Secure by Design: CISA and FBI warn of directory traversal vulnerabilities

Directory traversal vulnerabilities are a threat that the US CISA and the FBI would like to nip in the bud.

Secure by Design lettering with CISA and FBI logos

Secure by Design: The US authorities want to embed software security more firmly.

(Image: CISA)

This article was originally published in German and has been automatically translated.

IT security should be taken into account from the very start of software development, which is why CISA and the FBI have launched a campaign called "Secure by Design". In an occasional series, the agencies collect advice on how vulnerabilities can be avoided from the outset in software development. Now it is the turn of directory traversal vulnerabilities.

In the PDF on this class of vulnerability, the agencies do not hold back on criticism. "The software industry has known for decades how to eliminate these defects. Nevertheless, directory traversals remain one of the most abused vulnerabilities with 55 entries currently listed in the Known Exploited Vulnerabilities catalog," reads a text box in the introduction. "For more than two decades, the software industry has been documenting directory traversal vulnerabilities along with effective approaches to avoid them," the authors write.

The secure-by-design alert was prompted by recent campaigns in which cybercriminals exploited directory traversal vulnerabilities in software such as ConnectWise ScreenConnect and Cisco's AppDynamics Controller. The attackers compromised users of that software, including organizations in critical infrastructure sectors such as healthcare.

CISA and the FBI are urging the management of software vendors to conduct formal testing of their products to determine whether they are vulnerable to directory traversal. Customers, for their part, are advised to ask their vendors whether they have carried out such formal directory traversal testing.

This class of vulnerability arises when manipulated user input, such as request parameters or file paths, is used by the application to access files and directories that the developers never intended to expose. Typically a supplied file name containing sequences such as "../" causes the application to step out of the directory it was meant to stay in. The consequences can be severe: attackers gain access to restricted directories and can read, modify or write files there, or all three, which exposes sensitive data or allows the system to be compromised.

The authors write in bold: "Directory traversal abuse succeeds because technology vendors fail to treat user input as potentially malicious and therefore do not adequately protect their customers." However, there are simple and well-known remedies. For example, software developers can assign a random ID to each file and store the associated metadata separately, for instance in a database, instead of using user-supplied names to locate files on disk. Or, if this is not possible, restrict the characters permitted in file names, for example to alphanumeric characters only. In addition, developers must ensure that uploaded files do not carry execute permissions. OWASP also provides further helpful guidance.
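The following Python example is added here to illustrate the remedies listed above; it is not code from the CISA/FBI document or from any of the products mentioned. It puts the vulnerable pattern (user-supplied name joined straight onto a base directory) beside the two fixes the agencies recommend: an allowlist of alphanumeric names with a containment check, and a server-assigned random ID with the user's name kept only as metadata in a database. The upload root is a temporary directory created for the demo, and the "../../../etc/passwd" input is a constructed sample; the `FileStore` class and function names are assumptions made for this illustration.

```python
"""Directory traversal: the vulnerable pattern beside two hardened alternatives."""
import os
import re
import secrets
import sqlite3
import tempfile
from pathlib import Path

# Constructed storage root for the demo; a real service would use a fixed, dedicated path.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads-")).resolve()


def vulnerable_resolve(user_name: str) -> Path:
    """Vulnerable: attacker-controlled input is joined onto the base directory.
    A name such as '../../../etc/passwd' walks out of UPLOAD_ROOT."""
    return (UPLOAD_ROOT / user_name).resolve()


# Fix 1: allowlist. Only alphanumeric names are accepted, so no '.', '/', '\\' or NUL can appear.
SAFE_NAME = re.compile(r"[A-Za-z0-9]{1,64}")


def allowlisted_resolve(user_name: str) -> Path:
    """Reject anything outside the allowlist, then verify the resolved path is still under the root."""
    if not SAFE_NAME.fullmatch(user_name):
        raise ValueError(f"rejected file name: {user_name!r}")
    path = (UPLOAD_ROOT / user_name).resolve()
    # Belt and braces: even after allowlisting, confirm containment before touching the file.
    if UPLOAD_ROOT not in path.parents:
        raise ValueError("path escapes upload root")
    return path


class FileStore:
    """Fix 2: the user's name never reaches the filesystem. The server picks a random ID for
    the on-disk name and stores the original name as metadata in a database (assumed design)."""

    def __init__(self, root: Path):
        self.root = root
        self.db = sqlite3.connect(":memory:")  # in-memory for the demo
        self.db.execute(
            "CREATE TABLE files (id TEXT PRIMARY KEY, original_name TEXT, size INTEGER)"
        )

    def save(self, original_name: str, data: bytes) -> str:
        file_id = secrets.token_hex(16)  # server-chosen, unguessable, hex only
        target = self.root / file_id
        # O_EXCL makes an ID collision fail loudly instead of overwriting; mode 0o600 has no
        # execute bit, so an uploaded script cannot be run in place.
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        self.db.execute(
            "INSERT INTO files (id, original_name, size) VALUES (?, ?, ?)",
            (file_id, original_name, len(data)),
        )
        return file_id

    def load(self, file_id: str) -> tuple:
        """Look the ID up first: only IDs the server generated ever reach the filesystem."""
        row = self.db.execute(
            "SELECT original_name FROM files WHERE id = ?", (file_id,)
        ).fetchone()
        if row is None:
            raise FileNotFoundError(file_id)
        return (self.root / file_id).read_bytes(), row[0]

    def is_executable(self, file_id: str) -> bool:
        return bool((self.root / file_id).stat().st_mode & 0o111)


def demo() -> dict:
    """Run the constructed traversal input through all three code paths."""
    traversal = "../../../etc/passwd"  # constructed sample input
    results = {}
    results["vulnerable_escapes"] = UPLOAD_ROOT not in vulnerable_resolve(traversal).parents
    try:
        allowlisted_resolve(traversal)
        results["allowlist_rejects"] = False
    except ValueError:
        results["allowlist_rejects"] = True
    store = FileStore(UPLOAD_ROOT)
    file_id = store.save(traversal, b"hello")  # the hostile name is only metadata now
    data, name = store.load(file_id)
    results["roundtrip"] = data == b"hello" and name == traversal
    results["no_exec_bit"] = not store.is_executable(file_id)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is deliberately stricter than it strictly needs to be: with dots forbidden it cannot carry a file extension, which is why the random-ID design is the preferred option where the original name must be preserved. The containment check in `allowlisted_resolve` is redundant given the regex, but it is the check that survives when someone later relaxes the allowlist.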

The authors then repeat the advice to management already given in previous secure-by-design alerts: take responsibility for customers' security through formal code reviews, for example, and create transparency by publishing information on security vulnerabilities. At the end of March, the FBI and CISA published similar guidance on preventing SQL injection vulnerabilities, which have been a major problem for decades and are still frequently encountered.

(dmk)