CISA and the FBI urged software program firms at the moment to evaluate their merchandise and eradicate path traversal security vulnerabilities earlier than delivery.
Attackers can exploit path traversal vulnerabilities (also called listing traversal) to create or overwrite essential recordsdata used to execute code or bypass security mechanisms like authentication.
Such security flaws also can let menace actors entry delicate knowledge, reminiscent of credentials that may later be used to brute-force already present accounts to breach the focused programs.
One other attainable state of affairs is taking down or blocking entry to weak programs by overwriting, deleting, or corrupting essential recordsdata used for authentication (which might lock out all customers).
“Listing traversal exploits succeed as a result of expertise producers fail to deal with person equipped content material as probably malicious, therefore failing to adequately shield their prospects,” CISA and the FBI mentioned [PDF].
“Vulnerabilities like listing traversal have been referred to as ‘unforgivable’ since not less than 2007. Regardless of this discovering, listing traversal vulnerabilities (reminiscent of CWE-22 and CWE-23) are nonetheless prevalent lessons of vulnerability.”
Prompted by current exploitation in essential infrastructure assaults
This joint alert is available in response to “current well-publicized menace actor campaigns that exploited listing traversal vulnerabilities in software program (e.g., CVE-2024-1708, CVE-2024-20345) to compromise customers of the software program—impacting essential infrastructure sectors, together with the Healthcare and Public Well being Sector,” the 2 federal companies mentioned.
For example, the ScreenConnect CVE-2024-1708 path traversal bug was chained with the CVE-2024-1709 auth bypass flaw in Black Basta and Bl00dy ransomware assaults pushing CobaltStrike beacons and buhtiRansom LockBit variants.
CISA and the FBI suggested software program builders to implement “well-known and efficient mitigations” that might stop listing traversal vulnerabilities, together with:
- Producing a random identifier for every file and storing related metadata individually (e.g., in a database) slightly than utilizing person enter when naming recordsdata.
- Strictly limiting the varieties of characters that may be equipped in file names, e.g., by proscribing them to alphanumeric characters.
- Making certain that uploaded recordsdata haven’t got executable permissions.
Path vulnerabilities took the eighth spot in MITRE’s high 25 most harmful software program weaknesses, surpassed by out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bound learn flaws.
In March, CISA and the FBI issued one other “Safe by Design” alert urging executives of software program manufacturing firms to implement mitigations to forestall SQL injection (SQLi) security vulnerabilities.
SQLi vulnerabilities ranked third in MITRE’s high 25 most harmful weaknesses affecting software program between 2021 and 2022, topped solely by out-of-bounds writes and cross-site scripting.
