Path traversal vulnerability elimination in software sought by feds | SC Media

Software firms have been urged by the FBI and Cybersecurity and Infrastructure Security Agency to ensure the absence of path traversal or directory traversal vulnerabilities in their products prior to shipping, BleepingComputer reports.

Such flaws, which can be exploited to achieve code execution and authentication bypass, can be mitigated by generating random identifiers for uploaded files and storing their metadata separately, restricting the characters allowed in file names, and stripping executable permissions from uploaded files, the agencies said in a joint advisory.

The alert follows separate attack campaigns that exploited directory traversal bugs, tracked as CVE-2024-1708 and CVE-2024-20345, to compromise U.S. critical infrastructure organizations.

“Directory traversal exploits succeed because technology manufacturers fail to treat user supplied content as potentially malicious, hence failing to adequately protect their customers. Vulnerabilities like directory traversal have been called ‘unforgivable’ since at least 2007. Despite this finding, directory traversal vulnerabilities (such as CWE-22 and CWE-23) are still prevalent classes of vulnerability,” said the agencies.
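The advisory's mitigations (random file identifiers, separately stored metadata, a restricted character set for names, no execute bit) can be applied together in a single upload handler. The following is an added example written for this article, not code from the advisory or from any product named above; the directory layout, the JSON metadata format and the sample filenames are assumptions.

```python
import json
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path

# Only this character set survives into the stored display name (assumed policy).
SAFE_NAME_RE = re.compile(r"[^A-Za-z0-9._-]")

def sanitize_display_name(user_supplied: str) -> str:
    """Reduce a client-supplied name to a restricted character set.
    The result is metadata only; it is never used to build a filesystem path."""
    base = os.path.basename(user_supplied.replace("\\", "/"))  # drop any directory part
    cleaned = SAFE_NAME_RE.sub("_", base).strip("._") or "upload"
    return cleaned[:128]

def store_upload(base_dir: Path, user_supplied_name: str, data: bytes) -> Path:
    """Write the bytes under a random id, record the original name in a separate
    metadata file, and create the file without an execute bit."""
    base_dir = base_dir.resolve()
    base_dir.mkdir(parents=True, exist_ok=True)
    file_id = secrets.token_hex(16)            # random, not derived from user input
    target = (base_dir / file_id).resolve()
    if target.parent != base_dir:              # defense in depth: must stay inside base_dir
        raise ValueError("resolved path escaped the upload directory")
    # O_EXCL refuses to clobber an existing file; mode 0o600 carries no execute bit.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    meta = {"id": file_id, "display_name": sanitize_display_name(user_supplied_name),
            "size": len(data)}
    (base_dir / f"{file_id}.json").write_text(json.dumps(meta))   # metadata kept apart
    return target

def is_executable(path: Path) -> bool:
    """True if any execute bit is set on the stored file."""
    return bool(path.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def demo() -> dict:
    """Constructed run: a traversal-style name is stored safely in a temp directory."""
    base = Path(tempfile.mkdtemp())
    saved = store_upload(base, "../../etc/passwd", b"constructed sample content")
    meta = json.loads((base / f"{saved.name}.json").read_text())
    return {"inside_base": saved.parent == base.resolve(),
            "executable": is_executable(saved),
            "display_name": meta["display_name"],
            "random_id": len(saved.name) == 32 and set(saved.name) <= set("0123456789abcdef")}
```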



Copyright © 2024 CyberRisk Alliance, LLC All Rights Reserved.