2023.11 - Adobe ColdFusion

Adobe ColdFusion Multiple vulnerability

1. Overview :

Adobe ColdFusion is a web application development platform provided by Adobe. This summary compiles the analysis of recently discovered remote code execution (RCE) vulnerabilities on this platform, namely CVE-2023-26360, CVE-2023-26361, CVE-2023-29298, and CVE-2023-38205.

2. Attack Types :

Adobe announced patches for vulnerabilities discovered in Adobe ColdFusion 2018 15 and 2021 5 versions in March of this year.

These vulnerabilities included two instances of Remote Code Execution (RCE) vulnerabilities caused by unsafe deserialization and one vulnerability allowing directory traversal for reading arbitrary files. Adobe addressed the unsafe deserialization vulnerability, CVE-2023-26360, with a patch.

1) CVE-2023-26360

Initially, this vulnerability was announced as CVE-2023-26359 and CVE-2023-26360, but subsequent analysis revealed that both vulnerabilities shared the same underlying issue, leading to a unified analysis.

This vulnerability occurs when sending a request to the .cfc endpoint of the Adobe ColdFusion service with the _cfclient parameter set to true, allowing serialized data to insert arbitrary file paths for execution. There are two attack methods:

• Storing a malicious Java class file (with extensions like .txt, .tmp, .cfc, etc.) in a location accessible to the Adobe ColdFusion installation directory and then accessing and executing the malicious Java class file.
• Injecting CFML tags containing malicious commands into existing files such as log files and enticing access to and execution of the malicious code within those files.

2) CVE-2023-26361

This vulnerability in the Adobe ColdFusion service allows reading arbitrary system files beyond the restricted directory scope. Although it does not require user interaction, it does necessitate administrative privileges.

Typically, this vulnerability is exploited in conjunction with CVE-2023-26360 by leveraging the "../" string to access files beyond the restricted directory scope.

3) CVE-2023-29298

Discovered after the March patch for Adobe ColdFusion this year, CVE-2023-29298 is an access control bypass vulnerability. Adobe announced a patch for this vulnerability in July this year.

By appending a "/" character to specific IP-restricted paths in Adobe ColdFusion, an attacker can bypass access control and gain access to the ColdFusion Administrator interface. Through this interface, sensitive information can be leaked, or an Admin account can be compromised via brute-force attacks.

This vulnerability can also be exploited in conjunction with CVE-2023-26360 to read arbitrary files within the server or execute malicious code.

4) CVE-2023-38205

This vulnerability, identified in July of this year, circumvents the patch for the Adobe ColdFusion CVE-2023-29298 vulnerability. It exploits shortcomings in the CVE-2023-29298 patch to bypass access controls.

Adobe addressed the CVE-2023-29298 vulnerability by adding methods to remove characters such as ".." or "/" from paths. Specifically, if the "/.." syntax is detected in a certain method, the preceding path containing this syntax is removed. However, subsequent access controls for .cfm or .cfc files were not implemented, allowing access to restricted cfc or cfm endpoints using this patch bypass.

Similar to CVE-2023-29298, this vulnerability can lead to the leakage of sensitive information or the compromise of Admin accounts through brute-force attacks. It can also be exploited in conjunction with CVE-2023-26360.

3.Response Measures :

Adobe has released patches for these vulnerabilities, so addressing them is possible by updating to Adobe ColdFusion 2018 version 17 or higher, and Adobe ColdFusion 2021 version 7 or higher.

In our AIWAF product, we detect attack syntaxes exploiting CVE-2023-26360 and CVE-2023-26361 using patterns named "Adobe ColdFusion Deserialization RCE" and "COLDFUSION Credential Disclosure," respectively. Additionally, CVE-2023-38205 is detected through the "Directory Access Detection" policy.

For CVE-2023-29298, attack syntaxes associated with CVE-2023-26360 are currently detected by the aforementioned patterns. However, additional analysis and pattern development are underway for attacks aimed solely at bypassing access control.

4.Conclusion :

Vulnerabilities discovered in Adobe ColdFusion, while having simple conditions, pose significant risks with a maximum CVSS score of 9.6. It is imperative to update to the latest version to mitigate these vulnerabilities.

Our AIWAF product actively develops patterns to address vulnerabilities in Adobe ColdFusion and will continue to promptly respond to any newly discovered vulnerabilities related to Adobe ColdFusion in the future.