Security researchers from Rapid7 have found active exploitation of multiple vulnerabilities in Adobe ColdFusion, a web development computing platform.
On July 11, 2023, Adobe released patches for several vulnerabilities affecting ColdFusion, including a Rapid7-discovered access control bypass vulnerability (CVE-2023-29298) and an insecure deserialization vulnerability allowing arbitrary code execution (CVE-2023-29300).
However, Rapid7 has recently observed that some of these vulnerabilities were still being exploited several days later and that some patches were incomplete. They published their research in an advisory on July 17.
Confusion Between Two Vulnerabilities
The researchers explained that the issue was due to confusion between two deserialization vulnerabilities.
The July 11 patch for the insecure deserialization vulnerability implemented a denylist of classes that cannot be deserialized by the Web Distributed Data eXchange (WDDX) data that forms part of some requests to ColdFusion.
However, researchers from the open-source Project Discovery initiative found a workaround that uses a class not on Adobe’s denylist, which can serve as a deserialization gadget to achieve remote code execution.
Rapid7 believes that “it’s highly likely that Project Discovery thought they were publishing an n-day exploit for CVE-2023-29300 [while], in actuality, what Project Discovery had detailed was a new zero-day exploit chain,” CVE-2023-38203.
Adobe published a security update for CVE-2023-38203, but the CVE record is still in the ‘reserved’ state at the time of writing, meaning the patch is still under review.
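The bypass described above is the classic weakness of a denylist-based deserialization filter: any class the vendor did not think to list passes through. The following example, added here and not part of Rapid7's advisory or Adobe's code, shows that failure mode on a constructed, simplified WDDX-like packet. The `type` attribute on `struct` elements stands in for the class a deserializer would instantiate, the class names are placeholders, and the two policy functions are illustrative rather than ColdFusion's actual filter.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified WDDX-like packet (not a real ColdFusion request).
# The 'type' attribute models a declared deserialization target class.
# All class names below are placeholders, not real gadget classes.
SAMPLE_PACKET = """<wddxPacket version='1.0'>
  <header/>
  <data>
    <struct type='com.example.KnownBadGadget'>
      <var name='x'><string>1</string></var>
    </struct>
    <struct type='com.example.UnlistedGadget'>
      <var name='y'><string>2</string></var>
    </struct>
    <struct>
      <var name='z'><string>3</string></var>
    </struct>
  </data>
</wddxPacket>"""

# A denylist names the classes known to be dangerous at patch time.
DENYLIST = frozenset({"com.example.KnownBadGadget"})

# An allowlist names only the classes the application legitimately needs.
ALLOWLIST = frozenset({"com.example.PlainRecord"})


def declared_classes(packet):
    """Return every class name a packet asks the deserializer to instantiate.

    Plain untyped structs carry no class and are skipped. In production,
    parse untrusted XML with a hardened parser (e.g. defusedxml) instead.
    """
    root = ET.fromstring(packet)
    return [el.get("type") for el in root.iter("struct") if el.get("type")]


def denylist_decision(cls):
    """Denylist policy: fails open, anything not explicitly listed is accepted."""
    return cls not in DENYLIST


def allowlist_decision(cls):
    """Allowlist policy: fails closed, anything not explicitly listed is rejected."""
    return cls in ALLOWLIST


def screen(packet, policy):
    """Map each declared class to True (accepted) or False (rejected) under a policy."""
    return {cls: policy(cls) for cls in declared_classes(packet)}


if __name__ == "__main__":
    for name, policy in (("denylist", denylist_decision), ("allowlist", allowlist_decision)):
        print(name, screen(SAMPLE_PACKET, policy))
```

Under the denylist policy the unlisted placeholder class is accepted, which is exactly the gap the article describes; under the allowlist policy both untrusted classes are rejected without anyone having to know about them in advance. When a denylist is the only option a vendor offers, defenders should treat each new patch as a candidate for the same bypass and keep the dependent mitigation (here, patching CVE-2023-38203) in place.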
Adobe CVE-2023-29298 Patch Incomplete
Moreover, Rapid7 observed that threat actors appear to be exploiting CVE-2023-29298 in conjunction with CVE-2023-38203 and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14), meaning that the patch for CVE-2023-29298 is incomplete.
“There is currently no mitigation for CVE-2023-29298, but the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability for full execution on target systems. Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing,” reads the advisory.
Rapid7 has notified Adobe of its findings.