CISA says 'no more' to decades-old directory traversal bugs

CISA is calling on the software industry to stamp out directory traversal vulnerabilities following recent high-profile exploits of the 20-year-old class of bugs.

As part of its long-running series of alerts that promote secure-by-design practices in software, the US cybersecurity agency bemoaned the fact these vulnerabilities exist, despite approaches to eliminate them being established for over two decades.

Directory traversals see users manipulating inputs to gain access to data, sometimes with read and write privileges. Successful exploits can lead to the theft of sensitive data and the wider compromise of systems, CISA said.

"Directory traversal exploits succeed because technology manufacturers fail to treat user-supplied content as potentially malicious, hence failing to adequately protect their customers."

CISA cited the recent maximum-severity vulnerability in ConnectWise's ScreenConnect remote access software (CVE-2024-1708), which researchers described as "embarrassingly easy to exploit."

Another example referenced in the alert was a similar path traversal flaw affecting Cisco AppDynamics Controller (CVE-2024-20345), which flew a little under the radar with a modest 6.5 "medium" severity score back in March.

Despite only 55 of the total 1,104 vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog being classed as directory traversals, the threat they present is heightened given the organizations they're targeting.

The security agency warned these vulnerabilities are being used in attacks on the software used by critical infrastructure organizations including the healthcare industry. The threat is especially acute given that this class of bug can also affect cloud services.

"Approaches to avoid directory traversal vulnerabilities are known, yet threat actors continue to exploit these vulnerabilities which have impacted the operation of critical services, including hospital and school operations," the alert [PDF] reads.

• Dump C++ and in Rust you should trust, Five Eyes agencies urge
• UK lays down fresh legislation banning crummy default device passwords
• Exploiting the latest max-severity ConnectWise bug is 'embarrassingly easy'
• Target Silicon Valley: Why A View to a Kill actually made sense

"CISA and the FBI urge software manufacturer executives to require their organizations to conduct formal testing to determine their products' susceptibility to directory traversal vulnerabilities."

CISA pointed to two "well-known and effective mitigations" to directory traversal vulnerabilities that should be implemented to prevent attacks on the nation's most critical institutions.

• Instead of relying on user input when naming files, developers should consider using a random identifier for each file and storing the associated metadata separately

• If developers choose not to use this approach, they should limit the types of characters that can be supplied in file names to alphanumeric ones, for example. Removing executable permission from any uploaded files is also recommended

Eliminating directory traversal bugs is just one step towards achieving a truly secure-by-design approach to software. Previous alerts have focused on other areas such as eliminating default passwords, like the UK recently did, and the elimination of SQL injection vulnerabilities.

The agency, along with the other Five Eyes powers, has also long called for an end to the use of memory-unsafe languages, suggesting developers move away from old reliables such as C and C++ to more inherently secure alternatives. ®