Critical Access Control Bypass in Adobe ColdFusion: CVE-2023-29298 Exploitation and Mitigation

Executive Summary

CVE-2023-29298 is a high-severity access control bypass vulnerability affecting Adobe ColdFusion. It allows an attacker to reach the ColdFusion Administrator endpoints by inserting an unexpected additional forward slash character in the requested URL. The vulnerability has been actively exploited in the wild, so organizations running Adobe ColdFusion should address it promptly. Exploitation has been reported against organizations across many industries worldwide, with a particular focus on the United States and Europe.

Technical Information

CVE-2023-29298 is a critical flaw in the access control feature of Adobe ColdFusion, which is designed to restrict external access to the ColdFusion Administrator endpoints. The access control feature establishes an allow list of external IP addresses permitted to access these endpoints. When a request originates from an external IP address not present in the allow list, access to the requested resource is blocked.

However, an attacker can bypass this access control by inserting an additional forward slash character in the requested URL. This bypass allows the attacker to access every CFM and CFC endpoint under the ColdFusion Administrator path /CFIDE/, significantly increasing the attack surface. The following cURL command demonstrates how an attacker can exploit this vulnerability to access a restricted endpoint:

curl -v -k 'http://target-server:8500//CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo'

In this example, the double forward slash in the URL path bypasses the access control, allowing the request to complete successfully.
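As an added illustration (not code from this report, Rapid7 or Adobe), the following Python models the flaw as a naive prefix match on the raw request target, shows the canonicalisation a hardened check should perform before deciding (repeated slashes, dot segments, percent-encoding), and runs the same canonicalisation over constructed access-log lines to flag requests that reach /CFIDE/ only after normalisation. The allow list, IP addresses and log lines are constructed, and the check is a simplified stand-in for ColdFusion's real access-control code.

```python
import re
from urllib.parse import unquote
# Illustrative model only: the admin prefix named in the advisory plus a
# constructed allow list of trusted client IPs (not ColdFusion's real config).
RESTRICTED_PREFIX = "/CFIDE/"
ALLOWED_IPS = {"10.0.0.5"}

def is_restricted_naive(target: str) -> bool:
    """Model of the flawed check: '//CFIDE/...' does not start with '/CFIDE/'."""
    return target.startswith(RESTRICTED_PREFIX)

def normalize_path(target: str) -> str:
    """Strip the query, percent-decode, collapse '//' and resolve '.'/'..'."""
    # Split the query off by hand: urlsplit() would read a leading '//' as an authority.
    path = unquote(target.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # an empty segment is exactly the '//' bypass
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    norm = "/" + "/".join(out)
    return norm + "/" if out and path.endswith("/") else norm

def is_restricted(target: str) -> bool:
    """Hardened check: normalise first, then compare case-insensitively."""
    norm = normalize_path(target).upper()
    return norm == RESTRICTED_PREFIX.rstrip("/") or norm.startswith(RESTRICTED_PREFIX)

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jul/2023:10:00:01 +0000] "GET //CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Jul/2023:10:00:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 0',
    '10.0.0.5 - - [11/Jul/2023:10:00:03 +0000] "GET //CFIDE/administrator/index.cfm HTTP/1.1" 200 2048',
    '198.51.100.9 - - [11/Jul/2023:10:00:04 +0000] "GET /cfide/../CFIDE/administrator/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [11/Jul/2023:10:00:05 +0000] "GET /index.cfm HTTP/1.1" 200 100',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def flag_bypass_attempts(log_lines):
    """Non-allow-listed requests that reach the admin prefix only after normalisation."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m[1] not in ALLOWED_IPS and is_restricted(m[2]) and not is_restricted_naive(m[2]):
            hits.append((m[1], m[2]))
    return hits
```

Run against the constructed log, flag_bypass_attempts returns the two requests from untrusted addresses that were shaped to pass the naive check, while the allow-listed client and the request that was correctly blocked with 403 are left alone.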

The impact of this vulnerability includes unauthorized access to the ColdFusion Administrator interface, potential for brute-forcing credentials, leakage of sensitive information, and an increased attack surface, allowing attackers to target other vulnerabilities in exposed CFM and CFC files.

Exploitation in the Wild

Adobe has acknowledged that CVE-2023-29298 has been exploited in the wild in limited attacks targeting Adobe ColdFusion. The exploitation has been observed in conjunction with other vulnerabilities, such as CVE-2023-26360, to achieve remote code execution. By bypassing the access control, an attacker can reach a CFC endpoint and exploit CVE-2023-26360 to read sensitive files or execute arbitrary code.

APT Groups using this vulnerability

No specific APT group has been publicly attributed to exploitation of CVE-2023-29298, but the nature of the vulnerability makes it attractive to advanced persistent threats seeking unauthorized access to sensitive systems. The sectors and countries targeted by such groups span many industries worldwide, with a particular focus on organizations in the United States and Europe.

Affected Product Versions

The affected versions of Adobe ColdFusion include:

- Adobe ColdFusion 2023
- Adobe ColdFusion 2021 Update 6 and below
- Adobe ColdFusion 2018 Update 16 and below

Workaround and Mitigation

Adobe released a fix for this vulnerability on July 11, 2023. The following versions remediate the issue:

- ColdFusion 2023 GA build
- ColdFusion 2021 Update 7
- ColdFusion 2018 Update 17

Organizations using affected versions of Adobe ColdFusion should apply the updates provided by Adobe immediately to mitigate the risk of exploitation. Additionally, organizations should review their access control configurations and ensure that only trusted IP addresses are allowed to access the ColdFusion Administrator endpoints.

References

Rapid7 Blog on CVE-2023-29298: https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/

Adobe Security Bulletin APSB23-40: https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html

MITRE CVE-2023-29298: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29298

Arctic Wolf Blog on CVE-2023-29298: https://arcticwolf.com/resources/blog/cve-2023-29298/

CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Rescana is here for you

At Rescana, we understand the critical importance of staying ahead of emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate vulnerabilities like CVE-2023-29298. We are committed to providing our customers with the tools and insights needed to protect their systems and data. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.
