Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions. It's worth a read to understand what an attacker could do after compromising a Lucee Admin interface to execute arbitrary code and maintain persistence. Admin interfaces gonna admin -- especially in the case of unauthorized admin access -- and monitoring for any changes in extensions, scheduled jobs, and other sensitive configuration settings is an important detection strategy. This is also a good reminder why you want very strict access control for Lucee Admin, or may want to consider disabling it altogether.
Included in the Sprocket Security research was a default Lucee Admin password set on Intranet Connections instances. If you're running an Intranet Connections Lucee instance, ensure that you've change the default Lucee Admin password. Like now. Or yesterday. Or ideally when you first set it up.
For reference - a standard modern Lucee build does not come with a default or hard-coded passwords. As of Lucee 5.3.4.46, the initial admin password has to be imported from the local filesystem, and there are multiple ways to configure this via automated system management. (Earlier versions of Lucee and Railo came with a blank admin password, to be set by the first user who connected to the admin interface. But fortunately that's no longer the case.)
Despite making for EZSetup, hard-coded credentials are the 4Dgifts that keep on giving to would-be system compromisers (iykyk). And while manufacturers and product owners should follow CISA's guidance (and general best practice) to to avoid default passwords, it falls to end-users to change any default credentials in many cases.
And beyond strong passwords and access control, ensure that you're keeping your Lucee instances up-to-date with security updates and other fixes.
No comments:
Post a Comment