
Hackers Exploit Multiple Adobe ColdFusion Vulnerabilities


Adobe has recently patched multiple vulnerabilities in ColdFusion, its widely used commercial rapid web application development platform. Among them, CVE-2023-29298 is noteworthy because attackers are actively exploiting it, chained with a deserialization flaw, to bypass access controls, execute commands remotely, and install webshells on vulnerable servers.

According to the cybersecurity firm Rapid7, exploitation of Adobe ColdFusion was observed beginning July 13. The attackers chained two vulnerabilities: CVE-2023-29298, an access control bypass, and what appears to be CVE-2023-38203, a deserialization flaw that had not yet been patched when the attacks were seen. ColdFusion deployments were therefore under attack before a fix existed for one of the two bugs.

The situation was further complicated when Project Discovery, a security research group, published a blog post containing what it believed was an n-day exploit for CVE-2023-29300, which Adobe had already patched. The CVE-2023-29300 patch addresses deserialization of classes in ColdFusion's WDDX data by denying a class path, so that known gadget chains are blocked without disrupting existing dependencies. The published exploit, however, used a class path that this patch did not deny, which made it in effect a new zero-day. Adobe responded with an out-of-band update on July 14, tracked as CVE-2023-38203, that denies that class path as well and blocks the exploit.

Despite these fixes, Rapid7 researchers found that the patch for CVE-2023-29298 is incomplete: a modified version of their exploit still works against the latest ColdFusion release. There is currently no mitigation for the bypass itself, but because the observed attacks chain it with CVE-2023-38203, updating to a version that fixes CVE-2023-38203 breaks the attack chain seen in the wild.

The vulnerabilities affect several ColdFusion versions. Vulnerable to CVE-2023-38203 are Adobe ColdFusion 2023 Update 1, Adobe ColdFusion 2021 Update 7 and earlier, and Adobe ColdFusion 2018 Update 17 and earlier. The patched versions are Adobe ColdFusion 2023 Update 2, Adobe ColdFusion 2021 Update 8, and Adobe ColdFusion 2018 Update 18. Note that these patched versions fix CVE-2023-38203 but, because of the incomplete patch, remain vulnerable to CVE-2023-29298.

Rapid7 researchers also identified, in Internet Information Services (IIS) logs, several POST requests that exploited these vulnerabilities. All of them were sent to the same ColdFusion component, accessmanager.cfc, which makes that path a practical pivot for hunting in your own logs.

For detection, Rapid7 has published rules that cover webshells, attacker techniques, attacker tools, PowerShell usage, and suspicious processes. Deploying these rules improves the ability to identify and respond to attacks that use these vulnerabilities.
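One way to turn the two observations above (POST requests to accessmanager.cfc in IIS logs, plus the published indicators) into a log hunt. This is an added example, not code from the article or from Rapid7; SAMPLE_LOG is constructed in the W3C extended format IIS writes, the 203.0.113.x and 198.51.100.x client addresses are documentation ranges rather than indicators, and the only indicators used are the ones the article lists.

```python
"""Hunt for the ColdFusion exploitation indicators described above in IIS logs.

Added example, not from the article or Rapid7. SAMPLE_LOG is constructed in
the W3C extended format IIS writes; the 203.0.113.x and 198.51.100.x client
addresses are documentation ranges, not indicators.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Tuple

# Indicators exactly as listed in the article.
IOC_IPS = {"62.233.50.13", "5.182.36.4", "195.58.48.155"}
WEBSHELL_NAME = "ckeditr.cfm"           # webshell file name from the IOC list
TARGET_COMPONENT = "accessmanager.cfc"  # endpoint the observed POSTs targeted

# Constructed sample (query strings left as '-' rather than guessing exploit parameters).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-07-13 06:12:01 10.0.0.5 GET /index.cfm - 443 198.51.100.7 Mozilla/5.0 200
2023-07-13 06:12:09 10.0.0.5 POST /CFIDE/adminapi/accessmanager.cfc - 443 62.233.50.13 python-requests/2.31 200
2023-07-13 06:12:15 10.0.0.5 GET /CFIDE/adminapi/accessmanager.cfc - 443 198.51.100.7 Mozilla/5.0 200
2023-07-13 06:13:40 10.0.0.5 GET /ckeditr.cfm - 443 203.0.113.9 curl/8.1.2 200
2023-07-13 06:14:02 10.0.0.5 GET /about.cfm - 443 5.182.36.4 Mozilla/5.0 200
"""


@dataclass
class Hit:
    line_no: int
    client_ip: str
    method: str
    uri_stem: str
    reasons: List[str] = field(default_factory=list)


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field -> value) for each entry, honouring every #Fields header.

    IIS writes literal spaces inside a field as '+', so splitting on single spaces is safe.
    """
    fields: List[str] = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the field list can change mid-file after an IIS restart
            continue
        if line.startswith("#"):           # #Software, #Version, #Date
            continue
        if not fields:
            raise ValueError(f"line {n}: entry appears before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {n}: expected {len(fields)} fields, got {len(values)}")
        yield n, dict(zip(fields, values))


def hunt(log_text: str) -> List[Hit]:
    """Return one Hit per log entry that matches at least one indicator."""
    hits: List[Hit] = []
    for n, rec in parse_w3c(log_text.splitlines()):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        client_ip = rec.get("c-ip", "")
        name = posixpath.basename(stem).lower()   # IIS paths are case-insensitive
        reasons: List[str] = []
        # The article reports POSTs to this component; a GET is deliberately left
        # unflagged here, although /CFIDE/adminapi/ reachable from the internet is worth a look.
        if method == "POST" and name == TARGET_COMPONENT:
            reasons.append("POST to accessmanager.cfc")
        if name == WEBSHELL_NAME:
            reasons.append("request for ckeditr.cfm webshell")
        if client_ip in IOC_IPS:
            reasons.append("client IP in published IOC list")
        if reasons:
            hits.append(Hit(n, client_ip, method, stem, reasons))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client_ip} {hit.method} {hit.uri_stem} <- {'; '.join(hit.reasons)}")
```

Run against the constructed sample, the hunt flags the POST to accessmanager.cfc from an IOC address, the request for ckeditr.cfm, and an otherwise ordinary request from a second IOC address; the GET to accessmanager.cfc from a non-IOC address is left alone, which is a tuning choice you may want to revisit if the admin API should not be reachable from outside at all.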

To mitigate these vulnerabilities, all users of Adobe ColdFusion should update to the latest available version promptly. Blocking the oastify[.]com domain, which the observed exploits use for out-of-band callbacks, is also advised. Adobe's July 14 advisory further recommends using the serialfilter.txt file in the ColdFusion /lib directory to denylist packages containing known deserialization gadgets.
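To see what the serialfilter.txt denylist recommended above actually does, and why the CVE-2023-29300 patch described earlier did not stop an exploit that used a different class path, here is a Python model of the pattern syntax that ColdFusion's serialfilter.txt feeds into Java's ObjectInputFilter (JEP 290). It is an added example, not Adobe's or ColdFusion's code and not the real contents of serialfilter.txt: the filter strings are illustrative, and com.sun.rowset.JdbcRowSetImpl stands in as a well-known deserialization gadget class because the article does not name the class path the attackers used.

```python
"""Model of the Java ObjectInputFilter (JEP 290) pattern syntax used by
ColdFusion's serialfilter.txt.

Added example, not Adobe's or ColdFusion's code. The filter strings below are
illustrative and are not the real contents of serialfilter.txt; the gadget
class name is a well-known one chosen for illustration, since the article does
not say which class path the attackers used.
"""
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Status(Enum):
    ALLOWED = "ALLOWED"
    REJECTED = "REJECTED"
    UNDECIDED = "UNDECIDED"  # no pattern matched; the JVM treats this as allowed unless another filter rejects


def parse_filter(filter_text: str) -> List[Tuple[bool, str]]:
    """Split a JEP 290 filter string into ordered (reject, pattern) pairs.

    Entries are ';'-separated; a leading '!' means reject. Resource limits
    such as maxdepth=20 are skipped because they are not class patterns.
    """
    rules: List[Tuple[bool, str]] = []
    for entry in filter_text.split(";"):
        entry = entry.strip()
        if not entry or "=" in entry:
            continue
        reject = entry.startswith("!")
        rules.append((reject, entry[1:] if reject else entry))
    return rules


def pattern_matches(pattern: str, class_name: str) -> bool:
    """JEP 290 matching rules: '*' matches everything, 'pkg.**' matches the
    package and all subpackages, 'pkg.*' matches only classes directly in that
    package, and any other pattern must equal the class name exactly."""
    if pattern == "*":
        return True
    if pattern.endswith(".**"):
        return class_name.startswith(pattern[:-2])  # keep the trailing '.'
    if pattern.endswith(".*"):
        prefix = pattern[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    return class_name == pattern


def check_class(filter_text: str, class_name: str) -> Status:
    """The first matching pattern decides, as in ObjectInputFilter.Config.createFilter."""
    for reject, pattern in parse_filter(filter_text):
        if pattern_matches(pattern, class_name):
            return Status.REJECTED if reject else Status.ALLOWED
    return Status.UNDECIDED


def audit(filter_text: str, class_names: Iterable[str]) -> Dict[str, Status]:
    """Evaluate a set of classes (e.g. those named in a WDDX payload) against one filter."""
    return {c: check_class(filter_text, c) for c in class_names}


# Illustrative denylist that blocks two common gadget packages but says nothing
# about com.sun.rowset: the shape of the problem the article describes, where a
# patch denied one class path and the exploit used another.
INITIAL_FILTER = "!org.apache.commons.collections.**;!com.sun.org.apache.xalan.internal.xsltc.trax.**;maxdepth=20"
# Hardened variant: the missing package is denied as well.
HARDENED_FILTER = "!com.sun.rowset.**;" + INITIAL_FILTER
GADGET = "com.sun.rowset.JdbcRowSetImpl"  # well-known JNDI-based gadget, used here for illustration only


if __name__ == "__main__":
    for label, flt in (("initial", INITIAL_FILTER), ("hardened", HARDENED_FILTER)):
        for cls, status in audit(flt, [GADGET, "java.util.HashMap"]).items():
            print(f"{label:8} {cls:40} {status.value}")
```

The distinction that matters operationally is REJECTED versus UNDECIDED. A class you never listed is not denied, only undecided, and the JVM lets undecided classes through unless some other filter objects, so a denylist has to be revisited each time a new gadget surfaces. Where an application's serialized types are known, an allowlist of the form java.**;!* (permit what you expect, then reject everything else) closes that gap.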

The indicators of compromise (IOCs) associated with these exploits include the IP addresses 62.233.50[.]13, 5.182.36[.]4, and 195.58.48[.]155, which have been tied to the malicious activity; the callback domain oastify[.]com; and the webshell file ckeditr.cfm (SHA256 08D2D815FF070B13A9F3B670B2132989C349623DB2DE154CE43989BB4BBB2FB1).

As cyber threats continue to evolve, staying vigilant and promptly addressing vulnerabilities like the ones found in ColdFusion are crucial for maintaining a secure digital environment. By applying the necessary patches and implementing recommended mitigation strategies, organizations can safeguard their systems from potential attacks.
