Critical Adobe ColdFusion flaws chained in ongoing cyber attacks

Two vulnerabilities in the Adobe ColdFusion platform are being actively exploited by threat actors in a series of cyber attacks, apparently after a proof of concept (PoC) for one of them was accidentally released to the public by researchers.

The two vulnerabilities in question are CVE-2023-29298, an access control bypass flaw, and CVE-2023-38203, a remote code execution flaw, and together they seem to be being used to drop web shells on vulnerable ColdFusion instances in the service of enabling further attacks.

However, according to Caitlin Condon of Rapid7, who has been tracking the vulnerabilities and posted new evidence detailing the exploit chain being used late on Monday 17 July, some confusion seems to have arisen over exactly what is going on.

The background to the issue runs thus. On Tuesday 11 July (Patch Tuesday), Adobe released fixes for three bugs in ColdFusion – CVE-2023-29298, CVE-2023-29300 and CVE-2023-29301. Of these, the first had been disclosed to Adobe by Rapid7’s Stephen Fewer and the second by CrowdStrike’s Nicolas Zilio (the third is not relevant to this narrative), but on 14 July, Condon said that Rapid7 began seeing attacks on ColdFusion environments at several of its customers. Based on its observations, the threat actor in question seemed to be chaining CVE-2023-29298 with a second vulnerability.

The behaviour exhibited by the attacker suggested to Rapid7’s observers that the second vulnerability in the chain was CVE-2023-38203, which was fixed by Adobe on Friday 14 July in an out-of-sequence patch after being disclosed by researchers at Project Discovery.

In its patch notes, Adobe said it was also aware a PoC for CVE-2023-38203 had been published. This PoC appears to have been contained in a now-removed 12 July blog post by the Project Discovery team. However, this blog post was billed as being an analysis of CVE-2023-29300.

“It’s highly likely that Project Discovery thought they were publishing an N-day exploit for CVE-2023-29300 in their 12 July blog post,” said Condon. “Adobe [had] published a fix for CVE-2023-29300, which is a deserialisation vulnerability that allows for arbitrary code execution, on 11 July, [but] in actuality, what Project Discovery had detailed was a new zero-day exploit chain.”

What seems to have happened, said Condon, is that the patch for CVE-2023-29300 fixed it by implementing a deny list of classes that can’t be deserialised by the Web Distributed Data eXchange (WDDX) data that forms part of some requests to ColdFusion – most likely because removing WDDX functionality entirely would break a lot of things.

She said that Project Discovery had evidently found a class not on the deny list that could be used as a deserialisation “gadget” to achieve remote code execution – this bypass being CVE-2023-38203, which thus rendered the fix for CVE-2023-29300 null and void.

“The Project Discovery team probably did not realise their discovery was a new zero-day vulnerability and (we assume) took down their blog while Adobe fixed the flaw,” she said.

The 14 July Adobe patch adds one class path to the deny list, thus breaking the exploit chain enabled by CVE-2023-38203.

Condon added that Rapid7 had additionally determined the fix provided for CVE-2023-29298 was incomplete and that a trivially modified exploit still worked against the most up-to-date versions of ColdFusion (that being the version with the 14 July patch applied).

Rapid7 is in dialogue with Adobe to fix the incomplete patch, but fortunately because the exploit chain observed in the wild relies on the second vulnerability to complete, applying the 14 July patch for CVE-2023-38203 will be enough to mitigate the attacks for now.

More technical data on the exploit chain, including indicators of compromise, can be obtained via Rapid7.