Fix before release: Path Traversal is the main enemy of developers

Father

CISA and the FBI are calling for urgent measures to protect the code.

CISA and the FBI have called on software developers to identify and eliminate path traversal vulnerabilities more actively before releasing products to market. Such flaws let an attacker create or overwrite critical files, which can bypass authentication mechanisms and lead to remote code execution.

The agencies stress that such attacks become possible because of insufficient protection on the part of technology vendors, who do not treat user-supplied data as potentially malicious. These vulnerabilities can give attackers access to sensitive information, including credentials, which can then be used for brute-force attacks.

The problem is compounded by the fact that such vulnerabilities have been known as "unforgivable" for many years, yet they remain widespread, as confirmed by studies of the CWE-22 and CWE-23 vulnerability classes.

The FBI and CISA recommended that developers take proven precautions, including:
  • generating a random ID for each file and storing the associated metadata separately from the file name;
  • limiting the characters that can be used in file names;
  • ensuring that uploaded files do not have execute permissions.
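The three recommendations above, as an added Python example (not code from the CISA/FBI alert or from this post): a naive path join beside a hardened upload store that names files with a random ID, keeps the original name in separate metadata, restricts the client-supplied name to an allow-list, and creates the file without execute bits. The allow-list pattern and the `meta/` directory layout are my assumptions, and the sample upload is constructed.

```python
import json, os, re, secrets, tempfile
from pathlib import Path

# Hypothetical allow-lists: client names keep to a safe character set, on-disk IDs are server-chosen hex.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
FILE_ID = re.compile(r"[0-9a-f]{32}")

def vulnerable_path(root: Path, client_name: str) -> Path:
    """The CWE-22 pattern: the client-supplied name decides the final path."""
    return root / client_name  # '..' segments or an absolute name escape root

def store_upload(root: Path, client_name: str, data: bytes) -> str:
    """Hardened store: random on-disk ID, metadata kept apart, no exec bit."""
    if not SAFE_NAME.fullmatch(client_name):
        raise ValueError("file name contains characters outside the allow-list")
    file_id = secrets.token_hex(16)  # the server, not the client, names the file
    (root / "meta").mkdir(exist_ok=True)
    fd = os.open(root / file_id, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    (root / "meta" / f"{file_id}.json").write_text(json.dumps({"original_name": client_name}))
    return file_id

def resolve_download(root: Path, file_id: str) -> Path:
    """Serve only a well-formed ID whose canonical path is a direct child of root."""
    if not FILE_ID.fullmatch(file_id):
        raise ValueError("malformed file id")
    target = (root / file_id).resolve(strict=True)
    if target.parent != root.resolve():
        raise ValueError("canonical path is outside the upload root")
    return target

def demo() -> dict:
    # Exercise both patterns in a throwaway directory; the upload is a constructed sample.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        naive = vulnerable_path(root, "../../etc/passwd").resolve()
        file_id = store_upload(root, "report.pdf", b"%PDF-1.4 constructed sample")
        served = resolve_download(root, file_id)
        try:
            store_upload(root, "../../etc/passwd", b"x")
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        meta = json.loads((root / "meta" / f"{file_id}.json").read_text())
        return {"naive_join_escapes_root": root.resolve() not in naive.parents,
                "executable_bit_set": bool(served.stat().st_mode & 0o111),
                "served_content": served.read_bytes(),
                "original_name_in_meta": meta["original_name"],
                "traversal_name_rejected": traversal_rejected}
```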

The warning was prompted by recent attacks on critical infrastructure, including the healthcare and public health sector, in which attackers used directory traversal vulnerabilities to carry out their campaigns; one example is the attacks exploiting the ScreenConnect vulnerability CVE-2024-1708.

Directory traversal vulnerabilities ranked 8th in MITRE's list of the 25 most dangerous software weaknesses, behind threats such as out-of-bounds memory errors, cross-site scripting (XSS), and SQL injection.