June 4, 2024 By Josh Nadeau 3 min read

On May 02, 2024, CISA and the FBI released a Security by Design alert to all software manufacturers and customers regarding an ongoing security vulnerability associated with “directory traversal” (also known as path traversal) in the software design process.

The software industry has already documented directory traversal vulnerabilities in the past, as well as identified practical approaches to eliminate these vulnerabilities entirely over the next two decades. However, many software manufacturers have still not addressed those issues and are continuing to put customers at risk as a result.

What is a directory traversal vulnerability?

Directory traversal vulnerabilities are security flaws that can materialize during software development processes that allow cyberattackers to access specific access files or directories. This happens when unauthorized individuals are able to manipulate user inputs — including file paths and website URLs — to navigate further than an application’s boundaries are intended to be set.

A practical example of a directory traversal vulnerability is when a web user is able to access hosted but unpublished documents from a website by using a series of URL sequences that move up a directory structure and potentially locate and access configuration files that contain private credentials or other sensitive information.

Understanding the danger of directory traversal attacks

Unauthorized access to personally identifiable information (PII) and intellectual property is one of the largest risks associated with directory traversal attacks. However, these vulnerabilities can also lead to much more significant issues for organizations, including compromising or even critically damaging entire systems.

By leveraging directory traversal vulnerabilities, cyber criminals can create backdoors onto hosted servers that allow them to upload and execute malware as well as obtain persistent unauthorized access.

CISA and the FBI have expressed concern over the number of industries that still haven’t addressed these critical vulnerabilities. Critical infrastructure entities that rely on various software systems — including hospitals, schools, power grids and other utility services — are considerably at risk.

Why do these vulnerabilities persist?

Directory traversal vulnerabilities aren’t a discovery, and their significance for software companies has already been well-documented. However, despite this knowledge, several platforms and services have yet to adapt their strategies to adequately address them.

Below are some reasons for this:

Lack of developer awareness and training

Not all software developers are well-trained in secure coding practices. Their lack of experience and understanding makes them more prone to overlooking necessary security protocols in an effort to streamline their development schedules.

Failure to use security validation in the development process

Organizations that apply static analysis testing throughout their DevSecOps workflows are much more likely to identify and address directory traversal vulnerabilities as they occur. Unfortunately, many companies still don’t prioritize the use of continuous testing protocols as part of their development lifecycle, leading to more persistent issues regarding the security integrity of certain systems.

Legacy coding issues

Older software systems and legacy coding practices, including outdated frameworks and libraries, are considerably more vulnerable to directory traversal attacks. Rewriting essential coding can be incredibly time-consuming and resource-intensive, pushing organizations to accept certain risks instead of completing a system overhaul.

Learn more on vulnerability management

How to address directory traversal vulnerabilities

The dangers of directory traversal vulnerabilities impact both software developers and customers alike. Due to this fact, there are some proactive steps both groups should take to help mitigate the risks these vulnerabilities can bring:

Steps for software manufacturers

  • Adopt Secure-by-Design principles: Developers should incorporate security at the outset of their development projects. To do this effectively, organizations should adopt a “secure-by-design” approach, building security into the framework of their architecture rather than addressing it as an afterthought.
  • Execute testing and vulnerability scanning: Developers should use a combination of manual and automated testing protocols throughout the software development lifecycle (SDLC) process and regular vulnerability scans to ensure that their software is as secure as possible.
  • Ensure timely patching: If and when certain vulnerabilities in coding are discovered, software manufacturers need to act quickly to develop and release patches to address them. These patches should be communicated to customers and easily accessible to ensure they can be applied as soon as possible.

Steps for software customers

  • Stay informed and apply updates: Software customers should always follow the advice of their providers and download and install all necessary patches as they become available. These updates often address critical flaws, including directory traversal vulnerabilities, that can lead to a number of data privacy and security issues.
  • Choose reputable vendors: When choosing a software vendor, customers should research the organization’s security readiness. This includes any relevant certifications that the provider maintains and its vulnerability disclosure policies.
  • Implement additional security measures: In addition to relying on vendor updates, customers and business organizations should also take steps to strengthen their own digital security measures to protect themselves. This may include using network firewalls, intrusion detection systems and anti-malware solutions.

Software manufacturers must follow official guidance

The persistence of directory traversal vulnerabilities in modern software systems shows the importance of software manufacturing teams prioritizing addressing critical coding issues. The joint advisory of CISA and the FBI will continue to provide guidance on how these vulnerabilities can be successfully addressed and the best practices organizations should follow for securing their software systems.

More from News

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

3,000 “ghost accounts” on GitHub spreading malware

3 min read - In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts. A highly effective malware campaign Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts perform typical activities as well, users did not realize that…

Warren Buffett’s warning highlights growing risk of cyber insurance losses

3 min read - The United States cyber insurance industry continues to see strong profits, according to Fitch Ratings. Average premium increases, meanwhile, have moderated over the last three years: While 2021 saw a 34% jump in premium pricing and costs rose 15% in 2022, increases were under 1% in 2023.As noted by the Fitch Ratings report, "segment underwriting profitability at current levels is unsustainable as cyber insurance pricing is likely to remain flat or down going forward." While this is good news for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today