Hackers Exploit Path Traversal: Prevent Pre-Release Flaws

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have urged software developers to more proactively identify and remedy path traversal vulnerabilities before releasing products to the market. Such flaws enable malicious actors to create or overwrite critical files, compromising authentication mechanisms and leading to remote code execution.

The agencies emphasize that these vulnerabilities arise from insufficient protection by technology manufacturers, who fail to treat user-provided data (such as file names in requests) as potentially malicious. These vulnerabilities could grant hackers access to sensitive information, including credentials, which may be exploited in brute-force attacks.

The persistence of these vulnerabilities, known for years as “inexcusable” yet still prevalent, is underscored by research into the vulnerability classes CWE-22 and CWE-23.

The FBI and CISA have recommended that developers implement established precautionary measures, including:

  • Generating a random identifier for each file while storing related metadata separately from the file name;
  • Limiting the types of characters that can be used in file names;
  • Ensuring that uploaded files do not have execution permissions.
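An added example, not code from the advisory or this article, showing how the three measures above fit together in a file-upload handler: a character allowlist on the client-supplied name, a random identifier as the on-disk name with the original name kept only as metadata, and a file mode with no execute bits. The function names, the sidecar metadata format and the upload root are assumptions made for the illustration.

```python
import os
import re
import json
import secrets
import pathlib

# Allowlist for the client-supplied name: leading alphanumeric, then letters,
# digits, dot, dash, underscore. Path separators are never allowed, so
# "../", backslashes and absolute paths are rejected before any path is built.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def is_safe_filename(name: str) -> bool:
    """True only if the name matches the allowlist (no separators, no leading dot)."""
    return SAFE_NAME.fullmatch(name) is not None


def resolves_inside(root: str, candidate: str) -> bool:
    """Containment check: the resolved candidate must sit under the resolved root."""
    root_p = pathlib.Path(root).resolve()
    cand_p = pathlib.Path(candidate).resolve()
    return root_p == cand_p or root_p in cand_p.parents


def store_upload(original_name: str, data: bytes, upload_root: str) -> dict:
    """Save an upload under a random id; keep the user's name only as metadata."""
    if not is_safe_filename(original_name):
        raise ValueError(f"rejected file name: {original_name!r}")
    file_id = secrets.token_hex(16)  # random, attacker-independent on-disk name
    target = os.path.join(upload_root, file_id)
    if not resolves_inside(upload_root, target):  # defence in depth: never trust the join
        raise ValueError("target escapes upload root")
    # O_EXCL: never overwrite an existing file. 0o600: owner read/write, no execute bit.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    record = {"file_id": file_id, "original_name": original_name, "size": len(data)}
    # The original name lives in a sidecar record (assumed format), not in the path.
    with open(target + ".json", "w", encoding="utf-8") as meta:
        json.dump(record, meta)
    return record
```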

This warning was prompted by recent attacks on critical infrastructure, including the healthcare and public health sectors, where attackers exploited directory traversal vulnerabilities to carry out their campaigns, such as those using the ScreenConnect CVE-2024-1708 vulnerability.

Directory traversal vulnerabilities ranked eighth in MITRE’s list of the top 25 most dangerous software weaknesses, trailing threats such as out-of-bounds errors, cross-site scripting (XSS), and SQL injection.