Channel: CodeSection, Code Area, Cyber Security - CodeSec

Hackers Exploit Recently Patched ColdFusion Vulnerability


A Chinese APT group has been hacking into web servers by exploiting a vulnerability in Adobe ColdFusion that was patched in September and for which no exploit has been released publicly.

The vulnerability, tracked as CVE-2018-15961, affects ColdFusion 11 Update 14 and earlier, ColdFusion 2016 Update 6 and earlier and the ColdFusion 2018 July 12 release. It allows for unrestricted file uploads that can lead to arbitrary code execution.


Researchers from security firm Volexity detected an attack against a ColdFusion server where the hackers uploaded a web shell known as China Chopper written in JSP. Web shells are backdoors that provide attackers with persistence and the ability to execute commands on servers.
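A web shell of the kind Volexity describes has to reach a command-execution primitive somewhere in its source, and on a ColdFusion host a stray `.jsp` file under the platform's own script or upload directories is anomalous on its own. The hunt below is an added example, not Volexity's tooling and not a China Chopper signature: it walks a webroot and flags JSP files that either call `Runtime.exec`, `ProcessBuilder`, `defineClass` or a script engine, or sit under a directory name where no JSP belongs. The directory list and the sample files are constructed here so the script runs offline; real samples are often obfuscated, so treat the patterns as a triage heuristic to be paired with file-timestamp and access-log review.

```python
"""Hunt for JSP web shells dropped on a ColdFusion host (added example)."""
import os
import re
import tempfile

# Heuristic patterns (assumed, not a vendor signature): primitives a JSP web
# shell needs to run commands or load code, which ordinary JSP pages on an
# application server rarely touch.
SHELL_PATTERNS = [
    re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec"),
    re.compile(r"new\s+ProcessBuilder"),
    re.compile(r"defineClass\s*\("),
    re.compile(r"ScriptEngineManager"),
]

# Directory names under a ColdFusion webroot where a *.jsp file is anomalous
# regardless of content. Assumed list for the example, not Adobe's.
SUSPICIOUS_DIRS = ("cf_scripts", "CFIDE", "uploads")


def inspect_file(path):
    """Return the list of reasons this file looks like a web shell ([] = clean)."""
    reasons = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            body = fh.read()
    except OSError:
        return reasons
    for pat in SHELL_PATTERNS:
        if pat.search(body):
            reasons.append("matches " + pat.pattern)
    parts = path.replace("\\", "/").split("/")
    if any(d in parts for d in SUSPICIOUS_DIRS):
        reasons.append("JSP placed under a ColdFusion script/upload directory")
    return reasons


def scan_tree(root):
    """Walk root and return {relative_path: [reasons]} for every flagged JSP."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return hits


def build_sample_tree():
    """Create a constructed webroot: one benign JSP and two shell-like files."""
    root = tempfile.mkdtemp(prefix="cfroot_")
    samples = {
        # benign page: only reads a parameter and echoes it
        "app/hello.jsp": '<%@ page language="java" %><html>Hello <%= request.getParameter("n") %></html>',
        # constructed shell under cf_scripts: exec primitive AND bad location
        "cf_scripts/ajax/upload/x.jsp": (
            '<%@ page import="java.io.*" %>'
            '<% String c = request.getParameter("cmd");'
            " Process p = Runtime.getRuntime().exec(c); %>"
        ),
        # constructed shell hidden among images: exec primitive only
        "app/img/logo.jsp": '<% new ProcessBuilder(request.getParameter("c")).start(); %>',
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    webroot = build_sample_tree()
    for path, why in sorted(scan_tree(webroot).items()):
        print(path, "->", "; ".join(why))
```

Run it against a real webroot by passing that path to `scan_tree` instead of the constructed tree; anything it flags should be cross-checked against the file's modification time and the POST requests in the web server log around that time before it is treated as an incident.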

The attack was detected two weeks after Adobe patched the CVE-2018-15961 vulnerability Sept. 11. At the time, there were no public exploits for the flaw or technical details, such as the fact that it’s tied to CKEditor, a WYSIWYG editor packaged with ColdFusion.

“Volexity worked with Adobe to verify the issue being exploited was CVE-2018-15961,” the researchers said in a blog post Nov. 8. “At the time of contact, Adobe was not aware of any active exploitation of this vulnerability in the wild. Volexity provided additional details about the attack and Adobe then quickly escalated the severity of this vulnerability to a Priority 1 issue.”

It might be that attackers reverse engineered Adobe’s patch and wrote their own exploit, which wouldn’t be unusual for an APT group. However, another, more worrying, possibility is that the vulnerability was already known to hackers when Adobe patched it.

Volexity found numerous internet-accessible web servers running ColdFusion that appear to have been compromised since June. The servers belong to organizations from the education sector, as well as state/government, health research, humanitarian aid and more.

“Volexity was not able to confirm that CVE-2018-15961 was the vulnerability abused in these instances,” the researchers said. “However, based on the placement of the files on the affected servers, Volexity believes that a non-APT actor may have identified this vulnerability prior to September 11, 2018.”

ColdFusion is an application development platform that’s popular in enterprise environments, which makes it a highly attractive target for hackers. It also has a long history of remotely exploitable vulnerabilities that have been targeted by nation-state actors and cybercriminals over the years.

“A vigilant patch management process is necessary to protect against threats such as described above with CVE-2018-15961,” the researchers said. “Regardless, Volexity recommends organizations identify any instances of Adobe ColdFusion currently in use, and verify the current version running. It is highly recommended that any vulnerable instances be patched to the latest version immediately.”

Cisco Warns of Hidden Account in Small-Business Switches

Cisco Systems is warning customers that, under certain circumstances, a privileged account might be enabled on networking switches from its Small Business series without administrators being notified.

If the account is active, attackers can log in remotely to the devices and execute commands with full administrator rights. Cisco tracks this issue as CVE-2018-15439 and rates it as critical.

“The default configuration on the devices listed as vulnerable includes a default, privileged user account that is used for the initial login and cannot be removed from the system,” the company said in an advisory. “An administrator may disable this account by configuring other user accounts with access privilege set to level 15.”

The affected switches include: Cisco Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches, 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches.

Cisco has not yet released patched software versions, but the company’s advisory contains instructions on how to determine if a “privilege 15” account is enabled on the device. If such an account is already present, then the device is not vulnerable. If it’s not present, administrators should create one so that the default and insecure account gets automatically disabled.
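The check reduces to one question about the running configuration: does any local account hold privilege level 15? The script below is an added example, not Cisco's tooling and not the advisory's literal procedure. It assumes the IOS-like line format these switches print for local users, `username NAME password encrypted HASH privilege N` (assumed syntax), parses the output of `show running-config`, and reports `exposed` when no level-15 user exists. A user line without a `privilege` keyword is treated as level 1 (assumed default) so it never satisfies the check by accident. The two configurations are constructed for the example.

```python
"""Check a Small Business switch running-config for a privilege-15 user (added example)."""
import re

# Assumed line shape: 'username NAME <rest>' where <rest> may carry 'privilege N'.
USER_LINE = re.compile(r"^\s*username\s+(\S+)\s+(.*)$", re.IGNORECASE)
PRIV = re.compile(r"\bprivilege\s+(\d+)\b", re.IGNORECASE)


def parse_users(running_config):
    """Return {username: privilege_level} from running-config text.

    A username line with no privilege keyword maps to level 1 (assumed default).
    """
    users = {}
    for line in running_config.splitlines():
        m = USER_LINE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        p = PRIV.search(rest)
        users[name] = int(p.group(1)) if p else 1
    return users


def privilege15_accounts(running_config):
    """Sorted list of local accounts configured with privilege 15."""
    return sorted(n for n, lvl in parse_users(running_config).items() if lvl == 15)


def assess(running_config):
    """Return (status, accounts): 'ok' when at least one privilege-15 user exists,
    which per the advisory disables the undocumented default account; else 'exposed'."""
    accts = privilege15_accounts(running_config)
    return ("ok" if accts else "exposed", accts)


# Constructed running-config excerpts for the example.
CONFIG_EXPOSED = """\
!
hostname sg300-lab
username ops password encrypted 8a1b2c3d privilege 7
!
"""

CONFIG_OK = """\
!
hostname sg300-lab
username ops password encrypted 8a1b2c3d privilege 7
username netadmin password encrypted 9f8e7d6c privilege 15
!
"""

if __name__ == "__main__":
    for label, cfg in (("exposed-sample", CONFIG_EXPOSED), ("ok-sample", CONFIG_OK)):
        status, accts = assess(cfg)
        print(label, "->", status, accts)
```

In practice the input is the text captured from `show running-config` over SSH for each switch in inventory; a device that comes back `exposed` needs a level-15 account created by hand, after which the same check should be rerun to confirm the change took effect.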

This is not the first time Cisco has identified backdoor accounts in its products. They are a legacy of a time when it was common across the hardware industry to leave privileged accounts inside devices for debugging or technical-support purposes. Some vendors, including Cisco, have been actively working to remove these accounts in recent years, as they pose a serious security risk.
