The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2013-043

DATE(S) ISSUED:
5/07/2013

SUBJECT:
Multiple Vulnerabilities In Adobe ColdFusion Could Allow Security Bypass

OVERVIEW:

Multiple vulnerabilities have been discovered in Adobe ColdFusion that could permit an unauthorized user to take complete control of an affected system. Adobe ColdFusion is a widely distributed web application platform used for the development of rich internet applications. Successful exploitation could result in an attacker gaining the same privileges as the ColdFusion Administrator, which would provide complete control of the affected server.

SYSTEMS AFFECTED:

  • Adobe ColdFusion 9.0.2
  • Adobe ColdFusion 9.0.1
  • Adobe ColdFusion 9.0
  • Adobe ColdFusion 10

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High (if hosting a website using Adobe ColdFusion)

DESCRIPTION:
Multiple vulnerabilities have been discovered in ColdFusion that could permit an unauthorized user to remotely circumvent authentication controls, gain access to restricted directories, execute remote code, disclose information from a compromised server, and potentially take control of the affected server. The update provided by Adobe resolves the following:

  • Adobe ColdFusion contains a flaw that is triggered if RDS is disabled during install but enabled post-install, as this causes the configured password to be unset. This may allow a remote attacker to bypass expected authentication controls and gain administrative access (CVE-2013-0632).
  • Adobe ColdFusion contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the CFIDE/componentutils/cfcexplorer.cfc script not properly sanitizing user input, specifically directory traversal style attacks supplied via the 'path' parameter when 'method' is set to 'getcfcinhtml' and 'name' is set to 'CFIDE.adminapi.administrator'. This directory traversal attack would allow an attacker to disclose the contents of arbitrary files on the system (CVE-2013-0629).
  • Adobe ColdFusion contains a flaw that may lead to unauthorized disclosure of information. The issue is due to an unspecified error, which may allow a remote attacker to gain access to potentially sensitive information from a compromised server (CVE-2013-0631).
  • Adobe ColdFusion contains a flaw in the CFIDE/administrator/scheduler/scheduleedit.cfm script when editing scheduled tasks. The issue is triggered because the 'ScheduledURL' variable allows specifying an arbitrary resource to be saved to the system at the location given by the 'publish_file' variable, and the task can then be scheduled to execute at a set time. With a specially crafted request, a remote attacker can execute arbitrary code (CVE-2013-0625).

Successful exploitation could result in an attacker gaining the same privileges as the ColdFusion Administrator, which would provide complete control of the affected server.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Install the updates provided by Adobe immediately after appropriate testing.
  • Set the password for Remote Development Services (even if RDS is disabled), enable password protection for RDS, and set the Administrator password and enable password protection for Administrator.
  • Disable external access to the following directories for all hosted sites:
    • /CFIDE/administrator
    • /CFIDE/adminapi
    • /CFIDE/componentutils
  • Refer to the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide for security best practices and further information on these hardening techniques.
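A log check for the issues described above and for the directory restriction recommended here, added as an example that is not part of this advisory or of Adobe's guidance. It assumes Apache-style combined access logs, the constructed sample lines and internal address ranges shown below, and that the three CFIDE directories should only ever be reached from inside the organization.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs, unquote

# Directories the advisory says must not be reachable externally (lowercase for matching).
RESTRICTED_PREFIXES = ("/cfide/administrator", "/cfide/adminapi", "/cfide/componentutils")
# Assumed internal address ranges; replace with your own management networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Combined-format access log: client IP, then "METHOD /path?query HTTP/x", then status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def check_request(client_ip, target):
    """Return findings for one request target; empty list if nothing matches."""
    findings = []
    parts = urlsplit(target)
    path = unquote(parts.path).lower()   # CFIDE is served case-insensitively on Windows
    query = parse_qs(parts.query, keep_blank_values=True)
    if path.startswith(RESTRICTED_PREFIXES) and not is_internal(client_ip):
        findings.append("external access to restricted CFIDE directory")
    # CVE-2013-0629: traversal sequences in the 'path' parameter of cfcexplorer.cfc.
    # parse_qs decodes once; unquote again so double-encoded dots are still caught.
    if path.endswith("/cfide/componentutils/cfcexplorer.cfc"):
        if any(".." in unquote(v) for v in query.get("path", [])):
            findings.append("directory traversal in cfcexplorer.cfc path parameter (CVE-2013-0629)")
    # CVE-2013-0625: a scheduled-task edit that writes a fetched resource to disk.
    if path.endswith("/cfide/administrator/scheduler/scheduleedit.cfm") and "publish_file" in query:
        findings.append("scheduled task edit with publish_file set (review, CVE-2013-0625)")
    return findings

def scan_log(lines):
    """Return a list of (client_ip, target, finding) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, _method, target, _status = m.groups()
            hits.extend((ip, target, f) for f in check_request(ip, target))
    return hits

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/May/2013:10:01:02 -0400] "GET /CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path=..%2F..%2F..%2Fsome%2Ffile HTTP/1.1" 200 5120',
    '10.1.2.3 - - [07/May/2013:10:02:10 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3200',
    '198.51.100.9 - - [07/May/2013:10:03:15 -0400] "GET /cfide/administrator/index.cfm HTTP/1.1" 200 3200',
    '198.51.100.9 - - [07/May/2013:10:04:00 -0400] "GET /index.cfm HTTP/1.1" 200 900',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first line twice (external access plus traversal) and the third line once; the internal request and the ordinary page view are not reported.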

REFERENCES:
Adobe:
http://www.adobe.com/support/security/advisories/apsa13-01.html
http://www.adobe.com/support/security/bulletins/apsb13-03.html

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0631
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0629
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0625
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0632

SecurityFocus:
http://www.securityfocus.com/bid/57330
http://www.securityfocus.com/bid/57166
http://www.securityfocus.com/bid/57165
http://www.securityfocus.com/bid/57164

Deborah A. Snyder

Acting Chief Information Security Officer
