Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203)

Attackers are exploiting two Adobe ColdFusion vulnerabilities (CVE-2023-29298, CVE-2023-38203) to breach servers and install web shells to enable persistent access and allow remote control of the system, according to Rapid7 researchers.

Flaws with incomplete fixes

On July 11, 2023, Adobe released security updates for ColdFusion versions  2023, 2021 and  2018 containing fixes for three vulnerabilities:

• CVE-2023-29298, a critical improper access control flaw that could allow attackers to bypass a security feature (reported by Rapid7’s Stephen Fewer)
• CVE-2023-29300, a deserialization of untrusted data that could be exploited for arbitrary code execution (reported by Crowdstrike’s Nicolas Zilio)
• CVE-2023-29301, another security feature bypass vulnerability (reported by Brian Reilly)

At the time, there was no indication that any of them were being exploited in the wild. That all changed on July 13, when, according to Rapid7’s Caitlin Condon, the company’s managed services teams began observing exploitation of Adobe ColdFusion in multiple customer environments.

“Based on available evidence, threat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability. The behavior our teams are observing appears to be consistent with CVE-2023-38203, which was published and then subsequently taken down by Project Discovery circa July 12,” she explained.

“It’s highly likely that Project Discovery thought they were publishing an n-day exploit for CVE-2023-29300. In actuality, what Project Discovery had detailed was a new zero-day exploit chain that Adobe fixed in an out-of-band update on July 14.

Technically, the patch for CVE-2023-29300 was incomplete: Adobe prohibited the deserialization of Web Distributed Data eXchange data, but used an incomplete denylist of Java class paths – and Project Discovery researchers found an exploitable path.

“The Project Discovery team probably did not realize their discovery was a new zero-day vulnerability and (we assume) took down their blog while Adobe fixed the flaw,” Condon noted.

What can enterprise admins do?

Obviously, attackers have seized and leveraged the published exploit for CVE-2023-38203, concatenated it with an exploit for CVE-2023-29298, and went hunting for unpatched servers.

To make matters worse, Rapid7 discovered on Monday that the fix for CVE-2023-29298 is also incomplete, and that a “trivially modified exploit” still works against the latest version of ColdFusion (the one released on July 14).

“There is currently no mitigation for CVE-2023-29298, but the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability for full execution on target systems. Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing,” Condon concluded, and shared IoCs and details about the attackers’ behavior.

It’s likely that Adobe will ship a complete fix for CVE-2023-29298 in the coming days, so admins are advised to keep an eye out for it and implement it quickly.

UPDATE (July 20, 2023, 03:30 a.m. ET):

“Adobe released a fix for the patch bypass of CVE-2023-29298 on July 19 and assigned it CVE-2023-38205. Rapid7 has confirmed the new patch works,” Condon confirmed on Wednesday.