CISA warns about directory traversal vulnerabilities

On May 02, 2024, CISA and the FBI released a Security by Design alert to all software manufacturers and customers regarding an ongoing security vulnerability associated with “directory traversal” (also known as path traversal) in the software design process.

The software industry has already documented directory traversal vulnerabilities in the past, as well as identified practical approaches to eliminate these vulnerabilities entirely over the next two decades. However, many software manufacturers have still not addressed those issues and are continuing to put customers at risk as a result.

Directory traversal vulnerabilities are security flaws that can materialize during software development processes that allow cyberattackers to access specific access files or directories. This happens when unauthorized individuals are able to manipulate user inputs — including file paths and website URLs — to navigate further than an application’s boundaries are intended to be set.

A practical example of a directory traversal vulnerability is when a web user is able to access hosted but unpublished documents from a website by using a series of URL sequences that move up a directory structure and potentially locate and access configuration files that contain private credentials or other sensitive information.

Unauthorized access to personally identifiable information (PII) and intellectual property is one of the largest risks associated with directory traversal attacks. However, these vulnerabilities can also lead to much more significant issues for organizations, including compromising or even critically damaging entire systems.

By leveraging directory traversal vulnerabilities, cyber criminals can create backdoors onto hosted servers that allow them to upload and execute malware as well as obtain persistent unauthorized access.

CISA and the FBI have expressed concern over the number of industries that still haven’t addressed these critical vulnerabilities. Critical infrastructure entities that rely on various software systems — including hospitals, schools, power grids and other utility services — are considerably at risk.

Directory traversal vulnerabilities aren’t a discovery, and their significance for software companies has already been well-documented. However, despite this knowledge, several platforms and services have yet to adapt their strategies to adequately address them.

Below are some reasons for this:

Not all software developers are well-trained in secure coding practices. Their lack of experience and understanding makes them more prone to overlooking necessary security protocols in an effort to streamline their development schedules.

Organizations that apply static analysis testing throughout their DevSecOps workflows are much more likely to identify and address directory traversal vulnerabilities as they occur. Unfortunately, many companies still don’t prioritize the use of continuous testing protocols as part of their development lifecycle, leading to more persistent issues regarding the security integrity of certain systems.

Older software systems and legacy coding practices, including outdated frameworks and libraries, are considerably more vulnerable to directory traversal attacks. Rewriting essential coding can be incredibly time-consuming and resource-intensive, pushing organizations to accept certain risks instead of completing a system overhaul.

The dangers of directory traversal vulnerabilities impact both software developers and customers alike. Due to this fact, there are some proactive steps both groups should take to help mitigate the risks these vulnerabilities can bring:

• Adopt Secure-by-Design principles: Developers should incorporate security at the outset of their development projects. To do this effectively, organizations should adopt a “secure-by-design” approach, building security into the framework of their architecture rather than addressing it as an afterthought.
• Execute testing and vulnerability scanning: Developers should use a combination of manual and automated testing protocols throughout the software development lifecycle (SDLC) process and regular vulnerability scans to ensure that their software is as secure as possible.
• Ensure timely patching: If and when certain vulnerabilities in coding are discovered, software manufacturers need to act quickly to develop and release patches to address them. These patches should be communicated to customers and easily accessible to ensure they can be applied as soon as possible.

• Stay informed and apply updates: Software customers should always follow the advice of their providers and download and install all necessary patches as they become available. These updates often address critical flaws, including directory traversal vulnerabilities, that can lead to a number of data privacy and security issues.
• Choose reputable vendors: When choosing a software vendor, customers should research the organization’s security readiness. This includes any relevant certifications that the provider maintains and its vulnerability disclosure policies.
• Implement additional security measures: In addition to relying on vendor updates, customers and business organizations should also take steps to strengthen their own digital security measures to protect themselves. This may include using network firewalls, intrusion detection systems and anti-malware solutions.

The persistence of directory traversal vulnerabilities in modern software systems shows the importance of software manufacturing teams prioritizing addressing critical coding issues. The joint advisory of CISA and the FBI will continue to provide guidance on how these vulnerabilities can be successfully addressed and the best practices organizations should follow for securing their software systems.