May 3, 2024 at 09:10AM
CISA and the FBI issued a Secure by Design Alert about path traversal software vulnerabilities targeting critical infrastructure. These flaws enable unauthorized access to application files and directories, allowing threat actors to compromise systems. Urging organizations to eliminate these defects, the agencies emphasize a secure software development lifecycle and suggest mitigations provided by OWASP.
The key takeaways from the alert are:
1. CISA and the FBI issued a Secure by Design Alert about path traversal software vulnerabilities being exploited in attacks targeting critical infrastructure entities.
2. Path traversal flaws allow threat actors to manipulate files, access sensitive data, and potentially compromise systems.
3. Two recently exploited vulnerabilities of this class affect ConnectWise ScreenConnect (CVE-2024-1708) and Cisco AppDynamics Controller (CVE-2024-20345).
4. CISA and the FBI are urging organizations to ensure their software developers eliminate this class of security defects; CISA's Known Exploited Vulnerabilities (KEV) Catalog lists 55 path traversal flaws.
5. A secure by design software development lifecycle is crucial for eliminating security holes, including path traversal flaws, and organizations should incorporate risk mitigation from the design phase through product release and updates.
6. Known and effective mitigations include using random identifiers for files, storing metadata separately, limiting the number of characters in file names, and ensuring that uploaded files do not have execution permissions.
7. Organizations should test products against path traversal bugs and adhere to the principles of the secure by design guidance published in October 2023.
8. Fully implementing secure by design principles and practices can protect customers from a wide range of malicious attacks, and manufacturers are urged to publish their own secure by design roadmap.
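As an added illustration, not taken from the alert or the OWASP guidance it points to, the following Python upload handler applies the mitigations from takeaway 6: the on-disk path is a server-generated random identifier, the client-supplied name is length-limited and kept only as separate metadata, stored content is made non-executable, and a containment check confirms the resolved path stays under the storage root. The directory layout and the 64-character name limit are assumptions.

```python
import json
import os
import secrets
import tempfile
from pathlib import Path

MAX_NAME_LEN = 64  # assumed cap on the client-supplied display name

def contained(root: Path, candidate: Path) -> bool:
    """True only if candidate resolves to a location inside root."""
    try:
        candidate.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False

def store_upload(root: Path, client_name: str, data: bytes) -> str:
    """Write data under a server-chosen random id; keep the name as metadata."""
    if not client_name or len(client_name) > MAX_NAME_LEN:
        raise ValueError("rejected: empty or over-long file name")
    file_id = secrets.token_hex(16)  # the client name never shapes the path
    blob, meta = root / "blobs" / file_id, root / "meta" / (file_id + ".json")
    for p in (blob, meta):
        p.parent.mkdir(parents=True, exist_ok=True)
    blob.write_bytes(data)
    os.chmod(blob, 0o600)  # stored content is never executable
    meta.write_text(json.dumps({"original_name": client_name, "size": len(data)}))
    return file_id

def open_by_id(root: Path, file_id: str) -> bytes:
    """Serve a file by id only; reject anything that is not a 32-hex-digit id."""
    if len(file_id) != 32 or any(c not in "0123456789abcdef" for c in file_id):
        raise FileNotFoundError("malformed identifier")
    target = root / "blobs" / file_id
    if not contained(root / "blobs", target) or not target.is_file():
        raise FileNotFoundError("unknown or out-of-root identifier")
    return target.read_bytes()

def demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="uploads_"))  # scratch storage root
    fid = store_upload(root, "../../etc/passwd", b"constructed upload body")  # constructed hostile name
    try:
        open_by_id(root, "../meta/" + fid + ".json")
        rejected = False
    except FileNotFoundError:
        rejected = True
    meta = json.loads((root / "meta" / (fid + ".json")).read_text())
    return {"id": fid, "body": open_by_id(root, fid), "rejected": rejected,
            "in_root": contained(root, root / "blobs" / fid), "meta_name": meta["original_name"],
            "mode": os.stat(root / "blobs" / fid).st_mode & 0o777}
```

Running `demo()` shows the hostile display name surviving only inside the metadata record, while the stored blob sits under a random id inside the root with mode 0600 and the traversal-style lookup is refused.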
These takeaways highlight the importance of addressing path traversal flaws and implementing secure by design principles to protect software and systems from exploitation.