FBI and CISA tell developers to eliminate path traversal flaws before shipping software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a new joint security alert earlier this week, urging software manufacturers to eliminate path traversal vulnerabilities from their products before they ship.

Path traversal is a software vulnerability also called directory traversal or directory climbing. Exploiting this flaw can allow threat actors to read, and in some cases write, files and folders outside the directory the application intended to expose. The flaw usually arises in web applications or other systems that build file paths from user input without canonicalising the result and checking that it still lies inside the intended directory.
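As an added illustration (not code from the CISA/FBI alert or any product it refers to), the following Python snippet contrasts three file-serving handlers: one that joins user input straight into a path, one that applies the common but wrong "strip `../`" filter before URL-decoding, and one that canonicalises with `os.path.realpath` and then checks containment with `os.path.commonpath`. The function names, the temporary directory layout (a `public/` web root next to a `secret.txt`, plus a symlink inside the root pointing back out) and the request strings are all constructed for this example.

```python
"""Path traversal: a vulnerable handler, a naive filter and a hardened handler.

Added example; not code from the CISA/FBI alert. Function names, the sample
directory layout and the request strings are constructed for illustration.
"""
import os
import tempfile
from urllib.parse import unquote


def serve_vulnerable(base_dir: str, requested: str) -> str:
    """Decode, then join user input straight onto the web root.
    '../' climbs out of base_dir, and an absolute path makes os.path.join
    discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, unquote(requested)))


def serve_naive_filter(base_dir: str, requested: str) -> str:
    """Common wrong fix: strip '../' once, and do it before decoding.
    '..%2F' survives the filter and decodes to '../' afterwards, and
    '....//' collapses back to '../' after a single replace pass."""
    cleaned = unquote(requested.replace("../", ""))
    return os.path.normpath(os.path.join(base_dir, cleaned))


def serve_safe(base_dir: str, requested: str) -> str:
    """Decode once, reject absolute paths and NUL bytes, canonicalise, then
    check containment. Raises ValueError on any escape, including a symlink
    inside base_dir whose target lies outside it."""
    root = os.path.realpath(base_dir)
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise ValueError("absolute paths are not accepted")
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath compares whole segments, so /srv/wwwevil is not "under" /srv/www.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"request escapes document root: {requested!r}")
    return candidate


def build_sample_tree() -> tuple:
    """Constructed layout: <tmp>/secret.txt outside the web root, and
    <tmp>/public/ as the root holding index.html plus a symlink escape.txt
    that points back out to secret.txt. Returns (tmp_dir, web_root)."""
    tmp = tempfile.mkdtemp(prefix="traversal_demo_")
    root = os.path.join(tmp, "public")
    os.mkdir(root)
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("db_password=hunter2\n")  # constructed sample secret
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(root, "escape.txt"))
    return tmp, root


def run_demo() -> dict:
    """Run each handler against benign and hostile requests.
    Returns {label: {handler: outcome}} where outcome is 'blocked',
    'leaks secret', or the path the handler would open."""
    tmp, root = build_sample_tree()
    secret = os.path.realpath(os.path.join(tmp, "secret.txt"))
    requests = [
        ("benign", "index.html"),
        ("dotdot", "../secret.txt"),          # classic climb
        ("encoded", "..%2Fsecret.txt"),       # URL-encoded slash
        ("doubled", "....//secret.txt"),      # defeats single-pass '../' stripping
        ("absolute", secret),                 # os.path.join drops the root
        ("symlink", "escape.txt"),            # link inside root, target outside
    ]
    handlers = {"vulnerable": serve_vulnerable,
                "naive_filter": serve_naive_filter,
                "safe": serve_safe}
    results = {}
    for label, req in requests:
        results[label] = {}
        for name, handler in handlers.items():
            try:
                path = handler(root, req)
            except ValueError:
                results[label][name] = "blocked"
                continue
            leaked = os.path.realpath(path) == secret
            results[label][name] = "leaks secret" if leaked else path
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The order of operations in the hardened handler is the point: decode exactly once, refuse rather than repair anything absolute or containing NUL, resolve symlinks with `realpath`, and only then compare against the root. The `....//` request is correctly allowed through by the safe handler (it normalises to a nonexistent file inside the root, which a server would answer with a 404), while the same string turns into a working escape for the filter-based handler.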

According to the two agencies, path traversal is a "persistent class of defects in software products," despite having been well documented, with effective and scalable ways to eliminate it, for more than two decades.

Demanding action

“Software manufacturers continue to put customers at risk by developing products that enable directory traversal abuse,” the warning reads, adding that threat actors continue to abuse path traversal to target the healthcare and public health sectors.

Currently, CISA's Known Exploited Vulnerabilities (KEV) catalog lists 55 path traversal vulnerabilities, each with confirmed exploitation in the wild.

“There are approaches to prevent directory traversal vulnerabilities, but threat actors continue to exploit these vulnerabilities that have affected the operation of critical services, including hospital and school operations,” the alert said.

“CISA and the FBI urge software manufacturer executives to require their organizations to conduct formal testing (see OWASP testing guidelines) to determine the susceptibility of their products to directory traversal vulnerabilities.”

The two agencies also urge software customers to ask their vendors whether they have conducted formal directory traversal testing.

“If manufacturers discover that their systems do not have the right solutions, they must ensure that their software developers immediately implement measures to eliminate this entire class of defects from all products. Building security into products from the start can eliminate directory traversal vulnerabilities,” the two agencies concluded.
