
ColdFusion Hacks Point To Unpatched Systems

Several highly publicized hacks have been linked to unpatched ColdFusion vulnerabilities, collectively leading to more than a million records being stolen.

What do breaches involving the Department of Energy, Washington state's court system and the limousine service CorporateCarOnline have in common? All were apparently running servers with outdated or unpatched versions of Adobe's ColdFusion application server. In at least two of the cases -- and possibly all three -- attackers exploited ColdFusion to access and steal sensitive data stored on those servers.

"ColdFusion-induced breaches are definitely on the rise, which teaches us that hackers and security researchers are looking into this platform more and more as a green field for hacking endeavors," said Barry Shteiman, director of security strategy at Web application firewall vendor Imperva, in a blog post. To date, furthermore, they've enjoyed great success at tapping "auxiliary functionality that is supposed to be used indirectly only by an administrator of the specific system, but in fact can be used by a hacker," he said.

Perhaps that's because hacking outdated versions of ColdFusion is child's play. Earlier this year, for example, a module was published for the open source exploitation framework Metasploit that automatically exploits what the module's author described as "a pile of vulnerabilities in ColdFusion APSB13-03," referring to the hotfix for ColdFusion 9.x and 10 that Adobe released in January. The module chains together an arbitrary command execution bug (which only works against ColdFusion 9.x) with directory traversal and authentication bypass bugs. A successful run yields administrator-level access to the targeted ColdFusion system, which the attacker can then use as a backdoor.

Shteiman placed the blame for those vulnerabilities squarely on Adobe, saying the Metasploit module "uses [an] administrative function that isn't properly hardened within the platform."

At the same time, however, how many of those businesses regularly patched their ColdFusion systems after Adobe released security updates? Besides recommending rapid patching, Shteiman also noted that too many businesses fail to audit their applications, and thus don't know that they should be locking down ColdFusion servers in the first place. "Knowing the platforms that you have -- [and] the platforms that are used by third party companies/solutions that you work with -- is key in understanding your security posture," he said.

For added security, he also recommended using a Web application firewall -- which his company sells -- to add an extra layer of defense that can help identify and block attacks that might otherwise exploit vulnerable servers.
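The chain described above (directory traversal and authentication bypass used to reach administrative functionality) leaves a recognizable trail in web server logs, and knowing which platforms you run is only useful if someone is watching those logs. The following is an added example written for this edit; it is not code from the article, from Imperva or from Adobe. It scans constructed access-log lines for traversal sequences (including double-encoded ones) and for requests to ColdFusion's administrator console and admin API (served under /CFIDE/) from outside an assumed management network (10.0.5.0/24), then reports source addresses that did both, which is the shape of the chained attack the Metasploit module performs. The log lines, the management network and the flagged-path names are all assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Combined-log-format line: client IP, identity, user, [timestamp],
# "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# ColdFusion serves its administrator console and admin API under /CFIDE/;
# those are the administrative functions an attacker goes after once a
# traversal or authentication bypass gives them a way in.
ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")

# Assumption for this example: administrators only reach the console from
# this management network. Replace with the real allowlist; any other
# source address is flagged.
ADMIN_NETS = [ip_network("10.0.5.0/24")]


def normalize(path: str) -> str:
    """Percent-decode twice (catches double-encoded '..') and lower-case the path."""
    for _ in range(2):
        path = unquote(path)
    return path.lower()


def has_traversal(decoded_path: str) -> bool:
    """Directory-traversal indicators: '../', '..\\' or an embedded NUL byte."""
    return "../" in decoded_path or "..\\" in decoded_path or "\x00" in decoded_path


def classify(line: str):
    """Return a finding record for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        src = ip_address(m["ip"])
    except ValueError:
        return None
    path = normalize(m["path"])
    findings = []
    if has_traversal(path):
        findings.append("traversal")
    if path.startswith(ADMIN_PREFIXES) and not any(src in net for net in ADMIN_NETS):
        findings.append("admin_console_from_untrusted_ip")
    return {"ip": str(src), "path": m["path"], "status": int(m["status"]), "findings": findings}


def scan(log_text: str) -> list:
    """Run classify() over every line and keep only the lines with findings."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


def suspicious_sources(hits: list) -> set:
    """Source IPs that both probed with traversal and touched the admin console."""
    seen = {}
    for rec in hits:
        seen.setdefault(rec["ip"], set()).update(rec["findings"])
    return {ip for ip, kinds in seen.items()
            if {"traversal", "admin_console_from_untrusted_ip"} <= kinds}


# Constructed sample log lines (not from any real server); RFC 5737 test addresses.
SAMPLE_LOG = """\
10.0.5.23 - - [14/Nov/2013:09:12:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4321
203.0.113.77 - - [14/Nov/2013:09:13:44 +0000] "GET /CFIDE/administrator/index.cfm?template=..%2f..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 1172
203.0.113.77 - - [14/Nov/2013:09:13:50 +0000] "GET /CFIDE/adminapi/ HTTP/1.1" 200 4321
198.51.100.9 - - [14/Nov/2013:09:14:02 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 8800
198.51.100.9 - - [14/Nov/2013:09:14:03 +0000] "GET /images/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["findings"], rec["path"])
    print("chained-attack sources:", suspicious_sources(scan(SAMPLE_LOG)))
```

Run as a script it prints the three flagged lines and names 203.0.113.77 as the one source that both attempted traversal and reached the console. The first line, a console request from the management network, is deliberately not flagged; the last line shows why the path is decoded twice before matching. This is a detective check for the log side; it does not replace applying the hotfix or restricting the /CFIDE/ paths at the web server.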

As the three breaches highlighted above show, failing to lock down ColdFusion can have devastating repercussions. For example, the attack against Washington state's Administrative Office of the Courts (AOC) servers, which was disclosed in May, resulted in attackers obtaining copies of up to 160,000 Social Security numbers and 1 million driver's license numbers.

Washington state officials have admitted that they could only narrow the timeline of the breach down to sometime between September 2012 and February 2013. That's when the state was tipped off to the breach by an East Coast business that had likewise been exploited via a ColdFusion vulnerability, and which found signs pointing to the state's AOC servers.

At the Department of Energy, meanwhile, an ongoing investigation into a July 2013 ColdFusion hack has found that records on at least 100,000 past and current federal employees, dependents and contractors -- names, Social Security numbers and dates of birth -- were stolen by attackers. That count of breach victims may well continue to climb.

Finally, the breach of CorporateCarOnline hasn't been definitively tied to ColdFusion. But security reporter Brian Krebs reported that the business's site did sport a known ColdFusion vulnerability, meaning that would-be attackers had at least one way in. In that case, the breach resulted in the theft of "more than 850,000 credit card numbers, expiry dates and associated names and addresses," reported Krebs. Some 241,000 of those were tied to high-limit or no-limit credit card accounts that would fetch a tidy sum on cybercrime marketplaces.

Identity theft is of course a concern for people whose information was stolen in those three breaches. But in the case of CorporateCarOnline, at least, the hackers behind that breach appear to have used the stolen data to fashion targeted attacks against some of the limousine and town car service's customers, who included not just high-profile personalities such as basketball player LeBron James and actor Tom Hanks, but also Fortune 500 CEOs and top lawmakers, including House Judiciary Committee Chairman Rep. John Conyers (D-Mich.).

In the stash of stolen data, notably, Krebs found customer records for Kevin Mandia, the chief executive of information security firm Mandiant, which earlier this year blamed an ongoing series of advanced persistent threat attacks on a China-based gang it dubbed APT1.

Mandia said the attack was disguised as a legitimate communication from an unnamed limo company. "I've been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that's awesome," Mandia said last month, reported Foreign Policy.

But it wasn't until Mandia was invoiced for a day that he hadn't used the service that he suspected that the PDF invoices were fakes. "I forwarded them to our security service, and they said, 'Yup, that's got a [malicious] payload,'" he said.
