Update 7/17/23: This article has been updated because Adobe's email notification contained an erroneous warning. However, a newer variant of the bug was observed by Rapid7 as being actively exploited.
Hackers are actively exploiting two ColdFusion vulnerabilities to bypass authentication and remotely execute commands to install webshells on vulnerable servers.
The active exploitation was observed by researchers at Rapid7, who report that threat actors are chaining an exploit for an access control bypass vulnerability (CVE-2023-29298) with what appears to be an exploit for CVE-2023-38203, a critical remote code execution vulnerability.
On July 11, Adobe disclosed a ColdFusion authentication bypass tracked as CVE-2023-29298, discovered by Rapid7 researcher Stephen Fewer, and a pre-authentication RCE vulnerability tracked as CVE-2023-29300, discovered by CrowdStrike researcher Nicolas Zilio.
CVE-2023-29300 is a deserialization vulnerability classified as critical with a severity rating of 9.8 because unauthenticated visitors can use it to remotely execute commands on vulnerable ColdFusion 2018, 2021, and 2023 servers in low-complexity attacks.
Although the vulnerability had not been exploited at the time, a technical blog post published by Project Discovery on July 12, and since removed, contained a proof-of-concept exploit for CVE-2023-29300.
According to the now-deleted Project Discovery blog post, the vulnerability stems from insecure deserialization in the WDDX library.
“In conclusion, our analysis has revealed a significant vulnerability in the WDDX deserialization process in Adobe ColdFusion 2021 (Update 6),” explains the Project Discovery blog post.
“By exploiting this vulnerability, we were able to achieve remote code execution. The problem stemmed from an insecure use of the Java Reflection API which allowed the invocation of certain methods.”
Rapid7 reports that Adobe has addressed this vulnerability by adding a deny list for the Web Distributed Data eXchange (WDDX) library to prevent the creation of malicious gadget chains.
“Adobe is probably unable to completely remove this WDDX feature because that would break everything that depends on it, so instead of disallowing deserialization of WDDX data, they implement a deny list of Java classpaths that cannot be deserialized (so an attacker cannot specify a deserialization gadget located in these classpaths),” explains a Rapid7 report.
On July 14, Adobe released an out-of-band security update for CVE-2023-38203, discovered by Project Discovery.
Rapid7 believes this vulnerability is a bypass of the fix for CVE-2023-29300, with researchers having found a chain of gadgets that can be used to achieve remote code execution.
Adobe’s out-of-band security update extends the deny list again to block a gadget based on the ‘com.sun.rowset.JdbcRowSetImpl’ class, which was the class used in Project Discovery’s PoC exploit.
Unfortunately, while this vulnerability appears to be fixed, Rapid7 says it discovered today that the fix for the CVE-2023-29298 flaw it reported can still be bypassed, so another fix from Adobe should be expected soon.
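As an added illustration of the deny-list approach Rapid7 describes (this is example code written for this article, not Adobe's or Rapid7's implementation), the hypothetical Java class below models the class-name policy of a reflective deserializer such as a WDDX handler and contrasts a deny list with an allow list. The package names in the deny list, the allow-listed data types, and the class and method names are constructed for the example; only com.sun.rowset.JdbcRowSetImpl is taken from the article. It shows why the fix history above looks the way it does: a deny list permits any class it does not name, so every newly reported gadget class needs another list update, whereas an allow list of the plain data types the format actually needs rejects unknown classes by default.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical class-name policy for a reflective deserializer.
 * Written for this article as an illustration; not Adobe's code.
 * Entries ending in '.' are package prefixes, anything else is an
 * exact fully qualified class name.
 */
public final class DeserializationClassPolicy {

    public enum Mode { DENY_LIST, ALLOW_LIST }

    private final Mode mode;
    private final List<String> entries = new ArrayList<>();

    public DeserializationClassPolicy(Mode mode, List<String> initial) {
        this.mode = mode;
        this.entries.addAll(initial);
    }

    /** Extend the policy, as a vendor does when a new gadget class is reported. */
    public void add(String entry) {
        entries.add(entry);
    }

    private boolean matches(String className) {
        for (String e : entries) {
            if (e.endsWith(".") ? className.startsWith(e) : className.equals(e)) {
                return true;
            }
        }
        return false;
    }

    /**
     * A deny list permits everything it does not name; an allow list
     * permits only what it names. This one method is the whole difference.
     */
    public boolean isPermitted(String className) {
        return mode == Mode.ALLOW_LIST ? matches(className) : !matches(className);
    }

    public static void main(String[] args) {
        // Constructed deny list: pretend these packages were blocked by the first fix.
        DeserializationClassPolicy denyList = new DeserializationClassPolicy(
                Mode.DENY_LIST, List.of("example.gadgets.", "example.more.gadgets."));

        // Constructed allow list: only the plain data types a document format needs.
        DeserializationClassPolicy allowList = new DeserializationClassPolicy(
                Mode.ALLOW_LIST, List.of("java.lang.String", "java.util.HashMap", "java.util.ArrayList"));

        // The class the article names as the gadget used after the first fix.
        String laterGadget = "com.sun.rowset.JdbcRowSetImpl";

        // The deny list has no entry for it yet, so the deny list alone cannot reject it;
        // the allow list rejects it simply because it was never listed.
        System.out.println("deny list before update permits " + laterGadget + ": " + denyList.isPermitted(laterGadget));
        System.out.println("allow list permits " + laterGadget + ": " + allowList.isPermitted(laterGadget));

        // The vendor ships an out-of-band update that adds the class by name.
        denyList.add(laterGadget);
        System.out.println("deny list after update permits " + laterGadget + ": " + denyList.isPermitted(laterGadget));

        // Ordinary data types still pass under the allow list, so the format keeps working.
        System.out.println("allow list permits java.util.HashMap: " + allowList.isPermitted("java.util.HashMap"));
    }
}
```

Run it with `javac DeserializationClassPolicy.java && java DeserializationClassPolicy` (Java 9 or later for `List.of`). The point to take away is structural rather than about any one class name: as long as the policy is a deny list, each round of gadget research forces another vendor update, which is exactly the sequence the article records.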
Exploited in attacks
Adobe recommends that administrators ‘lock down’ ColdFusion installations to increase security and provide better defense against attacks.
However, Project Discovery researchers have warned that CVE-2023-29300 (and likely CVE-2023-38203) could be chained with CVE-2023-29298 to bypass lockdown mode.
“To exploit this vulnerability, typically, access to a valid CFC endpoint is required. However, if the default pre-authentication CFC endpoints cannot be accessed directly due to ColdFusion lockdown mode, it is possible to combine this vulnerability with CVE-2023-29298,” concludes Project Discovery’s technical write-up.
“This combination allows remote code execution on a vulnerable ColdFusion instance, even when configured in locked down mode.”
Today, Rapid7 says it began seeing attackers chaining exploits for the CVE-2023-29298 flaw with what appears to be the exploit demonstrated in the Project Discovery blog post on July 13, a day after the technical write-up was published.
Attackers use these exploits to bypass security and install webshells on vulnerable ColdFusion servers to gain remote access to devices.
These webshells were seen in the following folder:
Although Rapid7 states that there is currently no patch to fully fix CVE-2023-29298, the exploit requires a second vulnerability, such as CVE-2023-38203. Therefore, installing the latest version of ColdFusion will prevent the exploit chain.
“Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior that our MDR team observes,” advises Rapid7.
Due to its exploitation in attacks, administrators are strongly advised to upgrade ColdFusion to the latest version to fix the flaw as soon as possible.
07/17/23: Article updated with information from Rapid7 and Adobe indicating that Adobe’s earlier warning that CVE-2023-29300 was being exploited was erroneous.