Introduction
Access Control is frequently boring but important. It's one of the core security services defined in the OSI Security Architecture reference model (ITU-T X.800), and it illustrates what Erasmus and Franklin (not to mention many doctors, nutritionists, and personal trainers) had to say about prevention versus cure. An attacker can't exploit what he can't access.
Let's pretend you're a jewel thief who wants to steal a bag of jewels locked securely in a bedroom wall safe. Before you can get down to the art and science of safecracking, you need to get access to the safe first. The bedroom and the wall safe are protected areas that any passing jewel thief shouldn't be able to just walk up to and start poking at. Your path to the wall safe would likely have layered security controls -- a locked front door, motion sensors, lasers, CCTV cameras, dogs, bees, dogs with bees in their mouths and when they bark they shoot bees at you, etc. -- that may deter you or at least make your job more difficult.
Looking at CFAdmin
Think of the ColdFusion Administrator (CFAdmin) -- the web-based interface for configuring and managing your ColdFusion environment -- the same way as that wall safe. Protecting and restricting access to CFAdmin should be part of your security baseline. CFAdmin components are served from /CFIDE/ URI paths and expose a great deal of functionality; most of them require authentication (a local username/password, or LDAP as of ColdFusion 2023), but some are reachable without it. So proper access control is crucial.
There have been a number of previous vulnerabilities impacting CFAdmin resources, such as CVE-2010-2861 (from APSB10-18), which involved a beautifully creative exploit chain that combined a path traversal Local File Inclusion bug with a Pass-the-Hash attack, leading to an admin authentication bypass and remote code execution. Even without any known vulnerabilities, it's advisable to restrict access to CFAdmin. At a bare minimum, an exposed login page invites brute-force attacks, and it has the potential to be the small gap and first step that lets an attacker more easily bootstrap access via some future vulnerability. But more often, access to CFAdmin is going to expose vulnerable resources -- remote CFC functions, endpoints that leak data, and other weaknesses -- that can allow an attacker to compromise a system.
ColdFusion includes a built-in Tomcat webserver (listening on 8500/TCP by default), but it is uncommon and discouraged to expose it directly to the public Internet. (Shodan, prove me wrong.) More often, an Apache Tomcat Connector or similar component is used to link the built-in ColdFusion webserver to an external webserver, such as IIS on Windows or Apache on Unix/Linux. (This will be an Adobe-customized mod_jk for Apache or a customized ISAPI filter for IIS.) So while attacks that require direct access to the built-in ColdFusion webserver may be handy for lateral movement inside an environment, it's less likely that this service will be directly exposed to the public Internet.
Adobe includes the wsconfig tool to set up the connectors, and this will configure what URI paths are passed onto the Tomcat worker(s) versus which ones stay local to the external webserver.
So we may wind up with a setup similar to the picture above. Some requests (such as images and other non-CFML content) are processed only by the external webserver, while requests for CFML resources get passed via the connector to the ColdFusion servlets. Note that other configurations are possible, such as load balancer or reverse proxy setups, as well as deploying the ColdFusion Java servlets on alternate application servers.
With a setup like the one shown above, we can have multiple layers of access control protecting CFAdmin, starting with the Connector itself. The uriworkermap.properties Tomcat Connector configuration file (in a location such as C:\ColdFusionXXXX\config\wsconfig\1\ or /opt/ColdFusionXXXX/config/wsconfig/1/) controls which requests are handled locally by the external webserver (IIS or Apache) and which are routed to the built-in ColdFusion Tomcat server. For example, a uriworkermap.properties like this one:
[...more lines above...]
!/CFIDE* = cfusion
would prevent request URIs beginning with /CFIDE from being passed through the connector (the leading ! marks the line as an exclusion rule).
With this configuration, a URL such as https://some.cf-site/CFIDE/administrator/index.cfm would return 404, since the request would not be passed via the Connector and the external webserver would not resolve it on its own.
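To make the routing decision concrete, here is an added example (not code from the original post or from Adobe's connector) that parses a small, constructed uriworkermap.properties and reports whether a request URI would be forwarded to the cfusion worker or left to the external webserver. The matching model is a deliberate simplification of mod_jk (assumed: any matching exclusion wins, otherwise the longest matching include wins, and * matches across slashes); the sample rule set is hypothetical and shorter than what wsconfig actually writes.

```python
import fnmatch

# Constructed sample uriworkermap.properties (hypothetical, shortened version
# of what wsconfig writes; the real generated file has more entries).
SAMPLE_URIWORKERMAP = """
# route CFML resources to the cfusion Tomcat worker
/*.cfm = cfusion
/*.cfc = cfusion
/*.cfml = cfusion
/flex2gateway/* = cfusion
# never hand /CFIDE requests to Tomcat; the external webserver 404s them
!/CFIDE* = cfusion
"""


def parse_uriworkermap(text):
    """Parse uriworkermap.properties lines into (pattern, worker, is_exclusion).

    A leading '!' marks an exclusion rule; blank lines and '#' comments are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, sep, worker = line.partition("=")
        if not sep:
            continue  # not a rule line
        pattern, worker = pattern.strip(), worker.strip()
        exclusion = pattern.startswith("!")
        if exclusion:
            pattern = pattern[1:].strip()
        rules.append((pattern, worker, exclusion))
    return rules


def route(rules, request_uri):
    """Decide where a request goes under a simplified mod_jk model.

    Returns the worker name the request is forwarded to, or None when the
    external webserver handles it locally. Model (an assumption, not a
    reimplementation of mod_jk): any matching exclusion wins; otherwise the
    longest matching include pattern wins; '*' matches any characters,
    including '/', as in patterns such as '/*.cfm' and '/app/*'.
    The path is matched exactly as received, with no normalization.
    """
    path = request_uri.split("?", 1)[0]
    matches = [r for r in rules if fnmatch.fnmatchcase(path, r[0])]
    if any(excl for _, _, excl in matches):
        return None
    includes = [(pattern, worker) for pattern, worker, excl in matches if not excl]
    if not includes:
        return None
    return max(includes, key=lambda pw: len(pw[0]))[1]


RULES = parse_uriworkermap(SAMPLE_URIWORKERMAP)

if __name__ == "__main__":
    for uri in ("/index.cfm", "/images/logo.png",
                "/CFIDE/administrator/index.cfm",
                "//CFIDE/administrator/index.cfm"):
        print(f"{uri:40} -> {route(RULES, uri)}")
```

The last sample URI is the caveat: matched literally, //CFIDE/administrator/index.cfm does not hit the !/CFIDE* exclusion but does hit /*.cfm, so it would be forwarded. The exclusion only holds if whatever sits in front of the map has already collapsed the duplicate slash, which is exactly the normalization step the connector discussion below depends on.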
Looking at Two Previous CFAdmin Access Control Vulnerabilities
Let's look at two previous CFAdmin access control vulnerabilities, both reported to Adobe by Stephen Fewer of Rapid7 -- CVE-2023-29298 and CVE-2023-38205.
The analysis for both of these vulnerabilities shows an attacker communicating directly with the ColdFusion Tomcat server on port 8500/TCP. While it's possible that this service is exposed externally or that the attacker is starting from an internal position of privilege, direct access to the ColdFusion Tomcat server is unlikely for an external attacker. So let's consider these vulnerabilities and their exploits in the context of the more common connector setup.
CVE-2023-29298 involves adding an extra slash in a /CFIDE/ request URI, such as:
http://my-cf-server:8500//CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo
While this will work with direct ColdFusion server access, it should not work against an external webserver/connector setup, because the external webserver (and possibly other web components in front of it) should remove the extra slash when it cleans up and normalizes the request URI.
CVE-2023-38205 involves prefixing the CFIDE path segment with two leading dots (..) behind an arbitrary first segment, such as:
http://my-cf-server:8500/hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo
Additional Techniques for CFAdmin Access Control Bypasses
- URL-encoding and other alternate encoding formats of URI paths
- Case variations in URI paths
- Adding /./ in URI paths
- Adding a \ (backslash) as a prefix or suffix in URI path segments (e.g., /\CFIDE/the/rest/of/the/path/)
The Impact - Going from Boring to Critical
How to Remediate and Other Defensive Recommendations
- Install the latest ColdFusion security patches after appropriate testing. You should not expose EOL ColdFusion versions to the Internet.
- In addition to installing ColdFusion security updates, you may need to manually re-create your Connectors. The connectors released with ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11 contain important security updates to protect access to CFAdmin. Those updated Connectors will block all of the "CFIDE" bypass techniques listed above.
- Use WAF rules, URL filters, webserver access control, and other capabilities to restrict access to any URI paths that contain CFIDE. These rules should perform URI normalization and handle things such as case-insensitivity, URL-encoded values, and other common path obfuscation techniques.
- Run the ColdFusion Auto-Lockdown tool or manually configure the recommendations in the ColdFusion Lockdown Guide.
- Add specific trusted IP addresses to Security → Allowed IP Addresses in CFAdmin
- Enable the Server Settings → Disable access to internal ColdFusion Java components setting in CFAdmin (note that this should be tested, as some third-party software may require access to those components).
- Block remote/untrusted HTTP/HTTPS access to .cfc files and avoid using remote methods in ColdFusion Components if possible.
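The bypass techniques listed above and the WAF/URL-filter recommendation both come down to one question: does the rule look at the path the way the back end will eventually interpret it? The following added example (my own code, not from the original post or from any vendor) builds one obfuscated variant per listed technique, then runs each through a naive literal prefix rule and through a hardened rule that normalizes first and denies any path containing "cfide" anywhere. The variants, paths and hostless URIs are constructed; the normalizer is an illustration of the steps a front end should perform, not a copy of any product's implementation.

```python
from urllib.parse import unquote

ADMIN_PATH = "/CFIDE/administrator/index.cfm"


def bypass_variants(path=ADMIN_PATH):
    """Constructed obfuscations of a /CFIDE/ path, one per technique listed above.

    'path' is assumed to start with '/CFIDE/'.
    """
    rest = path[len("/CFIDE/"):]
    return {
        "double slash (CVE-2023-29298 style)": "//CFIDE/" + rest,
        "dot-dot prefix (CVE-2023-38205 style)": "/hax/..CFIDE/" + rest,
        "percent-encoded letters": "/%43%46%49DE/" + rest,
        "double-encoded slash": "/%252FCFIDE/" + rest,
        "case variation": "/cfIDE/" + rest,
        "dot segment": "/./CFIDE/" + rest,
        "backslash prefix": "/\\CFIDE/" + rest,
    }


def normalize_uri(request_uri, max_decode_rounds=3):
    """Canonicalize a request path before a deny rule is evaluated.

    Steps: drop the query string, percent-decode repeatedly (bounded, to undo
    double encoding), treat backslash as a separator, drop empty and '.'
    segments, resolve '..', and case-fold. A bare segment such as '..CFIDE'
    is kept as-is: it is not a parent reference in POSIX terms, which is why
    hardened_block() uses a substring check rather than a prefix check.
    """
    path = request_uri.split("?", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments).lower()


def naive_block(request_uri):
    """The weak rule: literal, case-sensitive prefix match on the raw URI."""
    return request_uri.startswith("/CFIDE/")


def hardened_block(request_uri):
    """The rule the text recommends: normalize, then deny any path that
    contains 'cfide' anywhere, not only as the leading segment."""
    return "cfide" in normalize_uri(request_uri)


def evaluate(path=ADMIN_PATH):
    """Run both rules over the canonical path and every variant.

    Returns {label: (naive_blocked, hardened_blocked)}.
    """
    cases = {"canonical": path, **bypass_variants(path)}
    return {label: (naive_block(uri), hardened_block(uri)) for label, uri in cases.items()}


if __name__ == "__main__":
    for label, (naive, hardened) in evaluate().items():
        print(f"{label:42} naive={naive!s:5} hardened={hardened}")
```

Every variant slips past the naive rule and is caught by the hardened one; only the canonical path is caught by both. The substring match is the important design choice: the ..CFIDE variant normalizes to /hax/..cfide/... under POSIX rules, so a rule that checks for a leading /cfide/ segment after normalization would still miss it, whereas "any path containing CFIDE" (as the recommendation above puts it) does not. Decoding is bounded rather than looped to exhaustion so that a pathological input cannot turn the filter into a CPU sink.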