The Cybersecurity and Infrastructure Security Agency (CISA) and 17 international partners are encouraging a Secure By Design approach to digital product development. Secure By Design is a broad but non-binding push for vendors to release software in a secure configuration by default, rather than prioritizing ease of use and leaving the user to enable security features after installation. Development teams struggling to keep pace with demand may welcome software that deploys quickly and easily, but that convenience puts security in the back seat.
Secure By Design also encourages developers to adopt a "Shift Left" approach: integrating application security testing throughout the software development life cycle (SDLC) so that common software weaknesses are identified before a product reaches the market. By contrast, the EU has enacted the Cyber Resilience Act (CRA), a formal legal requirement that enforces responsible design of digital products and carries formal penalties for vendors that violate its rules.
In this article, we will take a look at the topic of a recent Secure By Design alert from CISA: directory traversal flaws. We will review how this flaw manifests in software and how attackers exploit it to compromise the systems of victims who run software containing directory traversal flaws.
Directory traversal flaws, a subset of path traversal flaws, are a form of broken access controls. They occur when an attacker is able to access files that should be out of scope of an application by manipulating file path inputs. Directory traversal flaws (and path traversal flaws) can exist in desktop, mobile, and web applications. These vulnerabilities allow attackers to exploit poorly sanitized user input to access sensitive files such as configuration files, password files, or system data without authorization. Reading this sensitive data can allow attackers to further exploit systems via stolen credentials, privilege escalation, or lateral movement within a network to compromise adjacent systems.
In some cases, directory traversal flaws may allow an attacker to write to existing files, changing their contents to enable insecure configuration settings, create malicious accounts, or even encrypt files for ransom or destroy valuable files. In other cases, directory traversal flaws may allow an attacker to save uploaded files to unintended locations, or if user input is used to specify a file to execute, directory traversal flaws may allow a user to execute unintended system commands.
The terms "directory traversal" and "path traversal" are often used interchangeably, but they have subtle distinctions. Both enable attackers to access restricted resources but differ in their technical context.
Path traversal typically refers to any vulnerability involving unauthorized path navigation, while directory traversal specifically involves navigating outside the root directory using sequences like "../". Therefore, path traversal is a broader term that includes any manipulation of file paths in an attempt to access unauthorized files or directories. Path traversal flaws may allow an attacker to access files via network access since URLs are included in the definition of a path.
Directory traversal flaws occur when an application lets user input specify a local file, or when user input otherwise influences which local file is accessed. In a typical attack, a malicious actor submits input containing a specially crafted file path, often built from sequences like "../" or "../../" (parent directory). If the targeted application does not correctly sanitize the input, this sequence can cause it to access areas of the file system that should be restricted.
For example, if a web application accepts a user-provided file name to display, an attacker could modify the file name to something like ../../etc/passwd on a Unix system, tricking the server into revealing sensitive information from the system’s password file.
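The file-display scenario above, as an added example that is not from the original article: a handler that concatenates user input into a path, beside a hardened version that resolves the final path and rejects anything outside the web root. The "web root" and its secret file are a constructed sandbox created in a temporary directory; the hypothetical /etc/passwd is represented by a file named secret.txt.

```python
import os
import tempfile

# Constructed sandbox: a web root with one public file, and a secret file
# one directory above it (stands in for /etc/passwd in the text above).
ROOT = tempfile.mkdtemp()
PUBLIC_DIR = os.path.join(ROOT, "public")
os.makedirs(PUBLIC_DIR)
with open(os.path.join(PUBLIC_DIR, "welcome.txt"), "w") as f:
    f.write("hello")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("db_password=constructed")


def read_file_vulnerable(user_name: str) -> str:
    """Joins user input straight into the path: the flaw described above.

    "../secret.txt" walks out of PUBLIC_DIR, and an absolute name such as
    "/etc/passwd" makes os.path.join discard PUBLIC_DIR entirely.
    """
    with open(os.path.join(PUBLIC_DIR, user_name)) as f:
        return f.read()


def read_file_hardened(user_name: str) -> str:
    """Resolve the final path (following ".." and symlinks) and require it
    to remain inside PUBLIC_DIR before opening it."""
    base = os.path.realpath(PUBLIC_DIR)
    target = os.path.realpath(os.path.join(base, user_name))
    # commonpath rather than startswith, so a sibling directory whose name
    # merely begins with the base name (e.g. "public2") is not accepted.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes web root: {user_name!r}")
    with open(target) as f:
        return f.read()


def try_hardened(user_name: str) -> str:
    """Report a rejection as a value instead of an exception, for the demo."""
    try:
        return read_file_hardened(user_name)
    except PermissionError:
        return "REJECTED"


if __name__ == "__main__":
    print("vulnerable:", read_file_vulnerable("../secret.txt"))  # leaks the secret
    for name in ("welcome.txt", "../secret.txt", "../../etc/passwd", "/etc/passwd"):
        print(f"hardened {name!r}:", try_hardened(name))
```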
A search of CISA's catalog of Known Exploited Vulnerabilities (KEV) shows that attackers have been exploiting directory traversal flaws in recent months. This is likely the trigger for CISA's guidance to eliminate directory traversal flaws. Below are some of the vulnerabilities known to have been leveraged by attackers in recent months, many with publicly available proof of concept (PoC) exploit code. Users of these applications should update their software to avoid becoming victims of cyber attacks.
CVE-2024-8963 in Ivanti Cloud Services Appliance (CSA)
CVE-2024-7262 in Kingsoft WPS Office
CVE-2021-20123 in Draytek VigorConnect
CVE-2024-23897 in Jenkins Command Line Interface (CLI)
CVE-2024-32113 in Apache OFBiz
CVE-2024-28995 in SolarWinds Serv-U
Directory traversal flaws remain a significant threat to software security, as demonstrated by CISA’s recent alert emphasizing their dangers. These vulnerabilities, often stemming from improper path validation or input sanitization, enable attackers to access files outside the intended directories and potentially compromise entire systems.
While "Secure By Design" is a valuable principle, ensuring its application in real-world software remains a challenge. Understanding the different forms of path traversal and their impact is essential for development teams aiming to deliver secure software products. Staying informed and vigilant is critical to defending against these types of exploits.