Highlighted

ColdFusion zero day exploit?

LEGEND ,
Feb 13, 2019

Copy link to clipboard

Copied

(Raises hand)

Can anyone, here, tell me about the most recently discovered CF zero day exploit?

I'm not an admin, but I've been coding CF since late 2000 and am curious about what is known about this most recent exploit.

V/r,

^ _ ^

Views

551

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

ColdFusion zero day exploit?

LEGEND ,
Feb 13, 2019

Copy link to clipboard

Copied

(Raises hand)

Can anyone, here, tell me about the most recently discovered CF zero day exploit?

I'm not an admin, but I've been coding CF since late 2000 and am curious about what is known about this most recent exploit.

V/r,

^ _ ^

Views

552

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Feb 13, 2019 0
Adobe Community Professional ,
Feb 13, 2019

Copy link to clipboard

Copied

I don't really follow CF exploits that closely, but the last one I remember is one that allows file uploading through CKEditor. Rich-text editors are just generally more likely to be vulnerable to all sorts of stuff because of the complexity of what they do. My recommendation would just be to keep untrusted users away from being able to even access rich-text editors. This is done through network access controls and user authentication/authorization.

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Feb 13, 2019 0
LEGEND ,
Feb 13, 2019

Copy link to clipboard

Copied

Hi, Dave,

We already strip out all HTML in any user input forms we have.  But I heard that a new zero day exploit in CF was announced, this morning, and I'm trying to learn about it.

V/r,

^ _ ^

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Feb 13, 2019 0
Adobe Community Professional ,
Feb 13, 2019

Copy link to clipboard

Copied

Well, stripping out HTML from user input might not be enough if a malicious user can upload a file via MIME, and again a lot of the CF vulnerabilities I've seen have actually been CKEditor vulnerabilities. But taking a look at the Adobe security bulletin, it tells me there are four CVE numbers for arbitrary code execution due to deserialization of untrusted data, and that could come from any incoming request I suspect. That's always a bad thing. There are also CVE numbers for arbitrary code execution via unrestricted file upload (like I described with CKEditor but I suppose it could be something else) and arbitrary file overwrite via "use of a component with a known vulnerability". Those are all critical vulnerabilities, but there are a couple more important and moderate vulnerabilities there as well.

Each of these has a CVE number, and you can look them up in the CVE database:

CVE -Common Vulnerabilities and Exposures (CVE)

From there, there are typically links to other sites to tell you more about the specific vulnerability in question. That said, they don't usually give you a sample exploit or anything like that, they just describe the problem in more detail sometimes.

It looks like a lot of them may require an update to the JVM, so perhaps some of the vulnerabilities are themselves in the older JVMs.

Finally, in a properly configured environment, you may find that these vulnerabilities don't affect you. The best way to get to that properly configured environment generally is to follow the lockdown guides from Adobe. The auto-lockdown feature in CF 2018 has had some problems, so you might not want to go that way, but you'll find that most of the lockdown information in the previous guide for CF 2016 is still useful.

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Feb 13, 2019 1
LEGEND ,
Feb 14, 2019

Copy link to clipboard

Copied

Thanks for all the info, Dave.  I'm checking the link as soon as I'm done with this reply.

Working for USG DoD, not only do we follow the lockdown guide, we take it further.  Stripping out HTML is just one step.  We do not have any forms that allow file upload on public-facing pages, period.  And there are other things I'm not allowed to discuss.

Anyhoo.. I'm off to check that CVE database.  Thank you, again, for that link.


V/r,

^ _ ^

UPDATE:  Also, we do NOT use CKEditor or any other RTF enabled form fields.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Feb 14, 2019 0
Adobe Community Professional ,
Feb 14, 2019

Copy link to clipboard

Copied

One thing I'd recommend is to use a reverse proxy environment. I recommend this all the time but no one listens. This doesn't make things completely secure - that is impossible - but it significantly improves security at a fairly minimal cost of complexity and effort.

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Feb 14, 2019 0
Enthusiast ,
Feb 14, 2019

Copy link to clipboard

Copied

Are you talking about this: Adobe Security Bulletin APSB19-10 ?

If so that is not technically a zero-day unless it was being exploited before the patch was released, I didn't hear that was the case, but maybe you heard something I didn't.

I found one of those vulnerabilities in the hotfix, so I do know the details of it, but I don't usually post details publicly (even when patches exist). Feel free to email me, my first name (4 letters) at foundeo.com

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Feb 14, 2019 0
LEGEND ,
Feb 14, 2019

Copy link to clipboard

Copied

I cannot say with authority as to what specific vulnerability, but the tech who mentioned it to me, yesterday, did mention something about deserialization, so the link you provided could be it.  Thank you for the link.  I'll cross-reference those CVE numbers to the database link that Dave provided and get the details on them.

Thanks for the link.

V/r,

^ _ ^

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Feb 14, 2019 0
LEGEND ,
Feb 14, 2019

Copy link to clipboard

Copied

Well.. how do you like that?    The CVE database hasn't been updated, yet.  Those numbers still show as RESERVED.

SMH

V/r,

^ _ ^

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Feb 14, 2019 0