ITS ADVISORY NUMBER:
Multiple Vulnerabilities In Adobe ColdFusion Could Allow Security Bypass
Multiple vulnerabilities have been discovered in Adobe ColdFusion that could permit an unauthorized user to take complete control of an affected system. Adobe ColdFusion is a widely distributed web application platform used for the development of rich internet applications. Successful exploitation could result in an attacker gaining the same privileges as the ColdFusion Administrator, which would provide complete control of the affected server.
- Adobe ColdFusion 9.0.2
- Adobe ColdFusion 9.0.1
- Adobe ColdFusion 9.0
- Adobe ColdFusion 10
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
- Home users: High (if hosting a website using Adobe ColdFusion)
Multiple vulnerabilities have been discovered in ColdFusion that could permit an unauthorized user to remotely circumvent authentication controls, gain access to restricted directories, execute remote code, obtain information from a compromised server and potentially take control of the affected server. The update provided by Adobe resolves the following:
- Adobe ColdFusion contains a flaw that is triggered if RDS is disabled during install but enabled post-install, as this causes the configured password to be unset. This may allow a remote attacker to bypass expected authentication controls and gain administrative access (CVE-2013-0632).
- Adobe ColdFusion contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the CFIDE/componentutils/cfcexplorer.cfc script not properly sanitizing user input, specifically directory traversal sequences supplied via the 'path' parameter when 'method' is set to 'getcfcinhtml' and 'name' is set to 'CFIDE.adminapi.administrator'. This directory traversal attack would allow an attacker to disclose the contents of arbitrary files on the system (CVE-2013-0629).
- Adobe ColdFusion contains a flaw that may lead to unauthorized disclosure of information. The issue is due to an unspecified error, which may allow a remote attacker to gain access to potentially sensitive information from a compromised server (CVE-2013-0631).
- Adobe ColdFusion contains a flaw in the CFIDE/administrator/scheduler/scheduleedit.cfm script when editing scheduled tasks. The issue is triggered because the 'ScheduledURL' variable allows an arbitrary resource to be fetched and saved to the system at the location given by the 'publish_file' variable, and the task can then be scheduled to execute at a set time. With a specially crafted request, a remote attacker can execute arbitrary code (CVE-2013-0625).
Successful exploitation could result in an attacker gaining the same privileges as the ColdFusion Administrator, which would provide complete control of the affected server.
We recommend the following actions be taken:
- Install the updates provided by Adobe immediately after appropriate testing
- Set the password for Remote Development Services (even if RDS is disabled), enable password protection for RDS, and set the Administrator password and enable password protection for Administrator.
- Disable external access to the following directories for all hosted sites:
- Refer to the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide for security best practices and further information on these hardening techniques.
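The advisory names the administrative scripts involved (cfcexplorer.cfc, scheduleedit.cfm) and recommends blocking external access to the CFIDE administrative directories. The following access-log checker, added here as an illustration and not part of the advisory or of Adobe's own tooling, turns those two points into detection logic: it flags requests to the CFIDE administrative paths from addresses outside an internal allowlist (i.e. traffic the recommended lockdown should have blocked), flags directory traversal sequences in any query parameter sent to those paths, and records edits to scheduled tasks for review. The path prefixes, the internal network ranges, the Apache combined log format and the sample log lines are all constructed assumptions for this example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Administrative directories that the advisory says should not be reachable
# externally. Assumed prefixes for this example, derived from the script
# paths the advisory names (adjust to the list in the Lockdown Guide).
RESTRICTED_PREFIXES = (
    "/cfide/administrator/",
    "/cfide/adminapi/",
    "/cfide/componentutils/",
)

# Hypothetical internal ranges that are allowed to reach the administrator.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Apache-style combined log line: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# "../" or "..\" anywhere in a decoded parameter value.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

SCHEDULER_SCRIPT = "/cfide/administrator/scheduler/scheduleedit.cfm"


def is_internal(ip_str):
    """True if ip_str parses as an address inside one of INTERNAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def analyze_line(line):
    """Return a list of finding strings for one log line (empty if benign or unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    ip = m.group("ip")
    parts = urlsplit(m.group("url"))
    path = parts.path
    # Compare case-insensitively: IIS serves /cfide and /CFIDE alike.
    lower_path = path.lower()
    is_admin_path = any(lower_path.startswith(p) for p in RESTRICTED_PREFIXES)

    if is_admin_path and not is_internal(ip):
        findings.append(f"external access to administrative path {path} from {ip}")

    if is_admin_path:
        # parse_qs decodes once; decode again to catch double-encoded "..%252F".
        params = parse_qs(parts.query, keep_blank_values=True)
        for key, values in params.items():
            if any(TRAVERSAL_RE.search(unquote(v)) for v in values):
                findings.append(f"traversal sequence in parameter '{key}' of {path}")

    if lower_path == SCHEDULER_SCRIPT:
        findings.append(f"scheduled task edited via {m.group('method')} from {ip}")
    return findings


def scan_log(text):
    """Analyze every line of a log excerpt; return (line_number, finding) pairs."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for finding in analyze_line(line):
            results.append((lineno, finding))
    return results


# Constructed sample: one benign internal admin visit, one external admin visit,
# one external traversal attempt against cfcexplorer.cfc (placeholder file name),
# one ordinary page request, and one internal scheduled-task edit.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2013:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jan/2013:10:00:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1234
203.0.113.7 - - [10/Jan/2013:10:00:03 +0000] "GET /CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path=..%2F..%2FEXAMPLE_FILE HTTP/1.1" 200 5678
198.51.100.9 - - [10/Jan/2013:10:00:04 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 300
10.0.0.5 - - [10/Jan/2013:10:00:05 +0000] "POST /CFIDE/administrator/scheduler/scheduleedit.cfm HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

Run against the sample, the checker reports four findings: the external administrator visit, two for the cfcexplorer.cfc request (external access plus the traversal sequence), and the scheduled-task edit; the internal administrator visit and the ordinary page request produce nothing. Any hit on the first category after the lockdown is applied means the web server or proxy rule is not actually in force, which is the check worth scheduling rather than running once.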