Volexity recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion, for which no public details or proof-of-concept code exists. In the attack detected by Volexity, a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell. The target server was missing a single update from Adobe that had been released just two weeks earlier. If your organization is running an Internet-facing version of ColdFusion, you may want to take a close look at your server.

On September 11, 2018, Adobe issued security bulletin APSB18-33, which fixed a variety of issues, including an unauthenticated file upload vulnerability. Per the advisory, this vulnerability was assigned CVE-2018-15961 and affects ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). This effectively includes all versions of ColdFusion released over the last four years.

Adobe's ColdFusion web application development platform has historically been a major target of APT groups looking to compromise networks running it. Modern versions of ColdFusion include the WYSIWYG rich text editor CKEditor. In previous versions of ColdFusion, Adobe packaged the older WYSIWYG editor, FCKeditor. It appears that when Adobe decided to replace FCKeditor with CKEditor, they inadvertently introduced an unauthenticated file upload vulnerability. This issue bears surprising similarities to an unauthenticated file upload vulnerability tied to FCKeditor that was identified in ColdFusion in 2009. That older issue was addressed in APSB09-09.

According to APSB18-33, the vulnerability was identified, among other issues, by Foundeo, a company that specializes in ColdFusion development and consulting. Nothing that has been published publicly describes the vulnerability or provides any insight into the issue being tied to CKEditor. Volexity worked with Adobe to verify that the issue being exploited was CVE-2018-15961. At the time of contact, Adobe was not aware of any active exploitation of this vulnerability in the wild. Volexity provided additional details about the attack, and Adobe then quickly escalated the severity of this vulnerability to a Priority 1 issue.

Volexity observed exploitation of this vulnerability approximately two weeks after Adobe released the update. The vulnerability is easily exploited through a simple HTTP POST request to the file upload.cfm, which is not restricted and does not require any authentication. Below is a redacted POST request showing, in part, how the vulnerability was exploited.

```http
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
```

Volexity observed the APT group exploit CVE-2018-15961 in order to upload the JSP version of China Chopper and execute commands on the impacted web server before being cut off.

It should be noted that ColdFusion does attempt to restrict the file types that are allowed for upload via CKEditor in a configuration file called settings.cfm. The relevant (and default) setting in this file prevents the upload of any file whose extension matches the configured list of disallowed extensions. The APT group observed by Volexity identified that Adobe did not include the .jsp file extension in that default configuration, which was problematic because ColdFusion executes .jsp files (which is exactly how the uploaded China Chopper JSP ran). The attackers also identified a directory modification issue through the 'path' form variable that allowed them to change the directory into which uploaded files would be placed. Even if the .jsp file extension had been on the block list, the attackers could have placed another script or executable file somewhere on the system in an attempt to compromise it (likely during startup following reboot). The .jsp file extension was added to the default list of disallowed files during the update from Adobe; the path modification issue was also addressed.

## Possible Criminal Exploitation of CVE-2018-15961

After identifying APT exploitation of CVE-2018-15961, Volexity examined several ColdFusion webservers that were Internet accessible.
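The exploitation path described above (an unauthenticated POST to upload.cfm?action=upload, followed by commands sent to the uploaded JSP webshell) leaves a recognizable trail in ordinary web-server access logs. The following is an added example, not code from the Volexity post or from Adobe: it parses combined-format access-log lines, flags POSTs to the CKEditor file-manager upload handler, and then correlates any later .jsp request from the same client IP, which is how an uploaded China Chopper JSP would be driven. The sample log lines are constructed, and the uploadedFiles directory name in them is hypothetical.

```python
# Added example (not from the Volexity post): scan web-server access logs for
# CVE-2018-15961 exploitation attempts and follow-on JSP webshell activity.
import re
from urllib.parse import urlsplit, parse_qs

# Path of the unauthenticated CKEditor file-manager upload handler named in the post.
UPLOAD_CFM = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm"

# Combined/common log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path.lower()            # case-insensitive path match
    rec["query"] = {k.lower(): v for k, v in parse_qs(url.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def scan(lines):
    """Two-pass scan. Pass 1: POST upload.cfm?action=upload is an exploitation
    attempt. Pass 2: any .jsp request from an IP seen in pass 1 is treated as
    probable webshell interaction. Returns a list of finding dicts."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    findings, uploaders = [], set()
    for r in records:
        if r["method"] == "POST" and r["path"] == UPLOAD_CFM:
            action = r["query"].get("action", [""])[0].lower()
            if action == "upload":
                uploaders.add(r["ip"])
                findings.append({
                    "ip": r["ip"], "ts": r["ts"], "status": r["status"],
                    "rule": "cve-2018-15961-upload-attempt",
                    # HTTP 200 only shows the handler answered; confirm by
                    # looking for new files in the upload directory.
                    "note": "possible success" if r["status"] == 200 else "check response",
                })
    # Caveat: the 'path' form variable that redirects the upload directory is
    # carried in the POST body, which access logs do not record. Seeing it
    # requires WAF/reverse-proxy body logging or a packet capture.
    for r in records:
        if r["path"].endswith(".jsp") and r["ip"] in uploaders:
            findings.append({
                "ip": r["ip"], "ts": r["ts"], "status": r["status"],
                "rule": "jsp-request-after-upload",
                "note": r["path"],
            })
    return findings


# Constructed sample log lines (not real traffic); the uploadedFiles path is hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2018:14:02:11 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.10 - - [25/Sep/2018:14:02:19 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload HTTP/1.1" 200 312
203.0.113.10 - - [25/Sep/2018:14:02:25 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/cfshell.jsp HTTP/1.1" 200 88
198.51.100.7 - - [25/Sep/2018:14:05:40 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/ckeditor.js HTTP/1.1" 200 40211
198.51.100.7 - - [25/Sep/2018:14:05:41 +0000] "GET /CF_SCRIPTS/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample this reports the upload attempt from 203.0.113.10 and its follow-on request to cfshell.jsp, while the GET probe from 198.51.100.7 is not flagged because the handler is only exercised by a POST. The correlation by client IP is deliberately loose: a real investigation should widen the second pass to every .jsp request on a ColdFusion host, since legitimate ColdFusion applications rarely serve .jsp at all.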
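The two weaknesses described in the settings.cfm discussion above are a deny-list that omitted .jsp and a client-controlled 'path' form variable that moved the upload directory. The following added example, which is not ColdFusion's code and does not reproduce the real settings.cfm, contrasts a deny-list check that trusts a caller-supplied directory with an allow-list check that confines every destination under a fixed upload root. The deny-list contents, the UPLOAD_ROOT directory and the function names are illustrative assumptions.

```python
# Added example (not ColdFusion's own code): deny-list plus trusted 'path'
# parameter, beside an allow-list plus confined destination.
import posixpath

# Hypothetical deny-lists in the spirit of the post's settings.cfm. The first
# omits "jsp", which is the gap the attackers used; the second adds it.
DENY_LIST_WITHOUT_JSP = {"cfm", "cfc", "cfml", "exe"}
DENY_LIST_WITH_JSP = DENY_LIST_WITHOUT_JSP | {"jsp"}

# What an editor image/file upload actually needs; everything else is refused.
ALLOW_LIST = {"png", "jpg", "jpeg", "gif", "pdf"}

UPLOAD_ROOT = "/opt/coldfusion/cfusion/wwwroot/uploads"   # hypothetical


def extension(filename):
    """Lower-cased final extension, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def weak_destination(filename, deny_list, path_param=None):
    """Vulnerable pattern: block a few extensions and trust a caller-supplied
    directory as-is. Returns the destination path, or None when rejected."""
    if extension(filename) in deny_list:
        return None
    directory = path_param if path_param else UPLOAD_ROOT
    return posixpath.join(directory, filename)


def hardened_destination(filename, path_param=None):
    """Hardened pattern: allow-list the final extension (servlet containers
    dispatch on it), accept only a bare file name, and confine any optional
    sub-directory under UPLOAD_ROOT after normalisation."""
    if not filename or any(ord(c) < 32 for c in filename):
        return None                                   # control chars / NUL
    if extension(filename) not in ALLOW_LIST:
        return None                                   # .jsp, .sh, .cfm, ... refused
    if posixpath.basename(filename) != filename or filename in (".", ".."):
        return None                                   # no directory components
    sub = posixpath.normpath(posixpath.join(UPLOAD_ROOT, path_param or ""))
    if sub != UPLOAD_ROOT and not sub.startswith(UPLOAD_ROOT + "/"):
        return None                                   # escaped the upload root
    return posixpath.join(sub, filename)


if __name__ == "__main__":
    # The gap the APT group used: .jsp not on the deny-list.
    print(weak_destination("cfshell.jsp", DENY_LIST_WITHOUT_JSP))
    # Even with .jsp blocked, the 'path' variable relocates a script anywhere.
    print(weak_destination("run.sh", DENY_LIST_WITH_JSP, "/etc/init.d"))
    # Hardened: both attempts refused, benign sub-directory upload allowed.
    print(hardened_destination("cfshell.jsp"))
    print(hardened_destination("run.sh", "/etc/init.d"))
    print(hardened_destination("photo.png", "2018/09"))
```

The point of the second function is that the two fixes Adobe shipped (adding .jsp to the list and addressing the path issue) close the observed attack but not the class: a deny-list is only as good as its last entry, whereas an allow-list of the handful of types an editor genuinely needs plus a destination that is normalised and checked against a fixed root removes both the extension and the directory as attacker choices.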