Participant
May 19, 2023
Question

At least one improperly configured Windows service may have a privilege escalation vulnerability.


How do you remediate the below issue after a Tenable scan reports the below

 

Plugin Output:
Path : c:\coldfusion2018\cfusion\bin\coldfusionsvc.exe
Used by services : ColdFusion 2018 Application Server
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swagent.exe
Used by services : ColdFusion 2018 ODBC Agent
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swstrtr.exe
Used by services : ColdFusion 2018 ODBC Server
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\jetty\jetty.exe
Used by services : ColdFusion2018Add-onServices
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\jnbridge\cfdotnetsvc.exe
Used by services : ColdFusion 2018 .NET Service
File write allowed for groups : Authenticated Users (S-1-5-11)


    Participating Frequently
    May 19, 2023


    Based on the Tenable scan report you provided, it appears that the ColdFusion 2018 application server and its associated components have file write permissions allowed for the "Authenticated Users" group (S-1-5-11). This could potentially pose a security risk as it allows any authenticated user on the system to modify these files.

    Community Expert
    May 19, 2023

    The "Authenticated Users" group is a dynamic one, consisting of any user who's successfully authenticated. You can restrict these directories to the CF user account and an administrator.

    Dave Watts, Eidolon LLC

    Charlie Arehart
    Community Expert
    May 19, 2023

    Hey, Dave. In your experience, does that message they showed add that number--in their case, (S-1-5-11)--when displaying it, and when indeed it's the only group of that name (Authenticated Users) on that system?

     

    I'd thought I'd seen that number added when it was not, but I could be confusing matters. 

     

    Anyway, let's all see what the OP may offer. We 3 musketeers have given them plenty to consider.  🙂

     

    Also, Dave, please see a direct message I'd sent within here a couple of days ago. (I often miss them, myself.) 

    /Charlie (troubleshooter, carehart. org)
    Community Expert
    May 19, 2023

    I do know that's the RID (relative identifier) for the "Authenticated Users" group and is used as part of the Windows SID for that group. It's not really a new thing, but because membership is contextual so to speak, most people don't think too much about it. It's a great convenience compared to the Everyone Group or any of the other groups with fixed membership. I don't know which versions of Windows show the SID along with the name of the group or user.

     

    https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids

     

    Also, I did see the DM and got in touch with the person. Thanks!

    Dave Watts, Eidolon LLC

    BKBK
    Community Expert
    May 19, 2023

    Strange. I suspect that something was changed in your ColdFusion 2018 installation.

     

    I say this because, when ColdFusion is installed, the files in the following directories are Read-Only by default:

    • c:\coldfusion2018\cfusion\bin
    • c:\coldfusion2018\cfusion\db\slserver54\bin
    • c:\coldfusion2018\cfusion\jetty
    • c:\coldfusion2018\cfusion\jnbridge

     

    Take the first directory, for example. If you navigate to c:\coldfusion2018\cfusion\, right-click on bin and select Properties, you should see something like:

     

    Charlie Arehart
    Community Expert
    May 19, 2023

    You'd want to identify the group (S-1-5-11) and its users, and decide whether to remove its permissions from that folder--or remove the group if it's some old unneeded one (the name seems unusual).

     

    The only user that needs write access to that folder is the user running the CF ODBC services (viewable in the Windows Services panel), which by default is the System account (and which has write permission by default). 

    /Charlie (troubleshooter, carehart. org)
    Participant
    May 19, 2023

    Can I remove the authenticated users and then add Local system? Will that break anything?

    Community Expert
    May 19, 2023

    That should work fine, assuming CF and related services are running in the Local System security context.

     

    Dave Watts, Eidolon LLC
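The audit and the fix the replies describe (find which groups can write to the flagged service binaries and their folders, confirm which account the services run as, then strip Authenticated Users and leave SYSTEM and Administrators in control), as an added PowerShell example. This is not code from the thread, from Tenable, or from Adobe. It assumes the five paths from the scan output, matches groups by the well-known SIDs the plugin prints (S-1-5-11 for Authenticated Users) rather than by display name, and follows Dave's caveat: it only makes sense if the services run as Local System; if they run under a dedicated account, add that account before applying.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the thread: audit service binaries flagged as writable by broad
# groups, then tighten their ACLs to SYSTEM + Administrators. Run as-is to report only; the
# remediation loop at the bottom uses -WhatIf, remove it to apply the change.

# Paths taken from the Tenable plugin output quoted in the question.
$ServiceBinaries = @(
    'c:\coldfusion2018\cfusion\bin\coldfusionsvc.exe',
    'c:\coldfusion2018\cfusion\db\slserver54\bin\swagent.exe',
    'c:\coldfusion2018\cfusion\db\slserver54\bin\swstrtr.exe',
    'c:\coldfusion2018\cfusion\jetty\jetty.exe',
    'c:\coldfusion2018\cfusion\jnbridge\cfdotnetsvc.exe'
)

# Groups that must never be able to modify a service binary or the folder holding it.
$BroadSids = @(
    'S-1-5-11',      # Authenticated Users (the group named in the scan output)
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-1-0'        # Everyone
)
$SystemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM
$AdminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators

# Any of these rights lets the holder replace or alter the file (or, on a folder, swap the file out).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceForBinary {
    param([Parameter(Mandatory)][string]$Path)
    # Reproduce the scan's "Used by services" line and show the account the service runs as;
    # that account (LocalSystem by default for ColdFusion) is the one that must keep access.
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName.TrimStart('"').StartsWith($Path, 'OrdinalIgnoreCase')
    } | Select-Object Name, StartName, State
}

function Get-BroadWriteAces {
    param([Parameter(Mandatory)][string]$Path)
    # Return every Allow ACE that grants a write-class right to one of the broad groups.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (($BroadSids -contains $sid) -and ([int]($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True means the fix belongs on the parent folder too
            }
        }
    }
}

function Set-ServiceBinaryAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # The broad ACE is usually inherited from the parent folder. Break inheritance while copying the
    # current rules so nothing else changes, write it back, and re-read: inherited rules cannot be
    # removed until they have been persisted as explicit ones.
    if (-not $acl.AreAccessRulesProtected) {
        if ($PSCmdlet.ShouldProcess($Path, 'Disable ACL inheritance (keep a copy of current rules)')) {
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $Path -AclObject $acl
            $acl = Get-Acl -LiteralPath $Path
        }
    }
    foreach ($sidString in $BroadSids) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $sidString
        if ($PSCmdlet.ShouldProcess($Path, "Remove all ACEs for $sidString")) {
            $acl.PurgeAccessRules($sid)
        }
    }
    # Make sure the accounts that must keep control still have it after the purge.
    foreach ($sid in @($SystemSid, $AdminsSid)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'Allow')
        $acl.SetAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Write tightened ACL')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# 1. Report: which service uses each binary, who runs it, and which broad groups can write to it.
$findings = foreach ($exe in $ServiceBinaries) {
    if (-not (Test-Path -LiteralPath $exe)) { Write-Warning "Not found: $exe"; continue }
    Get-ServiceForBinary $exe | ForEach-Object { Write-Host "$exe -> service '$($_.Name)' runs as $($_.StartName)" }
    Get-BroadWriteAces $exe
    Get-BroadWriteAces (Split-Path -Parent $exe)   # the folder matters too: delete + create replaces the file
}
$findings | Format-Table -AutoSize

# 2. Remediate the flagged binaries. Preview only; drop -WhatIf to apply.
foreach ($exe in $ServiceBinaries) {
    if (Test-Path -LiteralPath $exe) { Set-ServiceBinaryAcl -Path $exe -WhatIf }
}
```

If the report shows Inherited = True, the offending ACE comes from a parent directory (BKBK's point that the install directories are read-only by default suggests something loosened them later), so also review the folder ACL rather than only the file. If any service's StartName is not LocalSystem, add a FullControl rule for that account next to the SYSTEM and Administrators rules before applying, or the service will lose the access Charlie describes.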