Exploit Chain Actively Exploits ColdFusion

Warning: Hackers are actively exploiting a flaw in Adobe’s ColdFusion rapid web application development platform to execute malicious code, researchers warn. While Adobe attempted to patch the flaw, attackers appear to have found a way to chain together multiple flaws to continue exploiting the vulnerability.

See Also: JavaScript and Blockchain: Technologies You Can’t Ignore

Security firm Rapid7 warns that it’s seen multiple cases of attackers exploiting this chain of vulnerabilities, enabling attackers to bypass security controls in ColdFusion and create a webshell.

One of the targeted vulnerabilities, designated CVE-2023-29298, is a critical flaw, meaning it can be used by attackers to run arbitrary code on a targeted system. “An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints,” referring to two different types of ColdFusion components, which allow developers to use object-oriented programming techniques in the web pages they generate,” according to the National Vulnerability Database. “Exploitation of this issue does not require user interaction.”

Adobe ostensibly patched the flaw on July 11 via a set of updates for ColdFusion versions 2018, 2021 and 2023.

The same patches also attempted to fix an “important” flaw allowing for improper restriction of excessive authentication attempts, designated CVE-2023-29301, and a critical deserialization of untrusted data flaw, designated CVE-2023-29300.

Rapid7’s managed detection and response team says that, based on in-the-wild attacks it’s been tracking, Adobe’s patch for CVE-2023-29298 failed to prevent the vulnerability from being exploited in conjunction with a second vulnerability, which appears to be a deserialization of untrusted data flaw, designated CVE-2023-38203. Adobe patched this bug via out-of-band ColdFusion updates released Friday.

Details for how to exploit CVE-2023-38203 appear to have been contained in a now-deleted blog post published by security researcher Harsh Jaiswal at open source cybersecurity firm Project Discovery, which reported the CVE-2023-29300 flaw to Adobe.

Project Discovery published its blog Wednesday, one day after Adobe issued a patch designed to prevent CVE-2023-29300 from being exploited. While details of a vulnerability that’s being actively exploited remain unknown, such attacks get described as zero-day exploits. Once details of a vulnerability are known, researchers refer to such attacks as an n-day exploit.

Worked on this Adobe Coldfusion RCE with @iamnoooob. Diving into java codebases always leave us with a lot of learning. https://t.co/k46ztAoReB— Harsh Jaiswal (@rootxharsh) July 13, 2023

Rapid7 says the Project Discovery team – and by extension likely Adobe – didn’t realize that what they’d detailed in their blog post was a zero-day exploit.

“It’s highly likely that Project Discovery thought they were publishing an n-day exploit for CVE-2023-29300 in their July 12 blog post,” Rapid7 says. “Adobe published a fix for CVE-2023-29300, which is a deserialization vulnerability that allows for arbitrary code execution, on July 11. In actuality, what Project Discovery had detailed was a new zero-day exploit chain.”

Adobe attempted to fix this zero-day exploit chain in a July 14 ColdFusion update.

Rapid7 says Adobe’s update to address CVE-2023-29298 didn’t fix the problem, and that “a trivially modified exploit still works against the latest version of ColdFusion – released July 14.” That said, the July 14 patch does appear to block the second part of the exploit chain – CVE-2023-29300. Hence they recommend all ColdFusion users immediately install the July 14 release to keep them protected until Adobe issues more fixes.

“There is currently no mitigation for CVE-2023-29298, but the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability for full execution on target systems,” Rapid7 says. “Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing.”