Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Weak ACLs in Adobe ColdFusion Allow Privilege Escalation

A newly disclosed vulnerability in Adobe ColdFusion could be exploited by unprivileged users for the execution of arbitrary code with SYSTEM privileges.

The popular commercial web-application development platform uses the CFML scripting language and is mainly used for the creation of data-driven websites.

A newly disclosed vulnerability in Adobe ColdFusion could be exploited by unprivileged users for the execution of arbitrary code with SYSTEM privileges.

The popular commercial web-application development platform uses the CFML scripting language and is mainly used for the creation of data-driven websites.

This week, Will Dormann, a security researcher with Carnegie Mellon University’s CERT Coordination Center (CERT/CC), revealed that the Adobe ColdFusion installer doesn’t create a secure access-control list (ACL) on the default installation directory.

Due to the lack of properly set ACL, any unprivileged user could create files in the platform’s directory structure, which leads to a privilege escalation security flaw.

An unprivileged user on a Windows computer, Dormann explains, could place a specially-crafted DLL file within the installation directory of Adobe ColdFusion, which would result in arbitrary code being executed with SYSTEM privileges. This type of attack is known as DLL hijacking.

Threat actors who have already established a foothold on a Windows machine running a vulnerable ColdFusion installation could target this vulnerability to execute malicious code with elevated privileges.

In the vulnerability note published on CERT/CC’s website, Dormann explains that mitigation steps for the security issue involve the use of the ColdFusion Server Auto-Lockdown installer.

“By default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to installing ColdFusion itself,” he notes.

Mitigations vary depending on the ColdFusion version in use: while auto-lockdown installers are available for ColdFusion 2018 and ColdFusion 2021, users of ColdFusion 2016 will have to apply the changes that Adobe has detailed in the ColdFusion 2016 Lockdown Guide.

Contacted by SecurityWeek, Adobe has confirmed the vulnerability: “Adobe worked with the researcher who brought this matter to our attention and mitigation steps are included within the researcher’s note.”

ColdFusion has long been a target of threat actors, and Adobe has patched at least a handful of vulnerabilities already exploited in attacks, either on Patch Tuesday or with out-of-band updates.

Applying the mitigation steps for the newly discovered vulnerability as soon as possible will help users ensure their systems are not exposed to attacks.

Related: Adobe Releases First Security Updates of 2021 as It Blocks Flash Content

Related: Adobe Patches Flaws in ColdFusion, After Effects, Digital Editions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.