Wednesday, November 13, 2024
HomeAdobeHackers Actively Exploit Multiple Adobe ColdFusion Vulnerabilities

Hackers Actively Exploit Multiple Adobe ColdFusion Vulnerabilities

Published on

Malware protection

On July 11, Adobe coordinated with the vendor to fix several ColdFusion vulnerabilities, including CVE-2023-29298.

But it’s been reported that there are two ColdFusion vulnerabilities that hackers are actively exploiting to perform the following illicit tasks:

  • Bypass authentication
  • Remotely execute commands
  • Install webshells on vulnerable servers

Rapid7 detected Adobe ColdFusion exploitation on July 13, with threat actors leveraging “CVE-2023-29298” and a related unpublished vulnerability tracked as “CVE-2023-38203.”

- Advertisement - SIEM as a Service

Active exploitation

Project Discovery mistakenly disclosed an n-day exploit for what they believed to be CVE-2023-29300, but Adobe fixed it in an out-of-band update on July 14.

The CVE-2023-29300 patch blocks specific class deserialization in ColdFusion’s WDDX data, preventing gadget-based attacks without breaking existing dependencies.

The Project Discovery authors identified a functional gadget, leveraging com.sun.rowset.JdbcRowSetImpl can achieve remote code execution as it’s not on Adobe’s Denylist.

Project Discovery unknowingly found a new zero-day flaw, leading Adobe to release an out-of-band patch on July 14, blocking the exploit by denying the classpath:

  • !com[.]sun.rowset.**

Rapid7 found Adobe’s patch for CVE-2023-29298 incomplete since a modified exploit still works in the latest ColdFusion version. While no mitigation exists, updating to the newest version fixing CVE-2023-38203 can prevent observed attacker behavior.

Affected Products

Below, we have mentioned the vulnerable versions of ColdFusion:

  • Adobe ColdFusion 2023 Update 1
  • Adobe ColdFusion 2021 Update 7 and below
  • Adobe ColdFusion 2018 Update 17 and below

Patched versions of ColdFusion

Here below, we have mentioned all the patched versions of ColdFusion:

  • Adobe ColdFusion 2023 Update 2
  • Adobe ColdFusion 2021 Update 8
  • Adobe ColdFusion 2018 Update 18

But all the above-mentioned versions are patched against CVE-2023-338203; they are still vulnerable to CVE-2023-29298.

Rapid7 researchers noticed several POST requests to use this exploit in IIS logs. y were all sent to “accessmanager.cfc.”

POST requests (Source: – Rapid7)

Detection rules

Here below, we have mentioned all the detection rules:

  • Webshell
  • Attacker Technique
  • Attacker Tool
  • Attacker Technique
  • PowerShell
  • Suspicious Process

Mitigation

Moreover, cybersecurity analysts have strongly recommended that all users of Adobe ColdFusion immediately update their version to the latest one and also block the oastify[.]com domain.

Also, consider using the serialfilter.txt file in <cfhome>/lib to denylist packages with deserialization vulnerabilities, as advised in Adobe’s July 14 advisory.

IOCs

IP addresses:

  • 62.233.50[.]13
  • 5.182.36[.]4
  • 195.58.48[.]155

Domains:

  • oastify[.]com
  • ckeditr[.]cfm (SHA256 08D2D815FF070B13A9F3B670B2132989C349623DB2DE154CE43989BB4BBB2FB1)

Latest articles

China-Nexus Actors Hijack Websites to Deliver Cobalt Strike malware

A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community...

Chrome 131 Released with the Fix for Multiple Vulnerabilities

The Chrome team has officially announced the release of Chrome 131 for Windows, Mac,...

Ivanti Warns of Critical Vulnerabilities in Connect Secure, Policy Secure & Secure Access

Ivanti, the well-known provider of IT asset and service management solutions, has issued critical...

Thousands of EOL D-Link Routers Vulnerable to Password Change Attacks

In a critical security disclosure, it has been revealed that thousands of end-of-life (EOL)...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

China-Nexus Actors Hijack Websites to Deliver Cobalt Strike malware

A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community...

Chrome 131 Released with the Fix for Multiple Vulnerabilities

The Chrome team has officially announced the release of Chrome 131 for Windows, Mac,...

Ivanti Warns of Critical Vulnerabilities in Connect Secure, Policy Secure & Secure Access

Ivanti, the well-known provider of IT asset and service management solutions, has issued critical...