Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE-2018-15443 – Cisco Firepower Detection Engine TCP Intrusion Prevention System Rule Bypass Vulnerability
November 9, 2018Rewterz Threat Advisory – Microsoft Windows Server 2012 / Windows RT 8.1 / 8.1 Multiple Vulnerabilities
November 14, 2018
A remote code execution vulnerability in the Adobe ColdFusion was recently patched, but is still being exploited in the wild because patch was not applied.
IMPACT: CRITICAL
PUBLISH DATE: 12-NOV-2018
OVERVIEW
Adobe ColdFusion vulnerability is being exploited by attackers worldwide, despite the release of a patch two weeks earlier. It’s a critical vulnerability allowing for unrestricted file upload, that may lead to arbitrary code execution. Servers not applying timely patches have been compromised.
ANALYSIS
A vulnerability in the Adobe ColdFusion is actively being exploited to compromise unpatched servers, even though public details or proof-of-concept code has not been released.
Researchers say that a Chinese APT group directly exploited the issue by uploading a China Chopper web-shell. The only update that the target server was missing addressed this Adobe ColdFusion unrestricted file upload vulnerability, which makes them consider this flaw as the one exploited.
Earlier in September, Adobe released updates fixing multiple vulnerabilities including an unauthenticated file upload vulnerability. Modern versions of ColdFusion include the WYSIWYG rich text editor CKEditor. In previous version of ColdFusion, Adobe packaged the older WYSIWYG editor, FCKeditor. It appears that when Adobe decided to replace FCKeditor with CKEditor, they inadvertently introduced an unauthenticated file upload vulnerability.
The vulnerability is easily exploited through a simple HTTP POST request to the file upload.cfm, which is not restricted and does not require any authentication.
The group uploaded the JSP version of China Chopper and executed commands on the impacted web server. While ColdFusion attempts to restrict the file types with following extensions, it fails to restrict files with .jsp file extension in the default configuration.
<cfset settings.disfiles = “cfc,exe,php,asp,cfm,cfml”>
A directory modification issue through the ‘path-form’ variable also exists that allowed them to change the directory to where uploaded files would be placed. As a result, putting .jsp on the blocklist won’t solve the issue as the attackers could still place another script or executable file somewhere on the system.
In the update and a security bulletin, Adobe included the .jsp file extension in the block list and also addressed the path modification issue.
Large number of sites showed signs of attempted webshell uploads or had HTML files designed to show they had been defaced.
AFFECTED PRODUCTS
ColdFusion 11 (Update 14 and earlier)
ColdFusion 2016 (Update 6 and earlier)
ColdFusion 2018 (July 12 release)
RECOMMENDATIONS
It is recommended that all products should be updated to the latest supported versions as soon as possible. Enable the Automatically Check for Updates option. Set the frequency of check for updates option to ‘daily’.
Moreover, appropriate e-mail settings should be configured to ensure that responsible people are notified of updates whenever they are available.
Only approved IP addresses should be allowed to access ColdFusion using Administrator accounts (typically accessible via /CFIDE/administrator).