Adobe ColdFusion Deserialization Vulnerability

By

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Adobe ColdFusion is a powerful web development platform that enables developers to create dynamic, data-driven websites and applications with ease. ColdFusion Markup Language (CFML) is the programming language behind Adobe ColdFusion, offering a versatile and expressive syntax for writing server-side scripts. CFML combines the simplicity of HTML with the functionality of scripting languages, allowing developers to build web applications faster and more efficiently. Adobe ColdFusion’s robust set of features and integrations, such as support for Java, .NET, and various web services, makes it a popular choice among developers for creating scalable and high-performance web applications.

  Despite its many advantages, Adobe ColdFusion is not immune to security vulnerabilities, one of which is the insecure deserialization vulnerability. Insecure deserialization occurs when an application accepts serialized data from an untrusted source and deserializes it without proper validation or sanitization. This vulnerability can be exploited by attackers to execute arbitrary code, modify application data, or perform other malicious activities. In the context of Adobe ColdFusion, this vulnerability arises due to deserialization of untrusted data when processing HTTP parameters sent to ColdFusion Component (CFC) endpoints.

  A remote, unauthenticated, attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could result in arbitrary code execution in the security context of SYSTEM.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-26360.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.0 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When a request is sent to a CFC endpoint, it is processed by the CFCServlet, which adds the ComponentFilter to the filter chain for both GET and POST requests. The invoke() method checks the cfclient parameter, and if set to “true,” it sets the cfclientCall flag of the FusionContext class to true. The GetArgumentCollection() method then retrieves the arguments from the argumentCollection HTTP parameter, and if its value begins with ‘{‘, it is deserialized using the deserializeJSON() method, which may also be called with the variables HTTP parameter value.

  The deserializeJSON() method results in parseObject(), where, if the cfclientCall flag is set, the convertToTemplateProxy() method is invoked. This method retrieves the metadata JSON property and the classname property within it, which is used to determine the full path to the referenced class file. The resolved file is sent to the resolveFile() method of the TemplateProxyFactory class, leading to the resolveName() method, which generates a ColdFusion page by calling the getCFCInstance() method, and subsequently, the newInstance() method of the TemplateClassLoader class.

  This method retrieves the Java class associated with the file by calling findClass() and fetch() of the TemplateCache class. If not found in the cache, the NeoTranslator class’s translateJava() method is called to obtain the class bytes. The method then creates an instance of TemplateReader, which reads the file header to identify the file type. Based on the header, the translateJava() method loads classes from the Java file or generates a Java class from CFML. The generated class is loaded, instantiated, and returned as a CfJspPage object. The resolveName() method then calls resolveComponentHelper(), which executes any compiled CFML tags on the page.

  An attacker can exploit this vulnerability by sending a crafted request to a valid CFC endpoint with the cfclient parameter set to true and a crafted argumentCollection or variables HTTP parameter containing a JSON object with a metadata property, including a classname property set to a file with attacker-controlled content. This could result in arbitrary code execution in the security context of SYSTEM.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker injects cfexecute tag into the log file. Next, the attacker sends a malicious HTTP request to the vulnerable server. The vulnerability is triggered when the affected software processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 3711 Adobe ColdFusion Remote Code Execution 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Apply proper input validation and sanitization to any deserialized data.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.