June 4, 2024 By Josh Nadeau 3 min read

On May 02, 2024, CISA and the FBI released a Security by Design alert to all software manufacturers and customers regarding an ongoing security vulnerability associated with “directory traversal” (also known as path traversal) in the software design process.

The software industry has already documented directory traversal vulnerabilities in the past, as well as identified practical approaches to eliminate these vulnerabilities entirely over the next two decades. However, many software manufacturers have still not addressed those issues and are continuing to put customers at risk as a result.

What is a directory traversal vulnerability?

Directory traversal vulnerabilities are security flaws that can materialize during software development processes that allow cyberattackers to access specific access files or directories. This happens when unauthorized individuals are able to manipulate user inputs — including file paths and website URLs — to navigate further than an application’s boundaries are intended to be set.

A practical example of a directory traversal vulnerability is when a web user is able to access hosted but unpublished documents from a website by using a series of URL sequences that move up a directory structure and potentially locate and access configuration files that contain private credentials or other sensitive information.

Understanding the danger of directory traversal attacks

Unauthorized access to personally identifiable information (PII) and intellectual property is one of the largest risks associated with directory traversal attacks. However, these vulnerabilities can also lead to much more significant issues for organizations, including compromising or even critically damaging entire systems.

By leveraging directory traversal vulnerabilities, cyber criminals can create backdoors onto hosted servers that allow them to upload and execute malware as well as obtain persistent unauthorized access.

CISA and the FBI have expressed concern over the number of industries that still haven’t addressed these critical vulnerabilities. Critical infrastructure entities that rely on various software systems — including hospitals, schools, power grids and other utility services — are considerably at risk.

Why do these vulnerabilities persist?

Directory traversal vulnerabilities aren’t a discovery, and their significance for software companies has already been well-documented. However, despite this knowledge, several platforms and services have yet to adapt their strategies to adequately address them.

Below are some reasons for this:

Lack of developer awareness and training

Not all software developers are well-trained in secure coding practices. Their lack of experience and understanding makes them more prone to overlooking necessary security protocols in an effort to streamline their development schedules.

Failure to use security validation in the development process

Organizations that apply static analysis testing throughout their DevSecOps workflows are much more likely to identify and address directory traversal vulnerabilities as they occur. Unfortunately, many companies still don’t prioritize the use of continuous testing protocols as part of their development lifecycle, leading to more persistent issues regarding the security integrity of certain systems.

Legacy coding issues

Older software systems and legacy coding practices, including outdated frameworks and libraries, are considerably more vulnerable to directory traversal attacks. Rewriting essential coding can be incredibly time-consuming and resource-intensive, pushing organizations to accept certain risks instead of completing a system overhaul.

Learn more on vulnerability management

How to address directory traversal vulnerabilities

The dangers of directory traversal vulnerabilities impact both software developers and customers alike. Due to this fact, there are some proactive steps both groups should take to help mitigate the risks these vulnerabilities can bring:

Steps for software manufacturers

  • Adopt Secure-by-Design principles: Developers should incorporate security at the outset of their development projects. To do this effectively, organizations should adopt a “secure-by-design” approach, building security into the framework of their architecture rather than addressing it as an afterthought.
  • Execute testing and vulnerability scanning: Developers should use a combination of manual and automated testing protocols throughout the software development lifecycle (SDLC) process and regular vulnerability scans to ensure that their software is as secure as possible.
  • Ensure timely patching: If and when certain vulnerabilities in coding are discovered, software manufacturers need to act quickly to develop and release patches to address them. These patches should be communicated to customers and easily accessible to ensure they can be applied as soon as possible.

Steps for software customers

  • Stay informed and apply updates: Software customers should always follow the advice of their providers and download and install all necessary patches as they become available. These updates often address critical flaws, including directory traversal vulnerabilities, that can lead to a number of data privacy and security issues.
  • Choose reputable vendors: When choosing a software vendor, customers should research the organization’s security readiness. This includes any relevant certifications that the provider maintains and its vulnerability disclosure policies.
  • Implement additional security measures: In addition to relying on vendor updates, customers and business organizations should also take steps to strengthen their own digital security measures to protect themselves. This may include using network firewalls, intrusion detection systems and anti-malware solutions.

Software manufacturers must follow official guidance

The persistence of directory traversal vulnerabilities in modern software systems shows the importance of software manufacturing teams prioritizing addressing critical coding issues. The joint advisory of CISA and the FBI will continue to provide guidance on how these vulnerabilities can be successfully addressed and the best practices organizations should follow for securing their software systems.

More from News

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI).The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous.Meanwhile, the magnitude of the threat…

Why the Christie’s auction house hack is different

3 min read - Christie's, one of the world's leading auction houses, was hacked in May, and the cyber group RansomHub has claimed responsibility. On May 12, Christie’s CEO Guillaume Cerutti announced on LinkedIn that the company had “experienced a technology security incident.” RansomHub threatened to leak “sensitive personal information” from exfiltrated ID document data, including names, dates of birth and nationalities. On the group’s dark website, RansomHub claims to possess 2GB of data on “at least 500,000” Christie’s clients from around the world.…

Should there be a total ban on ransomware payments?

3 min read - The debate about the United States government banning companies from making ransomware payments is back in the headlines. Recently, the Ransomware Task Force for the Institute for Security and Technology released a memo on the topic. The task force stated that making a ban on ransomware payments in the U.S. at the current time will worsen the harm to victims, society and the economy. Additionally, small businesses cannot withstand a lengthy business disruption and might go out of business after…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today