The advisory noted that despite approaches to avoid directory traversal vulnerabilities being readily available, their exploitation by threat actors is still on the rise, especially to impact critical services including hospital and school operations.
The prevalence of such vulnerabilities is apparent through CISA’s current listing of 58 path traversal vulnerabilities in its known exploited vulnerabilities (KEV) catalog.
Mitigations include auto-indexing or type limitation in file names
The advisory encourages developers to use “well-known and effective mitigations” to help prevent directory traversal vulnerabilities. These include generating an identifier for each file and storing associated metadata separately, and if that’s not possible, limiting the type of characters that can be supplied in the file names.
CISA pointed out that the above steps can also be applied in the case of cloud services, as they too are affected by these vulnerabilities, in conjunction with other known best approaches.
“CISA and FBI encourage manufacturers to learn how to protect their products from falling victim to these exploits and other preventable malicious activities in accordance to three advised principles,” the advisory added.
These principles include taking ownership of customer security outcomes, embracing transparency and accountability, and deploying organizational structure and leadership to achieve these goals.