Adobe Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/adobe/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Two Adobe ColdFusion Vulnerabilities Exploited in The Wild
https://gridinsoft.com/blogs/two-coldfusion-vulnerabilities-exploited/
Tue, 09 Jan 2024 15:56:38 +0000

Two vulnerabilities in Adobe ColdFusion are exploited in real-world attacks, the Cybersecurity & Infrastructure Security Agency (CISA) warns. Both issues are related to the possibility of arbitrary code execution, caused by poor validation of deserialized data. Adobe released patches for both of these vulnerabilities back in mid-July 2023, when they were originally detected.

ColdFusion ACE Vulnerabilities Exploited in Real-World Attacks

On January 8, CISA released its regular notice on newly exploited vulnerabilities, listing among others two flaws in Adobe ColdFusion. Both date from summer 2023, and patches have been available since around that time. Nonetheless, CISA states that they are being exploited, which is hardly surprising given current trends. As both vulnerabilities carry a CVSS score of 9.8, the very fact that they are used in cyberattacks is concerning.

As mentioned in the introduction, both CVE-2023-29300 and CVE-2023-38203 stem from poor validation of deserialized data, leading to arbitrary code execution (ACE). Interestingly, both affect the same run of ColdFusion versions: 2018, 2021 and 2023. By sending a specially crafted data package to a vulnerable ColdFusion server, adversaries can make the server execute code of their choosing. No user interaction is required, which raises the severity of the vulnerabilities even further.

Arbitrary code execution vulnerabilities may serve both as initial access points and as opportunities for lateral movement. The fact that these particular vulnerabilities work as is, without any user input, makes exploitation trivial. And since ColdFusion is a fairly popular application server, a compromised instance often provides a path to something valuable, not to mention how easy it is to find exposed instances.

List of Affected ColdFusion Versions

Vulnerability     Affected ColdFusion versions
CVE-2023-29300    ColdFusion 2018, 2021, 2023
CVE-2023-38203    ColdFusion 2018, 2021, 2023

Adobe ColdFusion Vulnerability Patches & Mitigation

Upon uncovering the vulnerabilities back in June 2023, Adobe released updates that fix these issues. The company urged users to install these patches as soon as possible. There could be no better moment to update than right now, after the official notification about the exploitation. Here is the list of ColdFusion versions that are no longer vulnerable to these exploits:

Version           Fixed in
ColdFusion 2023   Update 1
ColdFusion 2021   Update 7
ColdFusion 2018   Update 17

At the same time, no workarounds or mitigations are available. This was to be expected, as the nature of these vulnerabilities does not allow them to be fixed without changes to the program code itself. In any case, there has been over half a year to update, so looking for makeshift fixes now makes little sense.

Still, it is possible to proactively protect the network against intrusions of any kind. Network Detection and Response (NDR) solutions make it much less likely that malicious traffic will reach your servers. Combined with broader protective solutions such as Extended Detection and Response (XDR), they give you a reliable shield against known threats as well as those yet to be discovered.

Federal Agency Hacked With ColdFusion Vulnerability
https://gridinsoft.com/blogs/federal-agency-hacked-with-coldfusion/
Fri, 08 Dec 2023 10:11:54 +0000

A vulnerability in Adobe’s ColdFusion allowed hackers to breach two public-facing servers at a federal agency. The Cybersecurity and Infrastructure Security Agency (CISA) published a report explaining how it happened.

ColdFusion Vulnerability Exploited to Infiltrate Federal Agency Servers

CISA recently reported that Adobe’s ColdFusion, an application development platform, continues to pose a serious threat to organizations. Even though Adobe patched the CVE-2023-26360 vulnerability in March, CISA disclosed that two public-facing web servers at an undisclosed federal government agency were breached this summer.

The attackers exploited the CVE-2023-26360 vulnerability in the ColdFusion software to penetrate the systems. They deployed malware, including a remote access trojan (RAT), and accessed data through a web shell. The root problem is that the affected servers ran outdated, vulnerable ColdFusion versions. Although Adobe released patches in March, only some users installed them. As a result, the missing updates left an opening for intruders to gain initial access.

Figure: screenshot of the CISA report on the ColdFusion exploitation

Fixed But Still Works

The CVE-2023-26360 flaw in ColdFusion allows arbitrary code execution without user action. Adobe released the patch that fixes the issue back in March 2023. However, as some users do not see the need to install this hotfix, threat actors have persistently exploited the vulnerability on unpatched systems. The flaw affects ColdFusion 2018 Update 15 and earlier, as well as ColdFusion 2021 Update 5 and earlier, including unsupported versions.

Both of the current incidents occurred in June. In the first breach, hackers reached the web server via its IP address and exploited the ColdFusion flaw. They attempted lateral movement, viewed information about user accounts, and performed reconnaissance. In addition, they dropped malicious artifacts, including a RAT that uses a JavaScript loader. Nevertheless, the attack was thwarted before any data was successfully exfiltrated.

In the second incident, the attackers checked the web server’s operating system and ColdFusion version, then inserted malicious code to extract usernames, passwords, and data source URLs. Evidence suggests the activity amounted to network reconnaissance and mapping rather than confirmed data theft. The malicious code hints at what the threat actors may have intended to do with the compromised credentials.

Nice try, but please try again later

According to experts, although the attackers managed to penetrate the target network, they could not do much damage. Their actions included reconnaissance, reviewing user accounts, distributing malware, attempting data exfiltration, and planting code to extract credentials. Eight artifacts were left behind, alongside a modified, publicly available web shell used for remote access.

Although the affected assets were later quarantined, the exposed data included password information that could have enabled deeper pivoting into the network. However, no data theft or movement to other systems was confirmed. It is unclear whether one or multiple actors were responsible for the linked events. One thing is certain, though: even when vendors fix vulnerabilities quickly, users’ negligence in applying the patches lets even low-skilled actors exploit flaws that require no interaction from the target.

Older Vulnerabilities Cause More and More Concerns

Aside from some extreme cases, software developers rarely neglect to patch serious vulnerabilities. Large companies, however, often pay less attention to installing those patches than they should. As this story shows, that applies even to government organizations, and this is what causes concern.

As time goes on, hackers find more and more ways to exploit the same vulnerabilities. While some are patched everywhere or otherwise rendered ineffective, others remain relevant and, worse, exploitable. A surge in exploitation is to be expected after a vulnerability is first disclosed. This is especially true for software commonly used by large corporations, a category most government organizations fall into.

Leaving such vulnerabilities unpatched is effectively an invitation for a hacker to pay your network a visit. In today’s turbulent times, such decisions border on recklessness, if not outright sabotage.

Citrix and Adobe Vulnerabilities Under Active Exploitation
https://gridinsoft.com/blogs/citrix-adobe-vulnerabilities/
Thu, 20 Jul 2023 16:36:50 +0000

Citrix was able to patch a zero-day vulnerability, while Adobe warns of attacks using a ColdFusion zero-day and has released an urgent update that only partially fixes the issue. Nonetheless, the story is not over, as these vulnerabilities are still being exploited.

Citrix and Adobe Patch 0-day Vulnerabilities

At the same time, products of two companies were hit by critical vulnerabilities that allow attackers to remotely execute malicious code. Citrix and Adobe are well known in the software market, so there is no need to introduce them. The vulnerability in Citrix NetScaler has a CVSS score of 9.8 out of 10 and allows code execution without authentication. On July 18, Citrix said it had patched the vulnerabilities. However, attackers have likely had time to exploit them.

Adobe is doing a little worse in this regard. Adobe ColdFusion, a popular server-side scripting platform, faces critical vulnerabilities. They are tracked as CVE-2023-38203, with a severity of 9.8 out of 10, and CVE-2023-29298. They allow an unauthenticated attacker to execute arbitrary code on a vulnerable server. The company soon released a patch that was supposed to fix the vulnerabilities. However, the patch Adobe provided for CVE-2023-29298 on July 11 is incomplete, which means that no effective remedy against CVE-2023-29298 currently exists.

Moreover, experts discovered that the vulnerability Adobe patched a few days earlier was actually CVE-2023-38203 and not CVE-2023-29300. The security company that published this finding made a mistake by unintentionally disclosing a critical zero-day vulnerability to users already dealing with the threat posed by the incomplete patch. Project Discovery quickly took down the disclosure post, and Adobe fixed the vulnerability two days later. Incidentally, CVE-2023-29300 also has a severity rating of 9.8.

Consequences

While estimating the potential damage from these vulnerabilities is impossible, they can be compared to the MOVEit and GoAnywhere vulnerabilities. The former resulted in 357 individual organizations being compromised, while the latter affected over 100 organizations. Both companies have since released patches, so users can only hope the problem will be fully fixed soon.

Figure: Top 10 countries that use Adobe ColdFusion

How to protect against vulnerabilities?

Protecting against vulnerabilities involves adopting proactive cybersecurity measures and practices. Here are some steps you can take to enhance your security:

  • Keep Software Updated. You should regularly update your operating system, applications, and antivirus software. Developers release updates to patch security vulnerabilities, so staying up-to-date is crucial.
  • Use Strong Passwords. Strong passwords will help prevent compromise through brute force. In addition, consider using a password manager to store and manage your passwords securely.
  • Enable Multi-Factor Authentication. Adding MFA (multi-factor authentication) provides an additional layer of security by requiring extra verification (like a code sent to your phone). It presents an additional barrier that intruders often cannot overcome.
  • Use protection solutions. Powerful antivirus software is integral to complementing the above recommendations. In the event of an attempt to infect the system, it will neutralize the threat before it can cause harm.
  • Keep Abreast of Security News. Finally, stay informed about the latest cybersecurity threats and best practices to adapt your defenses accordingly.

Although there is no such thing as 100% protection, implementing these measures can significantly reduce your risk and make it harder for attackers to exploit vulnerabilities.

Flash content will be blocked from January 12, 2021
https://gridinsoft.com/blogs/flash-content-will-be-blocked-from-january-12-2021/
Thu, 10 Dec 2020 21:16:13 +0000

Adobe released the latest Flash update this week and is even more insistent in recommending that users uninstall the app before support ends at the end of this year. Flash content will be blocked a little later.

“In the latest Flash Player update, we updated the language and functionality of the prompts about reinstalling the application to encourage people to uninstall Flash Player before end of service and to help users know that starting January 12, 2021, Adobe will block any Flash content from launching,” the developers say.

Let me remind you that the developers had already warned earlier that they would ask users to remove Adobe Flash from their machines by the end of the year.

The latest update sets the actual date of Flash’s “death”: January 12, 2021, after which no Flash content of any kind will launch inside the application.

Even if users do not bother to uninstall Flash themselves, a few months ago the company added a kind of “time bomb” to the code that will prevent the application from being used in the future.

It is also worth recalling that in October this year, Microsoft already released an update that removes Adobe Flash from all versions of Windows 10 and Windows Server, and also prevents it from being reinstalled on the device.

The “death” of Flash is expected to have minimal impact on the web ecosystem: according to a study by W3Techs, only 2.3% of sites still use Flash, a figure that has decreased significantly in recent years (for example, in 2011, Flash’s market share was 28.5%).

Along with the release of the latest update, Adobe took the time to thank all Flash users and web developers who have been using it in their everyday lives and work for so many years:

We would like to thank all of our customers and developers who have used and created amazing Flash Player content over the past two decades. We are proud that Flash has played a pivotal role in the development of web content in the areas of animation, interactivity, sound and video.

Let me remind you that Windows 7 was also reluctant to leave us: Microsoft released farewell updates for Windows 7 in January 2020, but the My Digital Life forum community found an illegal way to extend support for Windows 7.

On July “Patch Tuesday”, only Microsoft fixed 123 vulnerabilities
https://gridinsoft.com/blogs/on-july-patch-tuesday-microsoft-fixed-only-123-vulnerabilities/
Wed, 15 Jul 2020 16:46:09 +0000

As part of the July Patch Tuesday, Microsoft engineers fixed 123 vulnerabilities in 13 different products. None of them was known to be under attack.

July fell just short of June’s record Patch Tuesday, when 129 vulnerabilities were fixed.

The most serious vulnerability fixed this time is the CVE-2020-1350 problem, also known as SigRed, found as part of the Windows DNS Server. The vulnerability was discovered by Check Point specialists and scored 10 points out of 10 on the CVSSv3 vulnerability rating scale.

Other major issues this month included vulnerabilities that could allow remote code execution that were discovered as part of:

  • RemoteFX vGPU component in the Microsoft Hyper-V hypervisor (CVE-2020-1041, CVE-2020-1040, CVE-2020-1032, CVE-2020-1036, CVE-2020-1042, CVE-2020-1043);
  • Jet Database Engine, included in some Office applications (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407);
  • Microsoft Word (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448);
  • Microsoft Excel (CVE-2020-1240);
  • Microsoft Outlook (CVE-2020-1349);
  • Microsoft Sharepoint (CVE-2020-1444);
  • Windows LNK shortcut files (CVE-2020-1421);
  • various Windows graphics components (CVE-2020-1435, CVE-2020-1408, CVE-2020-1412, CVE-2020-1409, CVE-2020-1436, CVE-2020-1355).

Adobe, in turn, has fixed more than a dozen vulnerabilities in products such as Creative Cloud, Media Encoder, Genuine Service, ColdFusion, and Download Manager.

For instance, in the Windows version of Download Manager, Adobe fixed a critical command injection bug that could lead to arbitrary code execution.

“In Media Encoder for Windows and macOS, two critical out-of-bounds write issues that could also lead to arbitrary code execution were resolved, as well as an out-of-bounds read error that could lead to information disclosure,” Adobe experts report.

A critical vulnerability has also been fixed in the desktop version of Creative Cloud. The problem is with symbolic links, which can allow an attacker to write arbitrary files to the target system. Three other vulnerabilities detected in the application are marked as important and allow increasing privileges in the system.

Two privilege escalation bugs were fixed in Genuine Service, and privilege escalation bugs were also fixed in ColdFusion.

SAP experts advise their users not to forget that, in addition to the recently discovered and extremely dangerous RECON vulnerability in SAP, several other important fixes have been released.

Recent patches include an information disclosure issue in NetWeaver (CVE-2020-6285) and several less dangerous errors in Disclosure Management (CVE-2020-6267), Business Objects (CVE-2020-6281, CVE-2020-6276), NetWeaver AS JAVA (CVE-2020-6282) and Business Objects BI (CVE-2020-6278, CVE-2020-6222).

Patches for other vendors’ products were also released this month, including several updates from VMware, fixes for about a hundred bugs from Oracle (the highest CVSS score being 8.8 for CVE-2016-1000031), and an updated Chrome, in which one critical and seven high-severity flaws were corrected.
