On July 11, Adobe coordinated with the vendor to fix several ColdFusion vulnerabilities, including CVE-2023-29298.
But it’s been reported that there are two ColdFusion vulnerabilities that hackers are actively exploiting to perform the following illicit tasks:
- Bypass authentication
- Remotely execute commands
- Install webshells on vulnerable servers
Rapid7 detected Adobe ColdFusion exploitation on July 13, with threat actors leveraging “CVE-2023-29298” and a related unpublished vulnerability tracked as “CVE-2023-38203.”
Active exploitation
Project Discovery mistakenly disclosed an n-day exploit for what they believed to be CVE-2023-29300, but Adobe fixed it in an out-of-band update on July 14.
The CVE-2023-29300 patch blocks specific class deserialization in ColdFusion’s WDDX data, preventing gadget-based attacks without breaking existing dependencies.
The Project Discovery authors identified a functional gadget, leveraging com.sun.rowset.JdbcRowSetImpl can achieve remote code execution as it’s not on Adobe’s Denylist.
Project Discovery unknowingly found a new zero-day flaw, leading Adobe to release an out-of-band patch on July 14, blocking the exploit by denying the classpath:
- !com[.]sun.rowset.**
Rapid7 found Adobe’s patch for CVE-2023-29298 incomplete since a modified exploit still works in the latest ColdFusion version. While no mitigation exists, updating to the newest version fixing CVE-2023-38203 can prevent observed attacker behavior.
Affected Products
Below, we have mentioned the vulnerable versions of ColdFusion:
- Adobe ColdFusion 2023 Update 1
- Adobe ColdFusion 2021 Update 7 and below
- Adobe ColdFusion 2018 Update 17 and below
Patched versions of ColdFusion
Here below, we have mentioned all the patched versions of ColdFusion:
- Adobe ColdFusion 2023 Update 2
- Adobe ColdFusion 2021 Update 8
- Adobe ColdFusion 2018 Update 18
But all the above-mentioned versions are patched against CVE-2023-338203; they are still vulnerable to CVE-2023-29298.
Rapid7 researchers noticed several POST requests to use this exploit in IIS logs. y were all sent to “accessmanager.cfc.”
Detection rules
Here below, we have mentioned all the detection rules:
- Webshell
- Attacker Technique
- Attacker Tool
- Attacker Technique
- PowerShell
- Suspicious Process
Mitigation
Moreover, cybersecurity analysts have strongly recommended that all users of Adobe ColdFusion immediately update their version to the latest one and also block the oastify[.]com domain.
Also, consider using the serialfilter.txt file in <cfhome>/lib to denylist packages with deserialization vulnerabilities, as advised in Adobe’s July 14 advisory.
IOCs
IP addresses:
- 62.233.50[.]13
- 5.182.36[.]4
- 195.58.48[.]155
Domains:
- oastify[.]com
- ckeditr[.]cfm (SHA256 08D2D815FF070B13A9F3B670B2132989C349623DB2DE154CE43989BB4BBB2FB1)
