The latest cybersecurity threat advisory highlights vulnerabilities affecting Adobe ColdFusion versions 2018, 2021, and 2023, which are actively being exploited by threat actors in the wild. A successful exploitation can lead to arbitrary code execution and security feature bypass. Barracuda MSP recommends upgrading ColdFusion to the latest version.
What is the threat?
CVE-2023-29300 is a deserialization vulnerability rated as critical with a 9.8 severity rating, as it can be used by the threat actors to remotely execute commands on vulnerable ColdFusion 2018, 2021, and 2023 servers. It is considered a low-complexity attack. Attackers can bypass access control in ColdFusion which can lead to remote code execution. The use of specifically crafted POST requests with encoded PowerShell commands allows a threat actor to create a web shell to gain access to an endpoint.
Details of the critical vulnerabilities are listed below:
Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):
- Out-of-bounds Write which could allow for arbitrary code execution. (CVE-2023-29308)
- Out-of-bounds Read which could allow for a memory leak. (CVE-2023-29309, CVE-2023-29310, CVE-2023-29311, CVE-2023-29312, CVE-2023-29313, CVE-2023-29314, CVE-2023-29315, CVE-2023-29316, CVE-2023-29317, CVE-2023-29318, CVE-2023-29319)
Why is it noteworthy?
The exploitation of this vulnerability can lead to further compromise. Attackers can use the web shell installed via this vulnerability to establish a command and control (C2) which can facilitate future attacks in the network. The exploitation of this vulnerability has already been observed in the wild.
What is the exposure or risk?
Upon a successful exploitation, threat actors can remotely execute commands on endpoints which have Adobe ColdFusion 2018, 2021, or 2023. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users configured with fewer user rights could be less impacted than those who operate on the system with administrative user rights. Improper restriction of excessive authentication attempts could allow for security feature bypass. The most serious issue is a deserialization of untrusted data.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact:
- Apply software update provided by Adobe to vulnerable systems immediately.
- Establish and maintain a vulnerability management process.
- Perform automated application patch management on enterprise assets on a monthly, or more frequent, basis.
- Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis.
- Apply the principle of Least Privilege to all systems and services.
- Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.
- Restrict Administrator Privileges to Dedicated Administrator Accounts.
- Enable anti-exploitation features on enterprise assets.
- Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Block unnecessary file types attempting to enter the enterprise’s email gateway.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
- Establish and maintain a security awareness program. Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.