CISA & FBI Release Urges Developers to Eliminate Directory Traversal Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint Secure by Design Alert, calling on software developers and industry executives to intensify their efforts in eliminating directory traversal vulnerabilities within their products.

This move comes in response to a series of high-profile cyber-attacks that have exploited these vulnerabilities, notably CVE-2024-1708 and CVE-2024-20345, leading to significant disruptions across critical infrastructure sectors, including healthcare and public education.

Directory traversal, also known as path traversal, represents a critical security flaw that allows attackers to access restricted directories and execute commands outside of a web server’s root directory.

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Despite being a well-documented issue for over two decades, with comprehensive mitigation strategies readily available, the persistence of these vulnerabilities in new and existing software products continues to pose a significant risk to global cybersecurity.

Recent threat actor campaigns leveraging directory traversal vulnerabilities have underscored the urgent need for a more proactive approach to software security.

Exploiting these vulnerabilities has not only compromised sensitive information. Still, it has also disrupted essential services, including hospital operations and educational institutions, underscoring the potential for widespread impact on public safety and well-being.

CISA and FBI’s Call to Action

In their Secure by Design Alert, CISA and the FBI have outlined several key recommendations for software manufacturers and their customers.

For manufacturers, the agencies emphasize the importance of conducting formal testing, per the OWASP testing guidance, to assess their products’ susceptibility to directory traversal vulnerabilities.

Additionally, they are urged to develop and publish a secure design roadmap, demonstrating their commitment to prioritizing security in their development processes.

The alert advises customers to inquire about the security testing practices of their software providers, encouraging a culture of transparency and accountability in the industry.

With the CISA currently listing 55 directory traversal vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, the joint alert serves as a critical reminder of the ongoing challenges in securing software against cyber threats.

The collaboration between CISA and the FBI highlights the importance of a unified approach to cybersecurity, emphasizing the role of industry-wide cooperation in addressing and mitigating these vulnerabilities.

By adhering to the recommendations outlined in the Secure by Design Alert, software manufacturers, and their customers can contribute to a significant reduction in the risk of cyber-attacks, ensuring the protection of critical infrastructure and the safety of the public.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.