Critical Adobe ColdFusion vulnerability

What is the threat?

CVE-2023-29300 is a deserialization vulnerability rated as critical with a 9.8 severity rating, as it can be used by the threat actors to remotely execute commands on vulnerable ColdFusion 2018, 2021, and 2023 servers. It is considered a low-complexity attack. Attackers can bypass access control in ColdFusion which can lead to remote code execution. The use of specifically crafted POST requests with encoded PowerShell commands allows a threat actor to create a web shell to gain access to an endpoint.

Details of the critical vulnerabilities are listed below:

Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):

Adobe InDesign

Out-of-bounds Write which could allow for arbitrary code execution. (CVE-2023-29308)
Out-of-bounds Read which could allow for a memory leak. (CVE-2023-29309, CVE-2023-29310, CVE-2023-29311, CVE-2023-29312, CVE-2023-29313, CVE-2023-29314, CVE-2023-29315, CVE-2023-29316, CVE-2023-29317, CVE-2023-29318, CVE-2023-29319)

Why is it noteworthy?

The exploitation of this vulnerability can lead to further compromise. Attackers can use the web shell installed via this vulnerability to establish a command and control (C2) which can facilitate future attacks in the network. The exploitation of this vulnerability has already been observed in the wild.

What is the exposure or risk?

Upon a successful exploitation, threat actors can remotely execute commands on endpoints which have Adobe ColdFusion 2018, 2021, or 2023. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users configured with fewer user rights could be less impacted than those who operate on the system with administrative user rights. Improper restriction of excessive authentication attempts could allow for security feature bypass. The most serious issue is a deserialization of untrusted data.

What are the recommendations?

Barracuda MSP recommends the following actions to limit the impact:

Apply software update provided by Adobe to vulnerable systems immediately.
Establish and maintain a vulnerability management process.
Perform automated application patch management on enterprise assets on a monthly, or more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis.
Apply the principle of Least Privilege to all systems and services.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.
Restrict Administrator Privileges to Dedicated Administrator Accounts.
Enable anti-exploitation features on enterprise assets.
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
Establish and maintain a security awareness program. Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.

Categories

Tags

Archives