Adobe has addressed a critical vulnerability in its ColdFusion software, which could have allowed attackers to read files arbitrarily from the system.
The flaw, identified as CVE-2024-20767, has been patched, but the details surrounding the vulnerability shed light on the potential risks to sensitive information.
The vulnerability in question, CVE-2024-20767, was discovered in how Adobe ColdFusion handled file access permissions.
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :
AcuRisQ, which helps you to quantify risk accurately:
Specifically, an issue was found within the ColdFusion component CFIDE/adminapi/_servermanager/servermanager.cfc, which is essentially a conglomerate of multiple bytecode files.
Attackers could exploit this by using the CAFEBABE prefix to split it into multiple bytecode files, thereby bypassing security measures.
A critical class, getHeartBeat, which inherits from UDFMethod and returns an access level of 3 through its getAccess method, was identified as the key to unauthorized access.
This class, due to its configuration in web.xml, could be invoked without proper authorization, leading to arbitrary file system read capabilities.
The vulnerability was further exacerbated by the MonitoringService’s getHeartBeat method, which, oddly enough, outputs the UUID of the ColdFusion.monitor.Configuration.
This UUID could then be used to access the PMSGenericServlet servlet without proper authentication, allowing for even more dangerous actions, such as arbitrary file reads when the module parameter is set to logging or downloading heap dumps if set to heap_dump.
According to a recent tweet by FofaBot, a critical vulnerability in Adobe ColdFusion, identified as CVE-2024-20767, has been discovered.
Adobe’s security bulletin, APSB24-14, published on March 12, 2024, highlights the affected versions of ColdFusion:
All platforms running these versions are at risk. Adobe categorizes this update with a priority rating of 3 and strongly recommends users update their installations to the newest versions to mitigate the risk.
The potential impact of CVE-2024-20767 is significant, as it allows attackers to read sensitive files from the system without authorization.
This could lead to the exposure of confidential information, system configurations, and even credentials stored on the server.
Adobe has not only released patches for ColdFusion but also recommends updating the ColdFusion JDK/JRE LTS version to the latest update release.
It’s crucial to note that applying the ColdFusion update without the corresponding JDK update will not fully secure the server.
For more detailed protection strategies against insecure Wddx deserialization attacks, Adobe directs users to the updated serial filter documentation available at their official support page.
Researchers, including an individual known as “ma4ter,” were credited with discovering CVE-2024-20767. They worked closely with Adobe to address the vulnerability.
Adobe maintains a private, invite-only bug bounty program with HackerOne, encouraging security researchers to report potential vulnerabilities.
As the digital landscape continues to evolve, discovering and patching vulnerabilities like CVE-2024-20767 underscore the importance of proactive security measures and the collaborative effort between software developers and the cybersecurity community.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The U.S. Department of Justice unsealed federal charges Thursday against Russian national Rustam Rafailevich Gallyamov,…
A comprehensive security research demonstration has revealed how attackers can systematically undermine modern zero-trust security…
A cybersecurity threat has emerged targeting one of the world's largest fast-food chains, as a…
The cybersecurity landscape witnessed a significant milestone this February with the emergence of BypassERWDirectSyscallShellcodeLoader, a…
Cybercriminals are increasingly targeting cryptocurrency users through sophisticated malware campaigns that exploit the trust placed…
Cybersecurity researchers have uncovered a sophisticated new formjacking malware campaign targeting WooCommerce-powered e-commerce websites, representing…