A remote code execution vulnerability in Adobe ColdFusion was recently patched but is still being exploited in the wild on servers where the patch has not been applied.
PUBLISH DATE: 12-NOV-2018
An Adobe ColdFusion vulnerability is being exploited by attackers worldwide, despite the release of a patch two weeks earlier. It is a critical unrestricted file upload vulnerability that can lead to arbitrary code execution. Servers that did not apply the patch in time have been compromised.
The vulnerability is actively being exploited to compromise unpatched servers, even though no public details or proof-of-concept code have been released.
Researchers say that a Chinese APT group exploited the issue directly by uploading a China Chopper webshell. The only update the targeted server was missing was the one addressing this Adobe ColdFusion unrestricted file upload vulnerability, which is why they consider this flaw to be the one exploited.
In September, Adobe released updates fixing multiple vulnerabilities, including an unauthenticated file upload vulnerability. Modern versions of ColdFusion include the WYSIWYG rich text editor CKEditor; previous versions shipped the older WYSIWYG editor, FCKeditor. It appears that when Adobe replaced FCKeditor with CKEditor, it inadvertently introduced an unauthenticated file upload vulnerability.
The vulnerability is easily exploited with a single HTTP POST request to the file upload.cfm, which is not restricted and requires no authentication.
The group uploaded the JSP version of China Chopper and executed commands on the affected web server. ColdFusion attempts to restrict uploads by blocking the following extensions, but in the default configuration the block list does not include the .jsp extension:
<cfset settings.disfiles = "cfc,exe,php,asp,cfm,cfml">
A directory modification issue through the 'path' form variable also existed, which allowed the attackers to change the directory where uploaded files are placed. As a result, merely adding .jsp to the block list would not solve the issue, because an attacker could still place another script or executable file elsewhere on the system.
In the update and the accompanying security bulletin, Adobe added the .jsp file extension to the block list and also addressed the path modification issue.
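The two defects described above, modelled in Python as an added example (this is not Adobe's code and not the patch). DISFILES is the block list quoted above; the upload root, the allow-list and the 'path' form-field handling are assumptions. The hardened handler below uses an extension allow-list plus a containment check on the resolved destination, which is stricter than Adobe's own fix of adding .jsp to the block list.

```python
# Added example (not Adobe's code): a Python model of the two defects the
# advisory describes, beside a stricter check. DISFILES is the block list
# quoted on the page; UPLOAD_ROOT, ALLOWED_EXT and the form-field names are
# assumptions made for illustration.
import posixpath

DISFILES = "cfc,exe,php,asp,cfm,cfml"        # pre-patch block list from the page
UPLOAD_ROOT = "/var/www/wwwroot/userfiles"   # assumed upload directory
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}  # assumed allow-list for the hardened handler


def extension(filename):
    """Return the lower-cased extension, or '' when there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def blocked_by_list(filename, disfiles=DISFILES):
    """Pre-patch style check: refuse only extensions named in disfiles.
    .jsp is not in the list, so a JSP webshell is accepted."""
    return extension(filename) in {e.strip().lower() for e in disfiles.split(",")}


def weak_destination(path_field, filename):
    """Pre-patch style placement: the client-supplied 'path' form value is
    joined onto the upload root unchecked, so '../' (or an absolute path)
    escapes the upload directory."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, path_field, filename))


def hardened_destination(path_field, filename):
    """Allow-list the extension, drop any directory part of the file name and
    refuse a resolved destination outside UPLOAD_ROOT. Returns None on reject."""
    base = posixpath.basename(filename)
    if extension(base) not in ALLOWED_EXT:
        return None
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, path_field, base))
    if dest != UPLOAD_ROOT and not dest.startswith(UPLOAD_ROOT + "/"):
        return None
    return dest


if __name__ == "__main__":
    print(blocked_by_list("shell.jsp"))                   # False: the webshell passes
    print(weak_destination("../CFIDE", "shell.jsp"))      # lands in /var/www/wwwroot/CFIDE
    print(hardened_destination("../CFIDE", "shell.jsp"))  # None: rejected twice over
    print(hardened_destination("avatars", "me.png"))      # stays inside the upload root
```

The containment check matters even with a clean allow-list: an image upload sent with path "../CFIDE" or "/etc" is still a write outside the intended directory, which is exactly the path modification issue the bulletin fixed.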
A large number of sites showed signs of attempted webshell uploads or hosted HTML files designed to show that they had been defaced.
Affected versions:
ColdFusion 11 (Update 14 and earlier)
ColdFusion 2016 (Update 6 and earlier)
ColdFusion 2018 (July 12 release)
All affected products should be updated to the latest supported versions as soon as possible. Enable the 'Automatically Check for Updates' option and set the check frequency to 'daily'.
E-mail notification settings should also be configured so that the responsible people are notified whenever updates are available.
Access to the ColdFusion Administrator (typically reachable at /CFIDE/administrator) should be restricted to approved IP addresses.
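A small access-log triage script for the indicators discussed on this page (POSTs to upload.cfm, follow-up requests to a .jsp webshell, and Administrator access from unapproved addresses), added here as an example; it is not code from the original report, Adobe or Volexity. The log lines are constructed samples in Apache combined format, the directory containing upload.cfm and the /uploads path are assumptions (the detector matches only on the file name), and 10.0.0.0/8 stands in for whatever management range you actually approve.

```python
# Added example (not from the page, Adobe or the researchers): minimal
# access-log triage for the indicators described in the article.
# SAMPLE_LOG is constructed; the upload.cfm directory, /uploads and the
# approved management network are assumptions.
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
198.51.100.4 - - [08/Nov/2018:10:11:58 +0000] "GET /index.cfm HTTP/1.1" 200 8123
203.0.113.7 - - [08/Nov/2018:10:12:01 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?path=../../uploads HTTP/1.1" 200 512
203.0.113.7 - - [08/Nov/2018:10:12:04 +0000] "POST /uploads/shell.jsp HTTP/1.1" 200 1044
10.0.0.5 - - [08/Nov/2018:10:15:30 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3301
203.0.113.7 - - [08/Nov/2018:10:16:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3301
"""

APPROVED_ADMIN_NETS = [ip_network("10.0.0.0/8")]  # assumed management range


def parse(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["url"]).path  # strip the query string
    return rec


def is_approved(ip, approved_nets):
    try:
        addr = ip_address(ip)
    except ValueError:          # not an IP literal: treat as unapproved
        return False
    return any(addr in net for net in approved_nets)


def scan(lines, approved_nets=APPROVED_ADMIN_NETS):
    """Return (kind, client_ip, path) findings in log order.

    upload_post        POST to any upload.cfm (the unauthenticated endpoint)
    jsp_after_upload   request for a .jsp by a client that POSTed to upload.cfm
    jsp_request        request for a .jsp with no prior upload seen
    admin_unapproved_ip  /CFIDE/administrator hit from outside approved_nets
    """
    findings = []
    uploaders = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path, method = rec["ip"], rec["path"], rec["method"].upper()
        lower = path.lower()
        if method == "POST" and lower.rsplit("/", 1)[-1] == "upload.cfm":
            uploaders.add(ip)
            findings.append(("upload_post", ip, path))
        elif lower.endswith(".jsp"):
            kind = "jsp_after_upload" if ip in uploaders else "jsp_request"
            findings.append((kind, ip, path))
        if lower.startswith("/cfide/administrator") and not is_approved(ip, approved_nets):
            findings.append(("admin_unapproved_ip", ip, path))
    return findings


if __name__ == "__main__":
    for kind, ip, path in scan(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {ip:15} {path}")
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines. The correlation is deliberately simple (same client IP); an attacker who uploads from one address and drives the shell from another still produces a jsp_request finding, which on a ColdFusion site that serves no JSP pages of its own is worth a look on its own.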