Adobe ColdFusion is a rapid web app development platform using a proprietary scripting language CFML (ColdFusion Markup Language). Just a few days ago, on March 14th, Adobe released a security update for ColdFusion patching a couple of vulnerabilities:
- CVE-2023-26359
- CVE-2023-26360
- CVE-2023-26361
On March 15th CISA published an alert regarding CVE-2023-26360, where they referenced NVD’s database entry regarding CVE-2023-26360. Following the link, we find ourselves looking at this:
We went on to try and find the other two records of the patched vulnerabilities, but we kept seeing the above page.
This seemed a bit off as the link in the CISA alert implies that there was a registered entry at some point, seemingly removed afterward. We found some other blog postings as well referencing the NVD’s CVE-2023-26360 nonexistent link, which made us keep looking if there was any mention of these issues elsewhere. At CVE we found out that the pages for these issues were already reserved by a certain CNA (CVE Numbering Authority), but with no further information.
Finally, looking at MITRE, we saw that all 3 vulnerabilities have their entries reserved since the 22nd of February, which is the oldest record of their existence we were able to find.
The philosophical approach to Information Security - Standard practice
Many software companies welcome the public to test the security of their applications with adequate permission and in a controlled environment, but most of them specifically appeal to bounty hunters and testers to privately and securely disclose the bugs they find, rather than disclosing them to the public.
Bruce Schneier’s “utopian” Information Security philosophy.
Not many people agree that secrecy is the best solution regarding public security, especially when the vulnerability has already been exploited in the wild.
Bruce Schneier has made several statements about the importance of transparency in information security. This quote is from his book "Secrets and Lies: Digital Security in a Networked World":
"Security is a process, not a product. It's not something you buy, it's something you do. Information security is about the processes we use to handle risk. It's about confidentiality, integrity, and availability of data. But most of all, it's about trust. And trust is about transparency: not hiding what we're doing."
What we know
Let’s analyze the limited information given out by Adobe in their security bulletin. Adobe claims that the affected versions are ColdFusion 2018 (up to update 15) and ColdFusion 2021 (up to update 5). Sensor Tech Forum, The Hacker News, and Bleeping Computer blogs have published posts saying that ColdFusion 2016 and ColdFusion 11 are also impacted, some even stating that these are zero-day issues, raising the question: does this concern even more people?
We couldn’t verify this information with the official CVE sources or Adobe, so it’s a bit odd that we are kept in the dark by the CNAs. We should have in mind that it is not uncommon for CNAs to “responsibly disclose” the issues, especially if they pose a great threat to the software manufacturer and/or their clients in terms of losing reputation, finances, the integrity of their data, and intellectual knowledge.
Who is protected by silence?
If the claims about ColdFusion 2016 and 11 are true, the users who are still on these versions are destined to pay a buck, as those two products have expired their EoL (End of Life) and won’t be receiving a security update. With such little information, the users of the older versions can’t even hope for a workaround, hotfix, or even advice on how to mitigate the risk of being targeted.
It seems like this “secretive” policy is not really working out, and silence yet again proves not to be the answer.
Going Deep - CVE-2023-26360
As we can only find so little, we had to take what was given. Both CVE-2023-26359 and CVE-2023-26360 are critical vulnerabilities resulting in arbitrary code execution, but we had to pick one. Recently, we posted about the XStream flaw CVE-2021-39144 that had the same Common Weakness Enumeration (CWE-502) as CVE-2023-26359, where we learned that filtering and sanitization of input streams can mitigate the risk of these sorts of mishaps.
Although CVE-2023-26359 has a 9.8 CVSS score, for the purpose of mixing things up, we’ve decided to explore the 8.6 CVSS base score vulnerability CVE-2023-26360, that’s affected by an Improper Access Control (CWE-284). The only concrete data that we have on this vulnerability is its CVSS vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
This is what it means:
- Attack Vector (AV): Network (N):
The vulnerability can be exploited over the network.
- Attack Complexity (AC): Low (L):
The attacker does not require specialized conditions to exploit the vulnerability.
- Privileges Required (PR): None (N):
The attacker does not need any privileges to exploit the vulnerability.
- User Interaction (UI): None (N):
The vulnerability can be exploited without any interaction from the user.
- Scope (S): Changed (C):
The vulnerability can affect the confidentiality of the system, but not its integrity or availability. - Confidentiality (C): High (H):
The vulnerability can result in the disclosure of sensitive information.
- Integrity (I): None (N):
The vulnerability does not affect the integrity of the system. - Availability (A): None (N):
The vulnerability does not affect the availability of the system.
These are the standardized metrics used to score the vulnerabilities. In summary, this vulnerability is considered critical. It can be exploited remotely over the network without any user interaction whatsoever or privileged access and can potentially result in the leakage of sensitive information.
Mitigation
Adobe ColdFusion is typically used in online environments, but it is also possible to use it offline. This can be useful for enterprises that need to develop and test web applications in a controlled environment without the risks and complexities that can arise with online deployments.
On the other hand, some enterprises may choose to use Adobe ColdFusion offline for security reasons and concerns that are the direct result of these vulnerabilities, which also seems like the best advice to give.
Subscribe to be updated on the new content!