Security Alert: Exploit Chain Actively Hits ColdFusion

Attackers Drop Web Shell; Flaw Is Not Fixed, But Latest Patch Offers Protection
Warning: Hackers are actively exploiting a flaw in Adobe's ColdFusion rapid web application development platform to execute malicious code, researchers warned. While Adobe attempted to patch the flaw, attackers appear to have found a way to chain together multiple flaws to continue exploiting the vulnerability.
Security firm Rapid7 warned that it has seen multiple cases of attackers exploiting this chain of vulnerabilities, enabling them to bypass security controls in ColdFusion and create a web shell.
One of the targeted vulnerabilities, designated CVE-2023-29298, is a critical flaw, meaning it can be used by attackers to run arbitrary code on a targeted system. "An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints," the National Vulnerability Database says, referring to two different types of ColdFusion components that allow developers to use object-oriented programming techniques in the web pages they generate. "Exploitation of this issue does not require user interaction."
Adobe ostensibly patched the flaw on July 11 via a set of updates for ColdFusion versions 2018, 2021 and 2023.
The same patches also attempted to fix a flaw Adobe classified as important, which allows for improper restriction of excessive authentication attempts, designated CVE-2023-29301, and a critical deserialization of untrusted data flaw, designated CVE-2023-29300.
Rapid7's managed detection and response team says that, based on in-the-wild attacks it has been tracking, Adobe's patch for CVE-2023-29298 failed to prevent the vulnerability from being exploited in conjunction with a second vulnerability, which appears to be a deserialization of untrusted data flaw, designated CVE-2023-38203. Adobe patched this bug via out-of-band ColdFusion updates released Friday.
Details for how to exploit CVE-2023-38203 appear to have been contained in a now-deleted blog post published by security researcher Harsh Jaiswal at open-source cybersecurity firm Project Discovery, which reported the CVE-2023-29300 flaw to Adobe.
Project Discovery published its blog Wednesday, one day after Adobe had issued a patch designed to prevent CVE-2023-29300 from being exploited. While the details of a vulnerability that is being actively exploited remain unknown, such attacks are described as zero-day exploits. Once the details of a vulnerability are known, researchers refer to such attacks as n-day exploits.
Rapid7 said the Project Discovery team - and by extension likely Adobe - didn't realize that what they had detailed in their blog post was a zero-day exploit.
"It's highly likely that Project Discovery thought they were publishing an n-day exploit for CVE-2023-29300 in their July 12 blog post," Rapid7 says. "Adobe published a fix for CVE-2023-29300, which is a deserialization vulnerability that allows for arbitrary code execution, on July 11. In actuality, what Project Discovery had detailed was a new zero-day exploit chain."
Adobe attempted to fix this zero-day exploit chain in a ColdFusion update on Friday.
Rapid7 said Adobe's update to address CVE-2023-29298 didn't fix the problem and that "a trivially modified exploit still works against the latest version of ColdFusion - released July 14." That said, the Friday patch does appear to block the second part of the exploit chain - CVE-2023-29300. Hence Rapid7 recommends that all ColdFusion users immediately install the July 14 release to stay protected until Adobe issues more fixes.
"There is currently no mitigation for CVE-2023-29298, but the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability for full execution on target systems," Rapid7 says. "Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing."
Adobe said it is preparing a fresh fix. "We are aware of the bypass reports and are currently developing a more comprehensive resolution," a spokeswoman told Information Security Media Group. "Our team will release an update as soon as it is available."