
An Old Flaw with New Tricks: FBI and CISA Issue Path Traversal Vulnerability Alert

A 20-year-old exploit.
Ryan Uliss
Contributing Writer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently issued a significant Secure by Design Alert, spotlighting the ongoing exploitation of path traversal, or directory traversal, vulnerabilities in software. These vulnerabilities, in which flawed file path handling lets attacker-controlled input reach files outside the directory the software intended to expose, have been known for over two decades but remain a severe threat, particularly to critical infrastructure sectors such as healthcare and energy.

This alert was triggered by recent attacks that exploited specific vulnerabilities, namely CVE-2024-1708 and CVE-2024-20345, in software used by critical infrastructure. CISA and the FBI are now emphasizing a Secure by Design approach to software development that builds strict security measures in from inception and design through to product release and updates, so that this class of vulnerability is eliminated before it ships.

Why it matters: Path traversal vulnerabilities, though well-documented and understood, remain a significant threat to software security. Their persistence endangers critical systems and sensitive data and underscores systemic flaws in software development practices. Addressing these vulnerabilities is essential for safeguarding national security and public safety, as well as preserving the integrity and trust in the digital infrastructure that modern society heavily depends on.

  • Recent Exploits and Responses: The exploitation of vulnerabilities in ConnectWise ScreenConnect and Cisco AppDynamics Controller has prompted a renewed emphasis on eliminating such flaws through Secure by Design practices, which focus on building security into software from the ground up.
  • Effective Mitigation Strategies: CISA and the FBI advocate for implementing several well-known mitigation strategies, including random identifiers for files, storing metadata separately, and ensuring uploaded files do not have execution permissions.
  • Testing and Compliance: The agencies also stress the importance of formal testing to assess products’ susceptibility to these vulnerabilities. With 55 path traversal flaws currently listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, the push for improved security measures is more urgent than ever.
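The three mitigations listed above (random file identifiers, metadata kept separately, no execute permission on uploads) as an added Python example that is not part of the alert or of this article; the upload directory, the in-memory metadata index and the `is_confined` check are assumptions made for the illustration.

```python
import os
import secrets
import tempfile

# Constructed sandbox directory standing in for the application's upload store.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="uploads-")
# Metadata (the client-supplied name among it) lives in a separate index,
# never on the filesystem path; a database row would play this role in a service.
METADATA = {}


def is_confined(root: str, candidate: str) -> bool:
    """True only if candidate resolves inside root: realpath() collapses '..'
    segments and follows symlinks, so a traversal name joined onto root fails."""
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(candidate)
    return os.path.commonpath([real_root, real_candidate]) == real_root


def store_upload(client_filename: str, data: bytes) -> str:
    """Save an upload with the alert's three mitigations and return its id:
    random on-disk name, client's name kept only in METADATA, mode 0o600."""
    file_id = secrets.token_hex(16)
    target = os.path.join(UPLOAD_ROOT, file_id)
    if not is_confined(UPLOAD_ROOT, target):  # defence in depth
        raise ValueError("refusing to write outside the upload root")
    # O_EXCL refuses to reuse an existing file or symlink of the same name.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    METADATA[file_id] = {"original_name": client_filename, "size": len(data)}
    return file_id


def read_upload(file_id: str) -> bytes:
    """Look a file up by id only; an id that escapes the root is refused."""
    target = os.path.join(UPLOAD_ROOT, file_id)
    if not is_confined(UPLOAD_ROOT, target):
        raise ValueError("invalid file id")
    with open(target, "rb") as fh:
        return fh.read()


def is_executable(file_id: str) -> bool:
    """Report whether any execute bit is set on the stored file."""
    return bool(os.stat(os.path.join(UPLOAD_ROOT, file_id)).st_mode & 0o111)
```

Because the on-disk name is generated rather than taken from the request, a traversal sequence in the client's filename never reaches the filesystem; `is_confined` remains as a second check on the read path.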

Go Deeper -> CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities – Security Week

FBI and CISA Tell Devs to Crack Down on Security Issues Before Releasing – Tech Radar
