Monday, March 10, 2025

CISA urges software devs to weed out path traversal vulnerabilities


CISA and the FBI urged software companies today to review their products and eliminate path traversal security vulnerabilities before shipping.

Attackers can exploit path traversal vulnerabilities (also known as directory traversal) to create or overwrite critical files used to execute code or bypass security mechanisms like authentication.

Such security flaws can also let threat actors access sensitive data, such as credentials that can later be used to brute-force already existing accounts to breach the targeted systems.

Another possible scenario is taking down or blocking access to vulnerable systems by overwriting, deleting, or corrupting critical files used for authentication (which would lock out all users).


“Directory traversal exploits succeed because technology manufacturers fail to treat user supplied content as potentially malicious, hence failing to adequately protect their customers,” CISA and the FBI said [PDF].

“Vulnerabilities like directory traversal have been called ‘unforgivable’ since at least 2007. Despite this finding, directory traversal vulnerabilities (such as CWE-22 and CWE-23) are still prevalent classes of vulnerability.”

Prompted by recent exploitation in critical infrastructure attacks

This joint alert comes in response to “recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector,” the two federal agencies said.

For instance, the ScreenConnect CVE-2024-1708 path traversal bug was chained with the CVE-2024-1709 auth bypass flaw in Black Basta and Bl00dy ransomware attacks pushing Cobalt Strike beacons and buhtiRansom LockBit variants.


CISA and the FBI advised software developers to implement “well-known and effective mitigations” that would prevent directory traversal vulnerabilities, including:

  • Generating a random identifier for each file and storing associated metadata separately (e.g., in a database) rather than using user input when naming files.
  • Strictly limiting the types of characters that can be supplied in file names, e.g., by restricting them to alphanumeric characters.
  • Ensuring that uploaded files do not have executable permissions.
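As an added illustration of the first two mitigations (example code written for this article, not CISA's or any vendor's), the following Python contrasts the naive join that lets user input escape the upload directory with a handler that whitelists characters, names files by a random identifier kept apart from the user-supplied name, and verifies that the canonical path still sits under the upload root. UPLOAD_ROOT and all function names are assumptions.

```python
import os
import re
import secrets
from typing import Dict, Optional

# Constructed sample root used only for this demonstration (hypothetical path).
UPLOAD_ROOT = "/srv/app/uploads"

# Random identifier -> original user-supplied name, kept apart from the
# filesystem (a database in a real service) so input never names a file.
FILE_METADATA: Dict[str, str] = {}

# Whitelist: leading alphanumeric, then alphanumerics, dot, dash, underscore.
# Separators, "..", NUL bytes and overlong names never match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_target(user_filename: str) -> str:
    """Naive join: the caller's input decides where the file lands (CWE-22).

    Shown only to make the failure mode concrete; the hardened path below
    never lets user input reach the filesystem.
    """
    return os.path.normpath(os.path.join(UPLOAD_ROOT, user_filename))


def accept_upload(user_filename: str) -> Optional[str]:
    """Validate the supplied name and return a server-generated file id,
    or None when the name contains anything outside the whitelist."""
    if not SAFE_NAME.fullmatch(user_filename):
        return None
    file_id = secrets.token_hex(16)          # random, not derived from input
    FILE_METADATA[file_id] = user_filename   # original name kept as metadata
    return file_id


def is_within_root(root: str, candidate: str) -> bool:
    """Canonicalize both paths and require candidate to sit under root."""
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(candidate)
    return os.path.commonpath([real_root, real_candidate]) == real_root


def resolve_upload(file_id: str) -> Optional[str]:
    """Map a file id back to its on-disk path; None if unknown or escaping."""
    if file_id not in FILE_METADATA:
        return None
    target = os.path.join(UPLOAD_ROOT, file_id)
    return target if is_within_root(UPLOAD_ROOT, target) else None
```

The third mitigation (no executable bit on uploads) is a filesystem setting, for example creating upload files with a mode of 0o600 and mounting the upload directory noexec, rather than application logic.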

Path traversal vulnerabilities took the eighth spot in MITRE’s top 25 most dangerous software weaknesses, surpassed by out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bounds read flaws.

In March, CISA and the FBI issued another “Secure by Design” alert urging executives of software manufacturing companies to implement mitigations to prevent SQL injection (SQLi) security vulnerabilities.


SQLi vulnerabilities ranked third in MITRE’s top 25 most dangerous weaknesses affecting software between 2021 and 2022, topped only by out-of-bounds writes and cross-site scripting.
