Update 7/17/23: The article was updated due to a mistaken warning added by Adobe to its email notification. However, a newer version of the bug was seen by Rapid7 to be actively exploited.
Hackers are actively exploiting two ColdFusion vulnerabilities to bypass authentication and remotely execute commands to install webshells on vulnerable servers.
The active exploitation was seen by researchers at Rapid7, which says threat actors are chaining together exploits for an access control bypass vulnerability (CVE-2023-29298) and what appears to be CVE-2023-38203, a critical remote code execution vulnerability.
On July 11th, Adobe disclosed a ColdFusion authentication bypass tracked as CVE-2023-29298, discovered by Rapid7 researchers Stephen Fewer, and a pre-auth RCE vulnerability tracked as CVE-2023-29300, discovered by CrowdStrike researcher Nicolas Zilio.
CVE-2023-29300 is a deserialization vulnerability rated as critical with a 9.8 severity rating, as it can be used by unauthenticated visitors to remotely execute commands on vulnerable Coldfusion 2018, 2021, and 2023 servers in low-complexity attacks.
While the vulnerability was not exploited then, a recently-removed technical blog post by Project Discovery was published on July 12th that contains a proof-of-concept exploit for CVE-2023-29300.
According to Project Discovery’s now-removed blog post, the vulnerability stems from insecure deserialization in the WDDX library.
“In conclusion, our analysis revealed a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021 (Update 6),” explains the Project Discovery blog post.
“By exploiting this vulnerability, we were able to achieve remote code execution. The issue stemmed from a unsafe use of Java Reflection API that allowed the invocation of certain methods.”
Rapid7 says that Adobe fixed this vulnerability by adding a deny list for the Web Distributed Data eXchange (WDDX) library to prevent the creation of malicious gadget chains.
“Adobe is likely unable to remove this WDDX functionality completely, as that would break all the things that rely on it, so instead of prohibiting deserialization of WDDX data, they implement a denylist of Java class paths that cannot be deserialized (so an attacker cannot specify a deserialization gadget located in these class paths),” explains a report by Rapid7.
On July 14th, Adobe released an out-of-band security update for CVE-2023-38203, which Project Discovery discovered.
Rapid7 believes this vulnerability bypasses the CVE-2023-29300 flaw, with the researchers finding a usable gadget chain to achieve remote code execution.
Adobe’s OOB security update once again updates the deny list to prevent a gadget through the ‘com.sun.rowset. JdbcRowSetImpl’ class, which was the class used in Project Discover’s PoC exploit.
Unfortunately, while that vulnerability appears to be fixed, Rapid7 says that they discovered today that the fix for their CVE-2023-29298 flaw can still be bypassed, so we should expect another patch by Adobe soon,
Exploited in attacks
Adobe recommends that admins’ lockdown‘ ColdFusion installations to increase security and offer better defense against attacks.
However, the Project Discovery researchers warned that CVE-2023-29300 (and likely CVE-2023-38203) could be chained with CVE-2023-29298 to bypass lockdown mode.
“To exploit this vulnerability, typically, access to a valid CFC endpoint is necessary. However, if the default pre-auth CFC endpoints cannot be accessed directly due to ColdFusion lockdown mode, it is possible to combine this vulnerability with CVE-2023-29298,” concludes Project Discovery’s technical writeup.
“This combination enables remote code execution against a vulnerable ColdFusion instance, even when it is configured in locked-down mode.”
Today, Rapid7 says that they began seeing attackers chain exploits for the CVE-2023-29298 flaw and what appears to be the exploit demonstrated in Project Discovery’s writeup on July 13th, a day after the technical writeup was published.
The attackers use these exploits to bypass security and install webshells on vulnerable ColdFusion servers to gain remote access to devices.
These webshells have been seen in the following folder:
While Rapid7 says there is currently no patch to fix CVE-2023-29298 fully, the exploit requires a second vulnerability, such as CVE-2023-38203. Therefore, installing the latest ColdFusion version will prevent the exploit chain.
“Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing,” advises Rapid7.
Due to its exploitation in attacks, admins are strongly advised to upgrade ColdFusion to the latest version to patch the flaw as soon as possible.
7/17/23: Article updated with information from Rapid7 and Adobe stating they mistakenly warned that CVE-2023-29300 was exploited.