Adobe Fixes ColdFusion Zero-Day - Again
Rework of Previous Update Available for ColdFusion Versions 2023, 2021 and 2018
Adobe released a fresh out-of-band security update to patch an improperly fixed ColdFusion zero-day vulnerability being actively exploited in the wild that allows attackers to bypass security controls. The update includes fixes for two other critical vulnerabilities.
The critical zero-day, tracked as CVE-2023-38205, with a CVSS score of 7.5, is an instance of improper access control that results in a security bypass. "Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," Adobe's security bulletin says.
The zero-day affects the following versions:
- ColdFusion 2023 - Update 2 and earlier versions
- ColdFusion 2021 - Update 8 and earlier versions
- ColdFusion 2018 - Update 18 and earlier versions
The Incomplete Fix
CVE-2023-38205 is a patch bypass for the incomplete fix for CVE-2023-29298, a ColdFusion authentication bypass discovered on July 11 by Rapid7 researcher Stephen Fewer.
Attackers used an exploit chain that capitalized on CVE-2023-29298 in the first part of the exploit and then used CVE-2023-29300/CVE-2023-38203 vulnerabilities to drop and run web shells on vulnerable ColdFusion servers to gain remote access to devices (see: Security Alert: Exploit Chain Actively Hits ColdFusion).
Adobe released an emergency patch to fix this vulnerability, but Rapid7 researchers determined on Monday that the fix was incomplete, and the company said in its security blog that a trivially modified exploit still worked against the latest version.
Rapid7 on Wednesday tested the latest patch bypass for CVE-2023-29298 and "has confirmed that the new patch works."
The security update also addressed two other flaws. The first is a critical deserialization vulnerability, CVE-2023-38204, which has a CVSS score of 9.8 and could lead to remote code execution. The second is another improper access control bug, tracked as CVE-2023-38206, which could also lead to a security bypass but is not known to have been exploited in the wild; it is a moderate-severity bug with an average CVSS score of 5.3.