Multiple Adobe ColdFusion flaws exploited in the wild

Threat actors have exploited multiple flaws in Adobe ColdFusion in the wild, according to Rapid7 research published Monday, including a zero-day vulnerability that security vendor Project Discovery inadvertently published last week.

Rapid7's research regards a number of vulnerabilities Adobe disclosed on July 11 for its ColdFusion product, a popular application server first released in 1995. Adobe released updates at the time for three flaws: improper access control flaw CVE-2023-29298 (CVSS score 7.5), deserialization flaw CVE-2023-29300 (CVSS score 9.8) and authentication bypass flaw CVE-2023-29301 (CVSS score 5.9).

On July 13, Rapid7 observed CVE-2023-29298, which the security vendor discovered, being chained with another vulnerability in the wild. That vulnerability, Rapid7 believes, was CVE-2023-38203, a critical deserialization flaw capable of arbitrary code execution (CVSS score 9.8).

CVE-2023-38203 was first published by vulnerability management vendor Project Discovery in a blog post on July 12 that provided a technical analysis and proof-of-concept exploit for CVE-2023-29300. The blog post, which Project Discovery later took down, did not cite CVE-2023-38203. According to a tweet from Project Discovery at the time, the vendor referred to the post as CVE-2023-29300 research.

However, Rapid7 head of vulnerability research Caitlin Condon wrote in Rapid7's Monday post that Project Discovery's research turned out to be a zero-day exploit chain for CVE-2023-38203.

"It's highly likely that Project Discovery thought they were publishing an n-day exploit for CVE-2023-29300 in their July 12 blog post," she wrote. Adobe fixed the new exploit chain in an out-of-band update on July 14.

This likely happened, Condon said, because "the patch for CVE-2023-29300 implements a denylist of classes that cannot be deserialized by the Web Distributed Data eXchange (WDDX) data that forms part of some requests to ColdFusion." She said Project Discovery researchers apparently found a class not on the denylist that could "be used as a deserialization gadget to achieve remote code execution."

"The Project Discovery team probably did not realize their discovery was a new zero-day vulnerability and (we assume) took down their blog while Adobe fixed the flaw," Condon wrote. "On Friday July 14, Adobe published an out-of-band patch for CVE-2023-38203 -- a new deserialization vulnerability. The only thing this patch does is add the class path !com.sun.rowset.** to the denylist, breaking the exploit Project Discovery had published on July 12."

UPDATE: In an email to TechTarget Editorial, Condon said vulnerability research "is often an art as much as a science," and that determining whether a researcher found the exact vulnerability that got patched or not can involve significant guesswork. She also said she doesn't fault Project Discovery for publishing its proof-of-concept exploit for CVE-2023-29300 the day after the vulnerability's public disclosure.

"Threat actors benefit from secrecy around vulnerabilities and attack capabilities; the security community doesn't," Condon said. "The vendor now knows about the bypass for CVE-2023-29300, and while the exact disclosure process there might have been an accident, that certainly doesn't mean it was in bad faith."

Project Discovery has not responded to TechTarget Editorial's request for comment at press time.

The Rapid7 blog also identified a second issue. Condon said the vendor on Monday found that Adobe's July 11 patch for CVE-2023-29298 was incomplete "and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14)."

She said there is no current mitigation for the bypass, but because it requires a second vulnerability to work, patching CVE-2023-38203 via the July 14 update should address the issue.

An Adobe spokesperson told TechTarget Editorial that the company is "aware of the bypass reports" and "currently developing a more comprehensive resolution."

"Our team will release an update as soon as it is available," the spokesperson said.

Alexander Culafi is a writer, journalist and podcaster based in Boston.