Path traversal vulnerabilities have been ‘unforgivable’ for decades — developers still haven’t got the message


A common security failure that has been considered ‘unforgivable’ for more than two decades is still allowing attackers to compromise vulnerable systems.

Directory traversal — or path traversal — flaws remain a persistent problem, even though the vulnerabilities have been long documented and there are ways to eliminate them.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have now issued an alert about directory traversal flaws, which they said was prompted by recent incidents in which attackers exploited directory traversal vulnerabilities to target healthcare organizations.

“Software manufacturers continue to put customers at risk by developing products that allow for directory traversal exploitation,” the agencies said.

CISA said there were 55 directory traversal vulnerabilities currently listed in its Known Exploited Vulnerabilities (KEV) catalog.

The agencies highlighted two recent examples, including CVE-2024-1708, a path traversal vulnerability found in ConnectWise ScreenConnect 23.9.7 and prior versions.

This flaw could have allowed an attacker to execute remote code or directly impact confidential data or critical systems.

The second was CVE-2024-20345, a vulnerability in the file upload functionality of Cisco AppDynamics Controller that could allow an authenticated, remote attacker to conduct directory traversal attacks on an affected device.

CISA and the FBI said software company execs should make sure testing is carried out to see if their products contain similar flaws, and advised customers to ask vendors if they have conducted robust testing.

“Should manufacturers discover their systems lack the appropriate mitigations, they should ensure their software developers immediately implement mitigations to eliminate this entire class of defect from all products,” the agencies said. The easiest way to prevent such problems is to build security into products from the beginning.

The agencies noted that vulnerabilities like directory traversal were called ‘unforgivable’ as long ago as 2007 by Mitre.

In the original Mitre paper, flaws qualified as unforgivable if they were well-known, well documented, obvious, easy to use in an attack and could be found with five minutes of a code review or manual testing.

“If a vulnerability discovery seems to match all five criteria, then it is highly suggestive of the developer’s lack of security awareness… combined with a lack of security testing,” the original paper said.

What are path traversal vulnerabilities anyway?

These flaws let a user manipulate input such as a file name or path parameter (typically with sequences like ../) so that the application reads or writes files and directories the developer never intended to expose.

That might seem trivial, but according to CISA and the FBI, the impact can be devastating.

“These exploits can allow malicious cyber actors to access restricted directories and depending on the scenario, read, modify, or write arbitrary files. Exploitation of a directory traversal vulnerability may expose sensitive data and/or allow actors to further pivot and compromise systems,” they said.

These flaws exist when developers fail to treat user supplied content as potentially malicious.

“All but the most simple web applications have to include local resources, such as images, themes, other scripts, and so on. Every time a resource or file is included by the application, there is a risk that an attacker may be able to include a file or remote resource you didn’t authorize,” warns the Open Worldwide Application Security Project (OWASP), a nonprofit tech security foundation, in its explanation of the flaws.

How can developers stop path traversal vulnerabilities?

Developers should consider generating a random identifier for each file and storing associated metadata separately – such as in a database – instead of using user input when naming files. 

Alternatively, developers should set a strict limit on the types of characters that can be supplied in file names and should also ensure that uploaded files do not have executable permissions.
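To make the flaw and the mitigations above concrete, here is an added example in Python; it is not code from CISA, the FBI, OWASP or any vendor named in this article. It shows the ‘unforgivable’ handler that joins a request path onto a base directory, then the same handler with a canonical-path containment check, an allowlist on file-name characters, and the random-identifier pattern with metadata kept in a dictionary standing in for a database table. The directory layout, file contents and function names are all constructed for the demonstration, and it assumes the web framework has already URL-decoded the request path exactly once.

```python
"""Path traversal: a handler that trusts the request path, beside hardened forms.

Added illustration only; not code from CISA, the FBI, OWASP or any vendor named
in the article. Assumes a web application that serves and stores files under a
single directory (BASE_DIR) on behalf of its users. Function names are invented.
"""
import os
import re
import secrets
import tempfile

# Constructed sandbox: ROOT/store is the application's file store, and
# ROOT/secret.txt stands in for a file outside it that must never be exposed.
ROOT = tempfile.mkdtemp(prefix="traversal-demo-")
BASE_DIR = os.path.join(ROOT, "store")
os.makedirs(os.path.join(BASE_DIR, "themes"))
os.makedirs(os.path.join(BASE_DIR, "uploads"))
with open(os.path.join(BASE_DIR, "themes", "dark.css"), "w") as fh:
    fh.write("body { background: #000; }")
with open(os.path.join(ROOT, "secret.txt"), "w") as fh:
    fh.write("db_password=hunter2")


# --- 1. The 'unforgivable' version: user input becomes part of a path -------

def resolved_path(user_path):
    """What the vulnerable handler actually opens. Two failure modes:
    '../' climbs out of BASE_DIR, and an absolute user_path makes
    os.path.join discard BASE_DIR entirely."""
    return os.path.join(BASE_DIR, user_path)


def read_vulnerable(user_path):
    """Unsafe: read_vulnerable('../secret.txt') returns the secret."""
    with open(resolved_path(user_path)) as fh:
        return fh.read()


# --- 2. Canonicalise, then check containment --------------------------------

def is_allowed(user_path):
    """True only if the canonical target still lies under BASE_DIR.
    realpath() collapses '..', resolves symlinks and handles absolute paths,
    so the check sees the path the OS would open, not the raw string."""
    base = os.path.realpath(BASE_DIR)
    target = os.path.realpath(os.path.join(base, user_path))
    return target != base and os.path.commonpath([base, target]) == base


def read_hardened(user_path):
    if not is_allowed(user_path):
        raise PermissionError("path escapes the file store: %r" % user_path)
    with open(os.path.realpath(os.path.join(BASE_DIR, user_path))) as fh:
        return fh.read()


# --- 3. Allowlist the characters of a file name -----------------------------

# One path component: a leading alphanumeric (so no '.', '..' or dotfiles),
# then a short run of alphanumerics, '.', '_' or '-'. Separators, NUL bytes,
# whitespace and everything else are rejected rather than 'cleaned up'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_filename(name):
    return SAFE_NAME.fullmatch(name) is not None


# --- 4. Random identifier; the client-supplied name never touches the disk --

METADATA = {}  # stands in for a database table keyed by file id


def store_upload(original_name, data):
    """Returns the random id under which the content is stored. The file is
    created O_EXCL (no clobbering an existing file) with mode 0600 (no
    execute bit), regardless of what the client called it."""
    file_id = secrets.token_hex(16)
    path = os.path.join(BASE_DIR, "uploads", file_id)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    METADATA[file_id] = {"original_name": original_name, "size": len(data)}
    return file_id


def fetch_upload(file_id):
    """Lookup is by id only; an id that is not in METADATA is simply unknown."""
    if file_id not in METADATA:
        raise KeyError(file_id)
    with open(os.path.join(BASE_DIR, "uploads", file_id), "rb") as fh:
        return fh.read()


def upload_mode(file_id):
    """Permission bits of a stored upload, for checking no execute bit is set."""
    return os.stat(os.path.join(BASE_DIR, "uploads", file_id)).st_mode & 0o777


if __name__ == "__main__":
    print("vulnerable:", read_vulnerable("../secret.txt"))   # leaks the secret
    print("hardened  :", is_allowed("../secret.txt"))         # False
    print("allowlist :", is_safe_filename("../secret.txt"))   # False
    fid = store_upload("../../evil.sh", b"#!/bin/sh\nid\n")
    print("stored as :", fid, METADATA[fid], oct(upload_mode(fid)))
```

The containment check in `is_allowed` is deliberately done on the result of `realpath()` rather than by searching the raw string for `..`, because encoded, doubled or OS-specific separator variants all collapse to the same canonical path, and a symlink planted inside the store is caught the same way. The allowlist and random-identifier approaches avoid the question entirely by never letting client text become a path component.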

And it’s worth remembering that directory traversal vulnerabilities aren’t just a problem for legacy software. They can also affect cloud services, which means software vendors also need to use these approaches when building for the cloud.

Where do we go from here?

More broadly, the FBI and CISA said software companies should consider adopting a secure-by-design approach to development.


“There are key security areas manufacturers should invest in to protect their customers as well as the public. These include providing safe building blocks for their software developers to ensure that a single developer error does not compromise the data of millions of users,” they said.

The old cycle of relying on customers or security companies to find vulnerabilities and patching them is not an effective approach to security, they argued. Ways to prevent classes of vulnerabilities already exist, so software developers should implement them as early in the development cycle as possible.

The agencies said software company execs should continually conduct reviews to detect common and well-known vulnerabilities, as some flaws may change or develop over time.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.