Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications. Some versions of SecureSphere WAF are affected by a vulnerability that could allow an attacker to bypass WAF rules that inspect POST data and subsequently exploit flaws in protected web applications that would otherwise be blocked.
Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT: https://jeva.cc/2973.html
It's a great finding with an interesting two-step exploit process that combines obtaining a server UUID value from a CFAdmin API endpoint and then using that UUID to access a PMSGenericServlet module (part of the Performance Monitoring Toolset) that can be abused to read local files.
Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions. It's worth a read to understand what an attacker could do after compromising a Lucee Admin interface to execute arbitrary code and maintain persistence. Admin interfaces gonna admin -- especially in the case of unauthorized admin access -- and monitoring for any changes in extensions, scheduled jobs, and other sensitive configuration settings is an important detection strategy. This is also a good reminder why you want very strict access control for Lucee Admin, or may want to consider disabling it altogether.
Next Tuesday is Adobe Patch Tuesday. Will there be new ColdFusion security updates? I have no idea. But even if there are no new patches released, and your ColdFusion servers already have the latest updates installed, you may still be missing an important step in keeping them secure.
I recently saw a ColdFusion question about verifyClient and remote CFC functions. I already have strong opinions about why you don't want to use remote CFC functions, but I was unfamiliar with verifyClient. That led me to take a look at how it works and I thought it was interesting enough to write about.
Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS). Their blog post is a must-read, and I'm not going to rehash their steps from research to discovery to exploitation. Instead, I'm going to look at these vulnerabilities through a defensive lens.
Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers. Anchor Brewing released their 47th (and likely final) Christmas Ale in July, with a California-only distribution, as a result of their brewery shutdown announced in the same month. Anchor's beers have been a perennial favorite of mine -- especially Liberty Ale and the ever-changing Our Very Special Ale to kick off the Christmas season each year. Some years were hits, some were misses, but I always looked forward to trying each year's release. It's sad to see the end of Anchor Brewing and I'm happy to have a dwindling few bottles stored in my garage.
Adobe ColdFusion is vulnerable to a Mass Assignment vulnerability that can result in an attacker being able to modify the value of any variable in any scope within the context of remote CFC methods. A mass assignment vulnerability occurs when application code allows a user to set or modify arbitrary objects or values without verifying that the user is authorized to do so. Modifying values related to authorization checks, security controls, or other important functions may permit a malicious user to access sensitive data or perform other unexpected actions. Mass assignment vulnerabilities are not unique to ColdFusion and have affected other languages including ASP.NET, PHP, and Ruby on Rails.