Monday, December 23, 2024

An Initial Analysis of Adobe ColdFusion CVE-2024-53961

A ColdFusion security patch released two days before Christmas?  I have a feeling that may have resulted in many sysadmins shouting "Fiddlesticks!" (or perhaps another f-word) earlier today.  And on that note, may I suggest this perfect album for a little holiday cheer after the servers have been patched, the wine has been mulled, and the goose has been roasted to perfection:



Ghosts of Vulnerabilities Past?

Adobe released APSB24-107 today, which addresses one vulnerability in ColdFusion tracked as CVE-2024-53961 and described as a path traversal that could lead to file retrieval.  Based on a quick review of the corresponding patches, it appears to be a security enhancement that improves protection (and possibly remediates bypasses) against the attack vectors first addressed in APSB24-14 / CVE-2024-20767 back in March.  

APSB24-14 originally listed ColdFusion 2023 Update 7 and ColdFusion 2021 Update 13 as the required patches, and has since been updated to direct users to ColdFusion 2023 Update 12 and ColdFusion 2021 Update 18 as the fixed versions.  CVE-2024-20767 was added to the CISA Known Exploited Vulnerabilities Catalog last week, so that could be a reason for today's enhancement.  I previously wrote about defending against CVE-2024-20767, and stand by those recommendations as good things to do.  I suspect that they'd also protect against CVE-2024-53961, but feel free to leave a comment if you believe otherwise or have anything else to share.


Looking at the New Patches

The original patches from APSB24-14 (ColdFusion 2023 Update 7 and ColdFusion 2021 Update 13) broke the exploit chain for CVE-2024-20767 by removing some residual files for Server Management and Server Monitoring -- specifically the {cf-root}/cfusion/wwwroot/CFIDE/adminapi/_servermanager/ directory and {cf-root}/cfusion/wwwroot/CFIDE/adminapi/servermonitoring.cfc.  The /_servermanager/ directory contained various CFCs with remote methods, including one that could be used to obtain the Performance Monitoring UUID.  That UUID could then be used to access and exploit a vulnerability in PMSGenericServlet, leading to file retrieval.  It's also worth noting that ColdFusion 2023 Update 7 and ColdFusion 2021 Update 13 did not make any changes to the PMSGenericServlet classes, so the underlying vulnerable code was still there -- it just was no longer possible to retrieve the necessary UUID value.

Let's look at a few changes in the new code from ColdFusion 2023 Update 12 and ColdFusion 2021 Update 18:


As shown in the diff above, the latest version of coldfusion.monitor.module.MonitoringServiceUtilsImpl.class now resets the PMS UUID when the update is installed, and adds the ability to generate a new UUID on every ColdFusion restart.  Since the UUID was previously a static value and the vulnerable code remained in PMSGenericServlet, an attacker who had already obtained the UUID could have retained access and continued to exploit CVE-2024-20767 even after ColdFusion 2023 Update 7 or ColdFusion 2021 Update 13 was installed.




The selected portions of the diff of coldfusion.monitor.PMSGenericServlet.class shown above reveal a few more security enhancements:
  • the logging module, which was leveraged in the CVE-2024-20767 attack chain for local file retrieval, has been entirely removed
  • multiple URL parameter values passed to PMT modules are now checked against a strict alphanumeric regex, which will also break known attack patterns from CVE-2024-20767

I don't know if there are further enhancements in the new patches in APSB24-107, or if there are new exploitation variants and other bypasses for CVE-2024-20767.  It's possible this is just some necessary security cleanup for the rough edges described above.  It's also possible there were other factors that prevented ColdFusion 2023 Update 7 and ColdFusion 2021 Update 13 from being fully effective.

Wrapping It Up


Adobe's Tech Notes for the latest patches have a lot of good information in the FAQs, and anyone running an affected version of ColdFusion should review them and install the required updates as appropriate.  To that I'll also add the same recommendations from when I originally wrote about CVE-2024-20767:
  • Ensure that strict access control is enforced for normalized, case-insensitive /CFIDE paths.  Running the latest ColdFusion Connector is a great way to do this, and it can also be done or supplemented with access control rules at the webserver, CDN edge, or WAF.
  • Add specific trusted IP addresses to Security → Allowed IP Addresses in CFAdmin
  • Ensure that the PMSGenericServlet is inaccessible via /pms URI paths from external and untrusted sources.
  • Consider blocking remote HTTP/HTTPS access to .cfc files.  Note that this will make all remote CFC methods inaccessible.  But given the attack surface of the ColdFusion framework code that handles remote CFC methods, and the history of exploits that require access to a specific (or any) remote CFC method, you want to do this.
  • Identify and fix any XML eXternal Entities (XXE) and Server Side Request Forgery (SSRF) vulnerabilities in your applications that could be used to access internal resources such as the CFAdmin API and the PMSGenericServlet.
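The first, third and fourth recommendations above all hinge on matching the request path the way the backend will interpret it, not the way it arrives on the wire.  The following is an added example (not code from this post, from Adobe, or from the ColdFusion Connector) of the kind of normalization an edge rule or WAF needs before it compares a path against a deny list: it percent-decodes until the string is stable (to defeat double encoding), treats backslashes as slashes, strips Tomcat-style `;` path parameters from each segment, collapses `.` and `..` segments, and lowercases the result before matching the /CFIDE, /pms and .cfc rules.  The deny list and the sample request paths are constructed for illustration and are assumptions, not a complete policy for any particular deployment.

```python
from urllib.parse import unquote

# Assumed deny policy for untrusted sources, per the recommendations above.
# Adjust to your deployment; this is an illustration, not a complete ruleset.
BLOCKED_EXACT = ("/cfide", "/pms")
BLOCKED_PREFIXES = ("/cfide/", "/pms/")
BLOCKED_SUFFIXES = (".cfc",)

# Bound on repeated percent-decoding so a crafted input cannot loop forever.
MAX_DECODE_ROUNDS = 5


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path the way a deny rule must before matching.

    Steps: drop query/fragment, percent-decode until stable, treat '\\' as '/',
    truncate at a NUL byte, strip ';param' suffixes from each segment, collapse
    '.' / '..' / empty segments, and lowercase (ColdFusion paths on Windows are
    case-insensitive, and the Connector matching is case-insensitive as well).
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]

    # Repeated decoding defeats double encoding such as %252e%252e -> %2e%2e -> ..
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded

    path = path.replace("\\", "/")
    path = path.split("\x00", 1)[0]

    segments = []
    for seg in path.split("/"):
        # Tomcat treats ';...' on a segment as path parameters, so '/cfide;x/' is '/cfide/'.
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)

    return "/" + "/".join(segments).lower()


def is_blocked(raw_path: str) -> bool:
    """Return True when the normalized path hits the /CFIDE, /pms or .cfc deny rules."""
    path = normalize_path(raw_path)
    if path in BLOCKED_EXACT:
        return True
    if path.startswith(BLOCKED_PREFIXES):
        return True
    if path.endswith(BLOCKED_SUFFIXES):
        return True
    return False


# Constructed sample request paths: evasion attempts that a naive, case-sensitive
# string match on "/CFIDE/" would miss, plus benign paths that must stay allowed.
SAMPLE_PATHS = [
    "/CFIDE/adminapi/_servermanager/foo.cfc",       # plain
    "/cfide/../CFIDE/administrator/index.cfm",      # dot-segment shuffle
    "/%43%46%49%44%45/adminapi/servermonitoring.cfc",  # percent-encoded "CFIDE"
    "/%252e%252e/CFIDE/adminapi/",                  # double-encoded "../"
    "/cfide;jsessionid=abc/administrator/",         # Tomcat path parameter
    "\\CFIDE\\administrator\\",                     # backslashes
    "/pms?name=x",                                  # PMSGenericServlet path
    "/app/Foo.CFC?method=run",                      # remote CFC method
    "/app/index.cfm",                               # benign
    "/docs/cfide-notes.html",                       # benign; contains the substring only
]


def evaluate(paths=SAMPLE_PATHS) -> dict:
    """Map each raw path to (normalized path, blocked?) for review or testing."""
    return {p: (normalize_path(p), is_blocked(p)) for p in paths}


if __name__ == "__main__":
    for raw, (norm, blocked) in evaluate().items():
        print(f"{'BLOCK' if blocked else 'allow':5}  {raw!r:55} -> {norm}")
```

Whatever enforces the rule (Connector, webserver, CDN or WAF) should apply the same normalization before matching, and the deny rule should err on the side of matching more variants than the backend accepts; a rule that only matches the literal string `/CFIDE/` is exactly the kind that the encoded and dot-segment variants above slip past.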
