CISA, FBI urge developers to patch path traversal bugs before shipping
- by nlqip
The advisory noted that although approaches for avoiding directory traversal vulnerabilities are readily available, their exploitation by threat actors is still on the rise, particularly against critical services such as hospital and school operations.
The prevalence of such vulnerabilities is apparent through CISA’s current listing of 58 path traversal vulnerabilities in its known exploited vulnerabilities (KEV) catalog.
Mitigations include auto-indexing or type limitation in file names
The advisory encourages developers to use “well-known and effective mitigations” to help prevent directory traversal vulnerabilities. These include generating an identifier for each file and storing associated metadata separately, and if that’s not possible, limiting the type of characters that can be supplied in the file names.
CISA pointed out that the above steps can also be applied in the case of cloud services, as they too are affected by these vulnerabilities, in conjunction with other known best approaches.
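Both mitigations the advisory describes, as an added illustration that is not part of the original article or of CISA's guidance: the primary one (a server-generated identifier per file, with the untrusted name held only as metadata) and the fallback (an allowlist on file-name characters), plus a base-directory containment check as defence in depth. The class and function names, the allowlist pattern and the sample upload are all assumptions made for this example.

```python
import os
import re
import tempfile
import uuid

# Fallback mitigation: allowlist that cannot express a separator or "..";
# the first character must be alphanumeric, so "." and ".." never pass.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

class FileStore:
    """Primary mitigation: files live under a server-generated identifier and
    the user-supplied name is kept only as metadata, never in a path."""

    def __init__(self, base_dir):
        self.base_dir = os.path.realpath(base_dir)
        self.metadata = {}  # identifier -> original (untrusted) file name

    def save(self, user_name, data):
        file_id = uuid.uuid4().hex  # we choose the on-disk name, not the client
        with open(os.path.join(self.base_dir, file_id), "wb") as fh:
            fh.write(data)
        self.metadata[file_id] = user_name  # untrusted name stored separately
        return file_id

    def path_for(self, file_id):
        if file_id not in self.metadata:
            raise KeyError("unknown file identifier")
        return os.path.join(self.base_dir, file_id)

def validate_filename(user_name):
    """Fallback mitigation: reject any name outside the allowlist."""
    if not SAFE_NAME.fullmatch(user_name):
        raise ValueError("file name contains disallowed characters")
    return user_name

def safe_join(base_dir, user_name):
    """Defence in depth: even an allowlisted name must resolve inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, validate_filename(user_name)))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the base directory")
    return candidate

def demo(user_name="../../etc/passwd", data=b"constructed sample upload"):
    """Round-trip one upload with a traversal-style name through FileStore."""
    store = FileStore(tempfile.mkdtemp())  # constructed temporary base directory
    file_id = store.save(user_name, data)
    with open(store.path_for(file_id), "rb") as fh:
        return store, file_id, fh.read()
```

The traversal-style name in `demo` never reaches the filesystem: the file is written under the generated identifier and the name survives only in the metadata map.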
“CISA and FBI encourage manufacturers to learn how to protect their products from falling victim to these exploits and other preventable malicious activities in accordance with three advised principles,” the advisory added.
These principles include taking ownership of customer security outcomes, embracing transparency and accountability, and deploying organizational structure and leadership to achieve these goals.