The U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), published a new joint security alert earlier this week, urging software developers to keep path traversal in mind when developing software products.
Path traversal is a software vulnerability also known as directory traversal, or directory climbing. By abusing this flaw, threat actors can access sensitive files and directories. The hole typically arises in web applications or systems that dynamically construct file paths based on user input without properly validating or sanitizing it.
According to the two agencies, path traversal is a “persistent class of defect in software products”, despite it being well-documented and having effective elimination approaches, at scale, for more than two decades.
Demanding action
“Software manufacturers continue to put customers at risk by developing products that allow for directory traversal exploitation,” the alert reads, adding that threat actors are constantly abusing path traversal to target the healthcare and public health sectors.
Right now, CISA has 55 path traversal vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog, signaling in-the-wild abuse.
“Approaches to avoid directory traversal vulnerabilities are known, yet threat actors continue to exploit these vulnerabilities which have impacted the operation of critical services, including hospital and school operations,” the alert further states.
“CISA and the FBI urge software manufacturer executives to require their organizations to conduct formal testing (see OWASP testing guidance) to determine their products’ susceptibility to directory traversal vulnerabilities.”
The two agencies also urge all software users to inquire with their partners, if they had conducted formal directory traversal testing.
“Should manufacturers discover their systems lack the appropriate mitigations, they should ensure their software developers immediately implement mitigations to eliminate this entire class of defect from all products. Building security into products from the beginning can eliminate directory traversal vulnerabilities,” the two concluded.
More from TechRadar Pro
SysAid tells customers to patch immediately after Microsoft flags ransomware campaign exploiting new zero-day flawHere’s a list of the best firewalls around todayThese are the best endpoint security tools right now