New Vulnerabilities Found in Adobe ColdFusion

Security researchers at Rapid7 have discovered multiple vulnerabilities being actively exploited in Adobe ColdFusion, a web development computing platform.

On July 11, 2023, Adobe released patches for several vulnerabilities affecting ColdFusion, including an access control bypass vulnerability (CVE-2023-29298) found by Rapid7, as well as an insecure deserialization vulnerability (CVE-2023-29300) that allowed the execution of arbitrary code.

However, Rapid7 recently confirmed that some of these vulnerabilities are still being exploited days later, and some are incompletely patched. They published their research in a July 17 advisory.

Confusion between two vulnerabilities

The researchers explained that the issue was caused by confusion between two deserialization vulnerabilities.

The July 11 patch for the insecure deserialization vulnerability implements a deny list of classes that cannot be deserialized from the Web Distributed Data eXchange (WDDX) data that forms part of some requests to ColdFusion.

However, researchers at the open source Project Discovery initiative found a workaround using classes not on Adobe’s deny list, which can serve as a deserialization gadget for remote code execution.
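The sketch below is an added illustration, not code from Adobe, Rapid7 or Project Discovery, of why a class deny list fails open for any class it does not name while an allow list fails closed. The packet layout (a `class` attribute on `<struct>`), the class names and both policy lists are constructed assumptions and do not reflect ColdFusion's actual WDDX handling.

```python
import xml.etree.ElementTree as ET

# Constructed policy data: none of these names come from Adobe's patch.
DENY_PREFIXES = ("com.example.legacy.",)  # packages known to be dangerous
ALLOW_CLASSES = frozenset({
    "com.example.model.Invoice",
    "com.example.model.LineItem",
})


def requested_classes(packet: str) -> list[str]:
    """Return every class the packet asks the deserializer to instantiate.

    Assumption: a simplified packet in which <struct class="..."> names the
    class. This is a hypothetical layout used only for this example.
    """
    root = ET.fromstring(packet)
    return [el.get("class") for el in root.iter("struct") if el.get("class")]


def deny_list_permits(name: str) -> bool:
    # Fails open: anything not explicitly listed is accepted.
    return not name.startswith(DENY_PREFIXES)


def allow_list_permits(name: str) -> bool:
    # Fails closed: anything not explicitly listed is refused.
    return name in ALLOW_CLASSES


def rejected(packet: str, permits) -> list[str]:
    """Classes in the packet that the given policy refuses, in document order."""
    return [c for c in requested_classes(packet) if not permits(c)]


# Constructed sample: one expected class, one denied class, one unlisted class.
PACKET = """
<packet>
  <struct class="com.example.model.Invoice">
    <struct class="com.example.legacy.KnownGadget"/>
    <struct class="com.example.other.UnlistedGadget"/>
  </struct>
</packet>
"""

if __name__ == "__main__":
    print("deny list rejects: ", rejected(PACKET, deny_list_permits))
    print("allow list rejects:", rejected(PACKET, allow_list_permits))
```

The deny list refuses only the class it already knows about, so the unlisted class reaches the deserializer; the allow list refuses both.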

They published their findings first, then took them down soon after, on July 12.

Rapid7 believes that “it is very likely that Project Discovery thought they had published an n-day exploit for CVE-2023-29300,” while in fact what Project Discovery was detailing was a new zero-day exploit chain (CVE-2023-38203).

Adobe has released a security update for CVE-2023-38203, but at the time of this writing the CVE record is still in “Reserved” status, meaning a patch is still under review.

Adobe CVE-2023-29298 Patch Incomplete

Additionally, Rapid7 has observed what appear to be threat actors exploiting CVE-2023-29298 in combination with CVE-2023-38203, and found that a slightly modified exploit still works against the latest version of ColdFusion (released July 14), meaning the patch for CVE-2023-29298 is incomplete.

“While there are currently no mitigations for CVE-2023-29298, the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability that runs entirely on the target system. Updating to the latest version of ColdFusion that fixes CVE-2023-38203 also prevents the attacker’s behavior observed by the MDR team,” the advisory states.

Rapid7 has notified Adobe of its findings.


