ColdFusion on fire: hackers mix vulnerabilities, bypass patches and install web shells
Why can't Adobe fully fix the problem, and what can be done to protect servers?
Cybercriminals are actively exploiting two zero-day vulnerabilities at once in Adobe ColdFusion to bypass authentication and remotely execute commands, installing web shells on affected servers.
Active exploitation was discovered by researchers from Rapid7, who noticed that attackers chain together an exploit for an access control bypass (CVE-2023-29298) with a critical remote code execution vulnerability (CVE-2023-38203) to make their attacks more effective.
On July 11, Adobe disclosed the ColdFusion authentication bypass vulnerability CVE-2023-29298, discovered by researchers at Rapid7, and a pre-authentication remote code execution vulnerability, CVE-2023-29300, discovered by researchers from CrowdStrike.
CVE-2023-29300 is a deserialization vulnerability rated Critical with a severity score of 9.8, as it could be used by unauthenticated attackers to remotely execute commands on vulnerable ColdFusion 2018, 2021 and 2023 servers in low-complexity attacks.
Although this vulnerability was not being exploited at that time, on July 12 a technical post with a PoC exploit for CVE-2023-29300 was published on the Project Discovery blog; the post was later removed.
Rapid7 researchers say that Adobe promptly fixed this vulnerability by blacklisting the Web Distributed Data eXchange (WDDX) library to prevent the creation of malicious gadget chains.
“Probably Adobe can’t completely remove this WDDX functionality, as it affected many elements that rely on it, so instead of preventing deserialization of WDDX data, Adobe implemented a blacklist of Java class paths that cannot be deserialized (i.e., an attacker cannot point to a deserialization gadget located in those classpaths),” Rapid7 explained.
On July 14, Adobe released an unscheduled security update for the CVE-2023-38203 vulnerability. Rapid7 believes that this vulnerability bypasses the fix for CVE-2023-29300; the researchers even found a suitable chain to achieve remote code execution. Therefore, there is no reason to delay installing the fix.
However, despite the availability of a patch from Adobe for CVE-2023-38203, Rapid7 says that the fix for the CVE-2023-29298 vulnerability it reported can still be bypassed, so another patch from Adobe should probably be expected in the near future.
While Adobe advises administrators to “lock down” ColdFusion installations to increase security and provide better protection against attacks, cybersecurity experts believe that attackers can effectively exploit multiple vulnerabilities in their attacks to bypass Adobe patches.
“This combination allows code to be executed remotely against a vulnerable ColdFusion instance, even if it is configured in lockdown mode,” Project Discovery researchers noted in their since-removed report.
Yesterday, Rapid7 experts stated in the aforementioned report that they have begun to detect attackers combining exploits for the CVE-2023-29298 vulnerability with the PoC exploit that was published by experts from Project Discovery. Hackers are reportedly using these exploits to bypass security and install web shells on vulnerable ColdFusion servers in order to gain remote access to the devices.
Although Rapid7 has stated that there is currently no patch that fully fixes CVE-2023-29298, for the exploit to work a second vulnerability such as CVE-2023-38203 is required. So installing the latest version of ColdFusion will break the exploit chain unless the attackers come up with some new workaround.
Given the real-world exploitation of the vulnerabilities found, system administrators are strongly advised to update their ColdFusion servers to the latest version to fix the vulnerabilities and prevent malicious exploitation.
Source: www.securitylab.ru