Patched ColdFusion Flaw Exposes Applications to Attack

Adobe pushed hotfixes to ColdFusion 11 and 10 installations addressing an XXE vulnerability that can be exploited when the platform processes OOXML documents.

An Adobe ColdFusion vulnerability addressed Tuesday in a hotfix pushed to users put applications developed on the platform at risk of a number of serious issues.

Researcher Dawid Golunski of Legal Hackers today revealed details on the flaw, which he privately disclosed to Adobe, as well as a proof-of-concept of the exploit.

Golunski said that ColdFusion 10 and 11 suffered from an XML External Entities (XXE) injection vulnerability, CVE-2016-4264, when processing certain types of Office Open XML (OOXML) documents. The affected functions, Golunski said, are used by web applications built in ColdFusion to open Word, Excel, PowerPoint and other document types that use an XML structure.

“The vulnerability is caused by an unrestricted XML parser which allows for external XML entities processing when parsing such documents,” Golunski wrote in his advisory. “Depending on the web application’s functionality and the attacker’s ability to supply a malicious document to be processed by a vulnerable ColdFusion application, this vulnerability may potentially be exploited by both low-privileged and unauthenticated remote attackers.”
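The root cause above is an XML parser that honours DOCTYPE and external-entity declarations inside the XML parts of an uploaded OOXML package. One defensive check an application can apply before any such document reaches its parser is shown here as an added Python example (not ColdFusion code and not from Golunski's advisory); it assumes, as is the case for Office-generated files, that legitimate OOXML parts never carry a DOCTYPE declaration, so any DOCTYPE or ENTITY declaration is grounds to reject the upload. The sample documents and the 50 MB part-size limit are constructed for the example.

```python
import io
import re
import zipfile

# Office-generated OOXML parts never contain a DOCTYPE, so its presence (and hence
# any ENTITY declaration) marks a document that should not reach the XML parser.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
MAX_PART_BYTES = 50 * 1024 * 1024  # assumed limit; also guards against decompression bombs


def suspicious_ooxml_parts(package: bytes) -> list[str]:
    """Return names of XML parts in an OOXML zip that declare a DOCTYPE or ENTITY, or are oversized."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.endswith(".xml") or name.endswith(".rels")):
                continue  # media and other binary parts are not parsed as XML
            if info.file_size > MAX_PART_BYTES:
                flagged.append(name)
                continue
            data = zf.read(name)
            if DOCTYPE_RE.search(data) or ENTITY_RE.search(data):
                flagged.append(name)
    return flagged


def build_package(parts: dict[str, bytes]) -> bytes:
    """Build a minimal OOXML-like zip from {part name: content} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign document part, and one whose document part carries a DOCTYPE
# with an external entity pointing at a placeholder URI.
CONTENT_TYPES = b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
CLEAN_DOC = build_package({
    "[Content_Types].xml": CONTENT_TYPES,
    "word/document.xml": b'<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>',
})
TAINTED_DOC = build_package({
    "[Content_Types].xml": CONTENT_TYPES,
    "word/document.xml": b'<?xml version="1.0"?><!DOCTYPE w:document [<!ENTITY ext SYSTEM "file:///placeholder">]><w:document>&ext;</w:document>',
})

if __name__ == "__main__":
    print("clean:", suspicious_ooxml_parts(CLEAN_DOC))      # []
    print("tainted:", suspicious_ooxml_parts(TAINTED_DOC))  # ['word/document.xml']
```

A rejected upload should be logged with the flagged part names, since repeated DOCTYPE-bearing documents from one client are a useful detection signal for attempted XXE.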

An attacker can remotely exploit this vulnerability to read files stored on the ColdFusion server and on network shares, as well as list system directories and carry out server-side request forgery (SSRF) attacks and SMB relay attacks. SSRF attacks are carried out against systems behind the firewall that are not normally reachable from the outside. SMB relay attacks exploit issues in the SMB file-sharing protocol.

Golunski cautioned that attackers could also use this bug to read critical ColdFusion configuration files such as neo-security.xml, password.properties, and neo-datasource.xml, all of which store credential information, including the ColdFusion admin’s password salt and hash and database credentials. An attacker might also be able to access application source code and other sensitive system files, he said.

“Attackers who have gained access to password hashes could then proceed to crack them in order to gain unauthorized access to the databases and ColdFusion administrator panels to fully compromise the target,” Golunski said.

“The ability to read arbitrary files could, for example, let attackers read ColdFusion password hashes including the management console and database credentials,” he added. “This could allow unauthorized access to weakly protected ColdFusion management interfaces and ultimately upload malicious code to compromise the server.”

Adobe rolled out hotfixes to ColdFusion 10 and 11 installations on Tuesday; unlike patches, hotfixes do not require system reboots. ColdFusion 11 Update 9 and earlier along with ColdFusion 10 Update 20 and earlier were affected, Adobe said. Adobe added that ColdFusion 2016 is not affected.

Users should ensure that ColdFusion 11 is current at Update 10, while ColdFusion 10 should be at Update 21.

ColdFusion has been targeted before by hackers, most notably in 2013 when attackers used a ColdFusion zero day to compromise web host Linode. Source code and customer data were accessed in that attack.
