Adobe has fixed critical code execution vulnerabilities in ColdFusion, and Rapid7 warn that hackers have already attacked these issues.
Last week, Adobe reported a ColdFusion authentication bypass issue (CVE-2023-29298) discovered by Rapid7 and a pre-auth remote code execution vulnerability (CVE-2023-29300) discovered by CrowdStrike researchers.
Critical vulnerability CVE-2023-29300 is related to deserialization (9.8 points on the CVSS scale) and can be used by unauthorized visitors to remotely execute commands on vulnerable Coldfusion 2018, 2021 and 2023 servers.
Let me remind you that we also wrote that Adobe developers fixed critical vulnerabilities in Magento, Adobe Illustrator and Bridge, and also that Adobe users suffer from malicious ads on porn sites.
By the way, information security specialists wrote that most often viruses bypass protection in Skype, Adobe Acrobat and VLC.
Although at the time of the release of the patch, the vulnerability had not yet been exploited by attackers, on July 12, an entry containing an exploit for CVE-2023-29300 was published on the Project Discovery blog. This post has now been deleted.
According to Project Discovery experts, the vulnerability is related to insecure deserialization in the WDDX library (WDDX in Adobe ColdFusion 2021 (Update 6).
According to Rapid7 analysts, Adobe fixed this vulnerability by adding a Deny List to the Web Distributed Data eXchange (WDDX) library to prevent the creation of malicious gadget chains. Moreover, the researchers noted that Adobe cannot completely remove this functionality of WDDX, “as this would lead to the breakdown of everything that relies on it.” Therefore, instead of completely denying deserialization, a denylist was used for Java class paths that cannot be deserialized.
In addition, on July 14, Adobe released an extraordinary patch for another vulnerability, CVE-2023-38203, which was also discovered in Project Discovery. According to Rapid7 researchers, this vulnerability helps exploit CVE-2023-29300 and achieve remote code execution.
Unfortunately, despite the release of the patch, the fix for CVE-2023-29298 can still be bypassed, so Rapid7 analysts expect another fix from Adobe to appear soon.
For now, Adobe recommends that administrators “lock down” ColdFusion installations to increase security and better protect against attacks. However, Project Discovery warns that CVE-2023-29300 (and likely CVE-2023-38203) can be used in conjunction with CVE-2023-29298 to bypass this block.
Worse, according to Rapid7, attackers are already using exploit chains, combining the use of CVE-2023-29298 with an exploit from the Project Discovery report.
Hackers use these exploits to bypass security, install web shells on vulnerable ColdFusion servers, and gain remote access to devices. These web shells can usually be found in the folder: .\ColdFusion11\cfusion\wwwroot\CFIDE\ckeditr.cfm.
Although Rapid7 explains that there is currently no patch available to fully fix CVE-2023-29298, a second vulnerability, such as CVE-2023-38203, is still required to exploit the problem. Therefore, installing the latest version of ColdFusion that fixes CVE-2023-38203 should be enough to protect you.
Since the hackers have already begun their attacks, administrators are strongly advised to update ColdFusion to the latest version as soon as possible.
