CISA and FBI issue secure by design alert to urge manufacturers to remove directory traversal vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly issued a Secure by Design Alert in response to recent hacker campaigns exploiting directory traversal vulnerabilities in software like CVE-2024-1708 and CVE-2024-20345. These vulnerabilities have been used to compromise software users, impacting critical infrastructure sectors, such as healthcare and public health.
Titled ‘Eliminating Directory Traversal Vulnerabilities in Software,’ the alert highlights the prevalence of directory traversal defects and threat actors’ continued exploitation of them. CISA currently lists 55 directory traversal vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog. Approaches for avoiding directory traversal vulnerabilities are well known, yet threat actors continue to exploit them, disrupting critical services including hospital and school operations.
The CISA-FBI secure by design alert lays down three principles: taking ownership of customer security outcomes; embracing radical transparency and accountability; and building organizational structure and leadership to achieve these goals.
CISA and the FBI urge software manufacturer executives to require their organizations to conduct formal testing to determine their products’ susceptibility to directory traversal vulnerabilities. They also recommend that software customers ask manufacturers whether they have conducted formal directory traversal testing. Should manufacturers discover their systems lack the appropriate mitigations, they should ensure their software developers immediately implement mitigations to eliminate this entire class of defect from all products. Building security into products from the beginning can eliminate directory traversal vulnerabilities.
The alert identified that the software industry has documented directory traversal vulnerabilities, along with effective approaches to eliminate these vulnerabilities at scale, for over two decades. Yet software manufacturers continue to put customers at risk by developing products that allow for directory traversal exploitation. The agencies identified that directory traversal exploits succeed because technology manufacturers fail to treat user-supplied content as potentially malicious, hence failing to adequately protect their customers.
Directory traversal vulnerabilities involve a user manipulating inputs (i.e., input parameters or file paths) to illicitly access application files and directories that the developer did not intend for users to access. The impact can be devastating: depending on the scenario, these exploits can allow malicious cyber actors to access restricted directories and read, modify, or write arbitrary files. Exploitation of a directory traversal vulnerability may expose sensitive data and/or allow actors to pivot further and compromise additional systems.
During the design and development of a software product, developers should implement effective mitigations to help prevent directory traversal vulnerabilities. These include generating a random identifier for each file and storing the associated metadata separately (e.g., in a database) rather than using user input to name files. Where that approach is not taken, strictly limit the characters that can be supplied in file names, e.g., by restricting them to alphanumeric characters. Also, ensure that uploaded files do not have executable permissions.
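As an added illustration of the mitigations described above (this is example code written for this article, not code from the alert or from CISA or the FBI), the following Python module implements a small upload store: each file is stored under a random identifier, the user-supplied name lives only in a metadata table, the supplied name is restricted to a conservative character set, and files are created without execute permission. The `resolve_under_root` helper shows the complementary check for code that must map a user-supplied relative path under a fixed directory. The names `UploadStore`, `SAFE_NAME`, the table layout and the sample inputs are assumptions made for this example.

```python
import os
import re
import secrets
import sqlite3
import stat
import tempfile
from pathlib import Path

# Assumption for this example: file names may contain only letters, digits,
# dot, underscore and hyphen, must start with a letter or digit, and are
# capped at 255 characters. No path separators are ever accepted.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def is_safe_name(name):
    """True if a user-supplied file name is within the allowed character set."""
    return bool(SAFE_NAME.fullmatch(name)) and ".." not in name


def resolve_under_root(root, user_path):
    """Return the absolute path of user_path inside root, or raise if it escapes.

    Use this where user-supplied relative paths cannot be avoided: resolve()
    collapses '..' segments and follows symlinks before the containment check,
    so the comparison is made on the path the OS would actually open.
    """
    root = Path(root).resolve()
    candidate = (root / user_path).resolve()
    if os.path.commonpath([root, candidate]) != str(root):
        raise ValueError("path escapes root")
    return candidate


class UploadStore:
    """Stores uploads under random ids; keeps the original name only as metadata."""

    def __init__(self, root, db_path=":memory:"):
        self.root = Path(root).resolve()
        self.root.mkdir(parents=True, exist_ok=True)
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS files "
            "(id TEXT PRIMARY KEY, original_name TEXT, size INTEGER)"
        )

    def save(self, original_name, data):
        # The user-supplied name never touches the filesystem; it is only
        # validated and recorded in the database.
        if not is_safe_name(original_name):
            raise ValueError("rejected file name")
        file_id = secrets.token_hex(16)
        dest = self.root / file_id
        # O_EXCL refuses to overwrite an existing file; mode 0o600 yields a
        # file with no execute bits regardless of the process umask.
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        self.db.execute(
            "INSERT INTO files VALUES (?, ?, ?)", (file_id, original_name, len(data))
        )
        self.db.commit()
        return file_id

    def open_path(self, file_id):
        # Second line of defence: the id must be exactly what token_hex produces,
        # and the resolved path must sit directly under the store root.
        if not re.fullmatch(r"[0-9a-f]{32}", file_id):
            raise ValueError("bad file id")
        path = (self.root / file_id).resolve()
        if path.parent != self.root:
            raise ValueError("path escapes store")
        return path

    def read(self, file_id):
        return self.open_path(file_id).read_bytes()

    def metadata(self, file_id):
        row = self.db.execute(
            "SELECT original_name, size FROM files WHERE id = ?", (file_id,)
        ).fetchone()
        return None if row is None else {"original_name": row[0], "size": row[1]}


def demo():
    """Constructed end-to-end run in a temporary directory; returns checkable facts."""
    root = tempfile.mkdtemp()
    store = UploadStore(root)
    file_id = store.save("report.pdf", b"hello world")  # constructed sample upload
    stored = store.open_path(file_id)
    return {
        "id_len": len(file_id),
        "content": store.read(file_id),
        "metadata": store.metadata(file_id),
        "exec_bits": stat.S_IMODE(stored.stat().st_mode) & 0o111,
        "stored_under_root": stored.parent == Path(root).resolve(),
    }


if __name__ == "__main__":
    print(demo())
```

The random-identifier approach removes the traversal problem entirely, because nothing the user supplies is ever interpreted as a path; the character whitelist and the `resolve_under_root` containment check are the fallbacks for code that still has to accept a name or relative path from the user.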
Furthermore, the alert pointed out that software manufacturers should implement the above guidance, or other known best approaches, to prevent directory traversal vulnerabilities in cloud systems. Additionally, CISA and the FBI encourage manufacturers to learn how to protect their products from falling victim to directory traversal exploits and other preventable malicious activity by reviewing the three principles laid out in the joint guidance ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.’
When it comes to taking ownership of customer security outcomes, the alert identified that there are key security areas manufacturers should invest in to protect their customers as well as the public. “These include providing safe building blocks for their software developers to ensure that a single developer error does not compromise the data of millions of users. The cycle of vulnerability detection, mitigation, and patch deployment for vulnerabilities that have been understood for years is not a lasting approach to security. Effective mechanisms to prevent classes of vulnerabilities at scale are available and software manufacturers should implement them as early in the development cycle as possible.”
Adopting standard best practices can help software manufacturers to root out directory traversal vulnerabilities at the source, as opposed to relying on customers to apply fixes. Manufacturers should also implement audit mechanisms through automation to measure developer compliance with these best practices.
Additionally, senior executives at software manufacturers must take accountability for the security of their customers starting by creating a governance structure for technical staff to conduct formal testing and code review to determine their susceptibility to exploitation. OWASP and other trusted entities provide guidance on testing methods with readily available techniques. Manufacturers and developers should take ownership of securing products and eliminate this class of vulnerability.
Manufacturers should lead with transparency when disclosing product vulnerabilities. To that end, manufacturers should track the classes of vulnerability associated with their software and disclose them to their customers via the CVE program. Manufacturers should ensure that their CVE records are correct and complete. It is especially important that manufacturers supply an accurate CWE so the industry can track classes of software defect, not just individual CVEs, and customers can understand areas where a given vendor’s development practices may require improvement.
As such, manufacturers should identify and document the root causes of directory traversal vulnerabilities and declare it a business goal to work toward eliminating the entire class of vulnerability. Software manufacturers should also maintain a modern vulnerability disclosure program (VDP).
The alert also identified that executives should lead programs to root out entire classes of vulnerability rather than addressing them on a case-by-case basis. Additionally, executives should establish organizational structures that prioritize proactive measures, such as adopting standard best practices, to root out directory traversal vulnerabilities at the source.
Executives should also ensure their organization conducts reviews to detect common and well-known vulnerabilities, like directory traversal, to determine their susceptibility, and implement the existing effective and documented mitigations. These reviews should be continually conducted to root out classes of vulnerability, as some vulnerabilities may change or develop over time. Executives should request regular updates to assess the company’s progress at identifying recurring classes of vulnerability as well as progress to eliminate them and lend support to provide appropriate resources to continue such progress.
In conclusion, the alert highlights that although it focuses on approaches to mitigate directory traversals as a class of defect, it is just one part of a more comprehensive set of secure by design practices. To protect their customers from a wide range of malicious cyber activity, manufacturers should fully implement the principles and practices touched upon in this alert. Further, CISA and the FBI urged manufacturers to publish their own secure by design roadmap to demonstrate that they are not simply implementing tactical controls but are strategically rethinking their responsibility in keeping customers safe.