload functionality of Cisco AppDynamics Controller, listed as CVE-2024-20345.
- In total, directory traversal or path traversal vulnerabilities were identified in 55 different cases listed on CISA’s Known Exploited Vulnerabilities catalog, according to the alert.
Dive Insight:
A directory traversal vulnerability lets a user manipulate inputs, such as input parameters or file paths, to reach files and directories that are not supposed to be accessible, the alert said. An attacker can gain access to a restricted directory and read, write or modify arbitrary files.
Software manufacturers can prevent these types of vulnerabilities by generating random identifiers for each file and storing related metadata separately, according to the alert.
Manufacturers can also limit the types of characters used in file names, for example only allowing alphanumeric characters.
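The following Python example is added here to illustrate the two points above; it is not code from the alert, from CISA or the FBI, or from any of the products named in this article. It shows, side by side, the naive "join the user's file name onto the storage root" pattern that directory traversal exploits, a containment check that decides whether a path actually lands inside the storage root, and an upload store built the way the alert recommends: every file is stored under a random identifier, the user-supplied name and other metadata are kept in a separate record, and the user-supplied name is restricted by a character whitelist. The names `is_contained`, `naive_storage_path`, `SAFE_NAME`, `UploadStore` and `demo` are this example's own; the whitelist goes slightly beyond "alphanumeric only" by permitting one dotted extension, which is an assumption made here for readability, not something the alert specifies.

```python
"""Directory traversal: the naive join, and the file-storage design the alert recommends.

Added example; nothing here is taken from the alert or from any named product.
"""
import os
import re
import secrets
import tempfile


def is_contained(root: str, candidate: str) -> bool:
    """Return True if `candidate`, joined onto `root`, resolves to a location inside `root`.

    os.path.realpath collapses '..' segments and follows symlinks, so the decision is made
    on where the path actually lands, not on how it is spelled. os.path.commonpath compares
    whole path segments, so '/srv/uploads2' is correctly treated as outside '/srv/uploads'.
    """
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, candidate))
    return os.path.commonpath([root, target]) == root


def naive_storage_path(root: str, user_supplied_name: str) -> str:
    """The vulnerable pattern: the user's name is joined straight onto the storage root.

    '../' segments walk out of `root`, and an absolute name replaces `root` entirely,
    because os.path.join discards everything before an absolute component.
    """
    return os.path.normpath(os.path.join(root, user_supplied_name))


# Whitelist for the user-facing name: alphanumerics, optionally followed by one
# alphanumeric extension. Assumption of this example: the alert says "alphanumeric",
# the single dotted extension is allowed here for readability of display names.
SAFE_NAME = re.compile(r"[A-Za-z0-9]{1,64}(?:\.[A-Za-z0-9]{1,16})?")


class UploadStore:
    """Upload storage built the way the alert describes.

    * every stored file gets a random identifier, and that identifier is the only
      string that ever becomes part of a filesystem path;
    * the user-supplied name and other metadata live in a separate record;
    * the user-supplied name is restricted by SAFE_NAME before it is recorded.
    """

    def __init__(self, root: str) -> None:
        self.root = os.path.realpath(root)
        os.makedirs(self.root, exist_ok=True)
        self.metadata = {}  # file_id -> {"display_name": ..., "size": ...}

    def save(self, display_name: str, data: bytes) -> str:
        if not SAFE_NAME.fullmatch(display_name):
            raise ValueError(f"rejected file name: {display_name!r}")
        file_id = secrets.token_hex(16)  # 32 hex characters, never derived from user input
        with open(os.path.join(self.root, file_id), "wb") as fh:
            fh.write(data)
        self.metadata[file_id] = {"display_name": display_name, "size": len(data)}
        return file_id

    def path_for(self, file_id: str) -> str:
        """Map an identifier back to its on-disk path; only known identifiers are accepted."""
        if file_id not in self.metadata:
            raise KeyError("unknown file identifier")
        if not is_contained(self.root, file_id):  # defence in depth; cannot fail for hex ids
            raise ValueError("identifier resolves outside the store")
        return os.path.join(self.root, file_id)

    def read(self, file_id: str) -> bytes:
        with open(self.path_for(file_id), "rb") as fh:
            return fh.read()


def demo() -> dict:
    """Constructed walkthrough in a temporary directory; returns the observations as booleans."""
    root = tempfile.mkdtemp(prefix="uploads-")
    store = UploadStore(root)
    sample = b"%PDF-1.4 constructed sample\n"  # constructed payload, not a real document
    file_id = store.save("report.pdf", sample)
    results = {
        "stored_under_random_id": file_id != "report.pdf" and len(file_id) == 32,
        "round_trip": store.read(file_id) == sample,
        "metadata_kept_separately": store.metadata[file_id]["display_name"] == "report.pdf",
        "naive_join_escapes": not is_contained(root, "../../etc/passwd"),
        "traversal_name_rejected": False,
    }
    try:
        store.save("../../etc/passwd", b"x")  # the whitelist rejects this before any path is built
    except ValueError:
        results["traversal_name_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The containment check and the random-identifier store are complementary rather than alternatives: the store removes the user's influence over the path altogether, while `is_contained` is the check to apply wherever an application still has to accept a path-like value, and it must run after resolution, since a lexical check on the raw string misses symlinks and encoded separators.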
CISA and the FBI said organizations using these products should ask the manufacturer whether they have conducted formal tests to check for directory traversal vulnerabilities.
CISA is pushing software companies to build greater security into their products during the development stage, a key tenet of the Biden administration’s national cybersecurity strategy.
The goal is to reduce how often technology customers have to search for software vulnerabilities that can expose their systems to malicious attacks from rogue nation-states or criminal ransomware actors.
“Programmers should be trained to validate user input to ensure that attackers cannot read and write files to places that modify the operation of the software and can lead to complete system compromise,” Chris Wysopal, CTO and co-founder of Veracode, said via email. “Application security testing should be used during software development to find places where this validation is missing.”