Analytics Story: Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
Description
In July 2023, a significant vulnerability, CVE-2023-29298, affecting Adobe ColdFusion was uncovered by Rapid7, shedding light on an access control bypass mechanism. This vulnerability allows attackers to access sensitive ColdFusion Administrator endpoints by exploiting a flaw in the URL path validation. Disturbingly, this flaw can be chained with another critical vulnerability, CVE-2023-26360, which has been actively exploited. The latter enables unauthorized arbitrary code execution and file reading. Adobe has promptly addressed these vulnerabilities, but the intricacies and potential ramifications of their combination underscore the importance of immediate action by organizations. With active exploitation in the wild and the ability to bypass established security measures, the situation is alarming. Organizations are urged to apply the updates provided by Adobe immediately, considering the active threat landscape and the severe implications of these chained vulnerabilities.
Why it matters
Adobe ColdFusion, a prominent application server, has been thrust into the cybersecurity spotlight due to two intertwined vulnerabilities. The first, CVE-2023-29298, identified by Rapid7 in July 2023, pertains to an access control bypass in ColdFusion's security mechanisms. This flaw allows attackers to access protected ColdFusion Administrator endpoints simply by manipulating the URL path, specifically by inserting an additional forward slash. Compounding the threat is the revelation that CVE-2023-29298 can be chained with CVE-2023-26360, another severe ColdFusion vulnerability. This latter vulnerability, which has seen active exploitation, permits unauthorized attackers to execute arbitrary code or read arbitrary files on the affected system. In practice, an attacker could exploit the access control bypass to access sensitive ColdFusion endpoints and subsequently exploit the arbitrary code execution vulnerability, broadening their control and access over the targeted system. The consequences of these vulnerabilities are manifold. Attackers can potentially login to the ColdFusion Administrator with known credentials, bruteforce their way in, leak sensitive information, or exploit other vulnerabilities in the exposed CFM and CFC files. This combination of vulnerabilities significantly heightens the risk profile for organizations using the affected versions of Adobe ColdFusion. Addressing the urgency, Adobe released fixes for these vulnerabilities in July 2023, urging organizations to update to ColdFusion 2023 GA build, ColdFusion 2021 Update 7, and ColdFusion 2018 Update 17. However, Rapid7's disclosure highlights a potential incomplete fix, suggesting that organizations should remain vigilant and proactive in their security measures. In conclusion, the discovery of these vulnerabilities and their potential to be exploited in tandem presents a significant security challenge. Organizations using Adobe ColdFusion must prioritize the application of security updates, monitor their systems closely for signs of intrusion, and remain updated on any further developments related to these vulnerabilities.
Detections
Name | Technique | Type |
---|---|---|
Adobe ColdFusion Access Control Bypass | Exploit Public-Facing Application | TTP |
Adobe ColdFusion Unauthenticated Arbitrary File Read | Exploit Public-Facing Application | TTP |
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Suricata | N/A | suricata |
suricata |
References
- https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
- https://twitter.com/stephenfewer/status/1678881017526886400?s=20
- https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/
Source: GitHub | Version: 1