Patch Tuesday August 2023 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Protect your systems from potential cyber threats and ensure the smooth functioning of your endpoints. For even more information, watch the recorded August 2023 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
- .NET and Visual Studio Denial of Service Vulnerability (CVE-2023-38180)
- Microsoft Outlook Remote Code Execution Vulnerability (CVE-2023-36895)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2023-21709)
- Microsoft Teams Remote Code Execution Vulnerability (CVE-2023-29328 and CVE-2023-29330)
- Microsoft Message Queuing Remote Code Execution Vulnerabilities (CVE-2023-36911, CVE-2023-36910, and CVE-2023-35385)
- Third-party application vulnerabilities:
- Azure
- Google Chrome
- Mozilla Firefox
- Ivanti
- Canon
- Ubuntu Linux
- AMD
- MikroTik
- Atlassian Confluence
- Apple
- Adobe ColdFusion
Microsoft Vulnerabilities
Welcome to the August Patch Tuesday release.
This month’s release addresses 74 vulnerabilities from Microsoft, a sharp drop from July’s figure. Six of them are rated Critical, also fewer than last month. The release additionally fixes one zero-day that is already being exploited and ships two advisories covering two further zero-days. Let’s look at the most noteworthy updates.
.NET and Visual Studio Denial of Service Vulnerability
This month’s exploited zero-day, CVE-2023-38180, affects .NET and Visual Studio. It has a network attack vector and low attack complexity, and it requires neither privileges nor user interaction. Its CVSS score is 7.5 (High rather than Critical) because the only impact is on availability: a successful attack results in a denial of service. The affected products are Microsoft Visual Studio 2022, .NET 7.0, .NET 6.0 and ASP.NET Core 2.1.
Microsoft has confirmed that the vulnerability is being exploited in the wild. An attacker who can reach an affected application over the network can crash it or make it unresponsive, so Internet-facing ASP.NET Core services should be updated first.
Microsoft Outlook Remote Code Execution Vulnerability
Microsoft Outlook is affected by a critical vulnerability, CVE-2023-36895, that allows remote code execution: an attacker who exploits it can run code, and ultimately take control, in the context of the logged-on user. The attack vector is local and the complexity is low; no privileges are required, but the victim must open a specially crafted file, typically one delivered by e-mail or downloaded from a website.
The vulnerability is rated 7.8 on the Common Vulnerability Scoring System (CVSS). The score stays below Critical because of the local attack vector and the user interaction required. All Office releases from Office 2013 onward are affected.
At the time of writing, the security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not yet available; Microsoft says they will be released as soon as possible.
Microsoft assesses exploitation as less likely, which is welcome news.
Bugs of this type are often referred to as arbitrary code execution (ACE): the attacker’s code runs on the victim’s machine with the victim’s rights, and from there the attacker can deploy further malware. The realistic delivery path is a phishing campaign with a malicious attachment, which makes this a serious concern wherever Outlook is the primary mail client.
Microsoft Exchange Server Elevation of Privilege Vulnerability
A serious vulnerability, CVE-2023-21709, has been fixed in Microsoft Exchange Server. It is an elevation-of-privilege flaw with a network attack vector and low attack complexity that requires neither privileges nor user interaction.
Its CVSS score is 9.8, yet Microsoft rates it Important rather than Critical, and it is not remote code execution: the attacker must brute-force the password of an existing user account, after which they can log in as that user. Accounts protected by strong, unique passwords and account lockout policies are far less exposed.
Installing the August security update alone does not close this vulnerability. In addition to the update, Microsoft requires that the IIS TokenCacheModule be removed from every Exchange server, either by running the CVE-2023-21709.ps1 script that Microsoft provides together with its documentation, or manually with the following command from an elevated PowerShell window:
Clear-WebConfiguration -Filter "/system.webServer/globalModules/add[@name='TokenCacheModule']" -PSPath "IIS:\"
To manually roll back the fix on a server, re-register the module:
New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll"
While the likelihood of exploitation is low, be proactive: install the update, remove the module on every Exchange server, and strengthen password and lockout policies.
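The script below is an added example written for this digest; it is not Microsoft’s CVE-2023-21709.ps1 and not part of the original article. It wraps the two documented commands with a check, so you can see whether TokenCacheModule is still registered before and after the change and collect the same evidence from every server. It assumes an elevated PowerShell session on an Exchange server with the IIS WebAdministration module available (installed with the IIS role); the function names are ours.

```powershell
# Added example (not Microsoft's CVE-2023-21709.ps1): check, remove and restore the IIS
# TokenCacheModule that the CVE-2023-21709 mitigation targets. Run elevated on each
# Exchange server in addition to installing the August 2023 Security Update.
# Assumption: the WebAdministration module is available (it ships with the IIS role).
Import-Module WebAdministration -ErrorAction Stop

$ModuleName = 'TokenCacheModule'
$ModuleDll  = '%windir%\System32\inetsrv\cachtokn.dll'

function Test-TokenCacheModule {
    # $true while the global module is still registered in applicationHost.config.
    [bool](Get-WebGlobalModule -Name $ModuleName -ErrorAction SilentlyContinue)
}

function Remove-TokenCacheModule {
    if (-not (Test-TokenCacheModule)) {
        Write-Host "$ModuleName is not registered; nothing to do."
        return
    }
    # Same change Microsoft documents: delete the <add name="TokenCacheModule"/> entry
    # from <system.webServer><globalModules> at the server (IIS:\) level.
    Clear-WebConfiguration -Filter "/system.webServer/globalModules/add[@name='$ModuleName']" -PSPath 'IIS:\'
    if (Test-TokenCacheModule) {
        throw "$ModuleName is still registered after Clear-WebConfiguration; inspect applicationHost.config."
    }
    Write-Host "$ModuleName removed."
}

function Restore-TokenCacheModule {
    # Rollback, identical to Microsoft's documented command.
    if (Test-TokenCacheModule) {
        Write-Host "$ModuleName is already registered."
        return
    }
    New-WebGlobalModule -Name $ModuleName -Image $ModuleDll
    Write-Host "$ModuleName restored."
}

# Report the state, apply the mitigation, report again. Replace Remove-TokenCacheModule
# with Restore-TokenCacheModule to roll back.
Write-Host ("Before: {0} registered = {1}" -f $ModuleName, (Test-TokenCacheModule))
Remove-TokenCacheModule
Write-Host ("After:  {0} registered = {1}" -f $ModuleName, (Test-TokenCacheModule))
```

Run it on each server (for example through Invoke-Command against your Exchange server list) and keep the output: because the security update itself does not remove the module, the only proof that a server is mitigated is that Test-TokenCacheModule returns False on it. IIS is reconfigured live, so verify OWA, ECP and Outlook connectivity afterwards.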
Microsoft Teams Remote Code Execution Vulnerability
Microsoft Teams is affected by two critical vulnerabilities, CVE-2023-29328 and CVE-2023-29330. Both have a network attack vector and low attack complexity and require no privileges, but they do need user interaction: the victim must join a malicious Teams meeting set up by the attacker.
Their CVSS score is 8.8; it falls short of the maximum only because of that required user interaction. A successful attack executes arbitrary code on the victim’s device in the context of the victim’s user account.
In practice these bugs lend themselves to phishing: a meeting invitation is an everyday artefact that users rarely question, and the initial code execution can be followed by further malware to amplify the impact.
Microsoft assesses exploitation as less likely, but organizations should still apply the updates promptly and remind users to treat unexpected meeting invitations, especially from outside the organization, with suspicion.
Microsoft Message Queuing Remote Code Execution Vulnerabilities
Three critical vulnerabilities (CVE-2023-36911, CVE-2023-36910 and CVE-2023-35385) have been fixed in the Microsoft Message Queuing (MSMQ) service. All three have a network attack vector and low attack complexity and require neither privileges nor user interaction, giving them a CVSS score of 9.8. They affect Windows Server releases from Windows Server 2008 onward as well as Windows 10 and Windows 11 clients. Microsoft assesses exploitation as less likely.
Microsoft lists mitigating factors for these bugs, that is, settings, common configurations or general best practices that exist by default and reduce the severity of exploitation:
- The Windows Message Queuing service is an optional Windows component that is not installed by default; a system is only vulnerable if the feature has been enabled, for example through Control Panel or Server Manager.
- Check whether a service named Message Queuing is running and listening on TCP port 1801. If the service is not needed, disabling it removes the exposure entirely; if it is needed, prioritize the patch and make sure port 1801 is not reachable from untrusted networks.
Successful exploitation gives the attacker remote code execution on the target system.
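The check called for by the second mitigating factor, as an added example for this digest (not code from Microsoft or Action1): it reports whether MSMQ is installed, running and listening on TCP 1801, and provides a function that switches the service off and removes the feature when it is not needed. It assumes an elevated Windows PowerShell 5.1 session on Windows 10/11 or Windows Server 2012 R2 or later (Get-NetTCPConnection needs the NetTCPIP module shipped with those releases); the function names are ours.

```powershell
# Added example (not from Microsoft or Action1): is this host exposed to the August 2023
# MSMQ RCE bugs (CVE-2023-35385, CVE-2023-36910, CVE-2023-36911)? Run elevated.

function Get-MsmqExposure {
    # The MSMQ service only exists once the optional Message Queuing feature has been enabled.
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    # MSMQ accepts remote traffic on TCP 1801; anything bound there is reachable over the network.
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
    $owners = @(foreach ($l in $listeners) {
        (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    })
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceInstalled = [bool]$svc
        ServiceStatus    = $status
        ListeningOn1801  = ($listeners.Count -gt 0)
        LocalAddresses   = (($listeners | ForEach-Object LocalAddress | Sort-Object -Unique) -join ',')
        ListenerProcess  = (($owners | Sort-Object -Unique) -join ',')
        # Exposed means the vulnerable service is running and reachable; it says nothing about patch state.
        Exposed          = ([bool]$svc -and $status -eq 'Running' -and $listeners.Count -gt 0)
    }
}

function Disable-Msmq {
    # Immediate: stop the service and prevent it from starting again.
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    if ($svc) {
        Stop-Service -Name MSMQ -Force
        Set-Service  -Name MSMQ -StartupType Disabled
    }
    # Persistent: remove the feature. The cmdlet differs between Server and client SKUs.
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name MSMQ | Out-Null                                        # Windows Server
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -NoRestart | Out-Null # Windows 10/11
    }
}

$state = Get-MsmqExposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning 'MSMQ is running and listening on TCP 1801: install the August 2023 update, or run Disable-Msmq if the service is not needed.'
}
```

Run Get-MsmqExposure through Invoke-Command against a server list to inventory exposure across the estate; the Exposed flag tells you the vulnerable service is reachable, not whether the patch is installed, so combine it with your update compliance data. Some line-of-business applications rely on MSMQ queues, so confirm nothing depends on the service before running Disable-Msmq.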
Azure
Tenable’s leadership has sharply criticized Microsoft, calling its handling of a security flaw in the Azure cloud platform “grossly irresponsible, if not blatantly negligent”. The criticism follows a vulnerability discovered by Tenable researchers that allowed unauthenticated attackers to reach cross-tenant applications and obtain sensitive customer data.
The vulnerability stems from inadequate access control on the Azure Function hosts that back custom connectors in Microsoft’s Power Platform (Power Apps, Power Automate).
Custom connectors for the Power Platform can carry C# code that handles the connection to, and interaction with, other services. That C# code is deployed as an Azure Function with an HTTP trigger, and it is Microsoft, not the customer, that deploys and operates the function; the host it runs on was reachable without proper authorization.
Microsoft delivered a partial fix roughly three months after the report, which Tenable criticized as ineffective or merely cosmetic; it applied only to newly created connectors, leaving everything deployed earlier exposed. Microsoft promised a complete fix, but its timeline ran well past the customary 90-day disclosure window despite the severity of the issue, and, most troubling to Tenable, Microsoft did not inform its customers of the problem or the associated risk. Tenable’s frustration is understandable given that this is the second such episode with Microsoft, following a similar one in June of the previous year; a week earlier, a U.S. senator had also asked federal agencies to investigate Microsoft’s repeated security lapses.
Shortly before Tenable’s bulletin was due, Microsoft released a full fix covering all affected Azure applications and customers. Tenable then published a detailed write-up of the vulnerability together with a proof of concept (PoC).
Google Chrome
Google has announced the release of Chrome 115 update, which addresses a total of 17 security vulnerabilities in the browser. Among the fixed issues are three serious type confusion bugs discovered in the V8 JavaScript and WebAssembly engine.
Two of the V8 issues (CVE-2023-4068 and CVE-2023-4070) were reported by a researcher known as Jerry; the third (CVE-2023-4069) was reported by Man Yue Mo of GitHub Security Lab.
Beyond the V8 bugs, the update resolves six other high-severity vulnerabilities. The most severe is CVE-2023-4071, a heap buffer overflow in Visuals. The update also addresses an out-of-bounds read and write in WebGL (CVE-2023-4072) and an out-of-bounds memory access in the ANGLE graphics layer (CVE-2023-4073).
It further fixes three externally reported high-severity use-after-free bugs in Blink task scheduling, Cast and WebRTC.
Apart from the serious vulnerabilities, the latest Chrome version also fixes two moderate vulnerabilities related to extensions. Users can access the update as version 115.0.5790.170 for Mac and Linux and 115.0.5790.170/.171 for Windows.
Mozilla Firefox
Mozilla has released several updates to address security issues in its Firefox web browser versions. Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14 include patches for a total of 14 Common Vulnerabilities and Exposures (CVEs). Among these, 9 are classified as high severity, some of which have the potential to lead to Remote Code Execution (RCE) or sandboxing bypass.
The first high-severity vulnerability, CVE-2023-4045, allows an offscreen canvas to bypass cross-origin restrictions. The second, CVE-2023-4046, stems from an incorrect value being used during WebAssembly (WASM) compilation, leading to miscompiled code and a potentially exploitable crash in the content process.
Another addressed vulnerability is CVE-2023-4047, which is a clickjacking permission request bypass. This flaw enables an attacker to deceive a user into clicking on an item, but the input is registered as a click in a hidden security dialog box, potentially granting unauthorized access (e.g., location access, sending notifications, activating the microphone, etc.).
The update also handles three other high severity vulnerabilities:
1. CVE-2023-4048: An out-of-bounds reading issue causing DOMParser to crash when deconstructing a generated HTML file.
2. CVE-2023-4049: A use-after-free vulnerability that could potentially be exploited.
3. CVE-2023-4050: A stack buffer overflow in StorageManager that could lead to a sandbox escape.
Lastly, three memory security bugs that could potentially lead to Remote Code Execution are tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058.
Ivanti
The Norwegian government has fallen victim to a zero-day attack on software from Ivanti, a U.S.-based enterprise mobile device management vendor. The attack affected twelve Norwegian government ministries, and the Norwegian National Security Authority (NSM) confirmed that it exploited a critical vulnerability, CVE-2023-35078, in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core.
CVE-2023-35078 is an authentication bypass in the EPMM API: an unauthenticated remote attacker can read users’ personal information and make limited changes to the server. Those changes include creating an EPMM administrator account, which hands the attacker full control of the management platform and every device it manages.
Ivanti rated the bug critical; it affects all supported releases (11.10, 11.9 and 11.8) as well as older, unsupported ones. Ivanti released an emergency patch and urged customers to install it immediately. The bug is easy to exploit, and Shodan showed more than 2,900 EPMM systems reachable from the Internet, most of them in the US and Europe.
Ivanti subsequently fixed a second EPMM vulnerability, CVE-2023-35081, that was exploited in the same attack on Norway, again warning customers of its critical nature and the urgent need to update. It surfaced during the ongoing investigation, which involved researchers at Mnemonic.
CVE-2023-35081 lets an authenticated administrator write arbitrary files to the EPMM server. Chained with CVE-2023-35078, which bypasses administrator authentication and ACL restrictions, it allows an unauthenticated attacker to write files and ultimately execute OS commands on the appliance as the Tomcat web server user.
Ivanti says CVE-2023-35081 has so far affected the same very limited number of customers as CVE-2023-35078. Attacks are expected to broaden, though, given the large number of potentially vulnerable systems and the public proof-of-concept (PoC) code for CVE-2023-35078.
Rapid7 researchers then identified a third critical vulnerability, reported to Ivanti on July 26 and tracked as CVE-2023-35082: an unauthenticated remote API access flaw in MobileIron Core 11.2 and older. Exploiting it gives an attacker access to the personally identifiable information (PII) of mobile device users and, in combination with other vulnerabilities, lets the attacker plant web shells and compromise the server.
Ivanti has said it will not release a patch for CVE-2023-35082 because the issue is already fixed in current EPMM releases; MobileIron Core 11.2 has been out of support since March 15, 2022. Rapid7 has published indicators of compromise (IOCs) to help detect CVE-2023-35082 attacks and urges everyone still running MobileIron Core to upgrade to the latest supported version.
Canon
Japanese manufacturer Canon has issued a warning concerning a significant vulnerability that affects more than 200 models of its inkjet printers. This security issue poses a risk to both home and office printers and could potentially expose Wi-Fi configuration data. The concern arises when these printers are transferred to third parties, such as through sale, repair, or disposal, as sensitive information may be disclosed.
The root cause is that the affected models do not clear the Wi-Fi connection settings when they are initialized, so the data can be extracted by whoever has the printer next and used to reach the original owner’s internal network. What is stored varies by model and configuration but typically includes the network SSID, the password, the security type (e.g., WPA3, WEP), the assigned IP address, the MAC address and the network profile.
Canon has identified over 200 printer models affected by this vulnerability, including approximately 60 large-format inkjet printers commonly used in enterprise settings. To address this issue, the company recommends taking specific steps to protect printer security. Users are advised to perform a full reset of all settings, followed by enabling the wireless LAN and then resetting all settings once again. For printer models lacking the full reset feature, users should reset the LAN settings, activate the wireless LAN, and then reset those settings once more.
It is not yet clear whether Canon will release a firmware fix. Until then, a proactive approach is advisable: follow the reset procedure before a printer leaves your control, and keep printers on an isolated network segment away from more valuable assets so that a leaked Wi-Fi credential buys an attacker as little as possible.
Ubuntu Linux
Two privilege escalation vulnerabilities have been uncovered in Ubuntu, one of the most widely used Linux distributions; they are estimated to affect around 40% of its user base of some 40 million users.
The first, CVE-2023-32629, is in the Ubuntu kernel and is rated high severity. It stems from a missing permission check in OverlayFS (ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr), which lets a local user with limited privileges escalate to root.
The second, CVE-2023-2640, is also in OverlayFS. On Ubuntu kernels carrying an Ubuntu-specific change that skips permission checks for trusted.overlayfs.* extended attributes, an unprivileged user can set privileged extended attributes on files in an overlay mount, and they are applied to the upper files without the appropriate security checks. A local attacker can use this to create a file that confers elevated privileges and so run arbitrary code as root.
Both bugs came to light through inconsistencies between Ubuntu’s OverlayFS changes and the upstream Linux kernel. OverlayFS is a union mount filesystem that is a frequent target for attackers because Ubuntu allows unprivileged users to mount it inside user namespaces and because it has a history of easily exploitable bugs.
Ubuntu has issued a security advisory covering these two vulnerabilities along with six others fixed in the latest kernel. Users should apply the updates; note that a reboot into the new kernel is required before the fix takes effect.
AMD
Google researcher Tavis Ormandy has recently uncovered a new vulnerability named Zenbleed, which affects AMD Zen2 processors. This flaw poses a significant security risk as it allows attackers to potentially steal sensitive data, including passwords and encryption keys, at a rate of 30 KB/s from each processor core.
The vulnerability, CVE-2023-20593, was found by fuzzing Zen 2 processors and comes down to mishandling of the vzeroupper instruction under speculative execution: a mispredicted vzeroupper can leave the core referencing a freed register-file entry, so the upper half of a vector register reveals stale data left there by other processes. Because the register file is shared by everything running on the core, the optimized exploit reads data across any operating system or isolation boundary, including virtual machines, sandboxes and containers.
Tavis Ormandy responsibly disclosed the vulnerability to AMD on May 15, 2023. After AMD released updates to address CVE-2023-20593, the researcher shared technical details and a Proof of Concept (PoC) specifically tailored for Linux.
Zenbleed is a critical concern for all AMD processors based on the Zen 2 architecture. This includes various models such as Ryzen 3000 (Matisse), Ryzen 4000U/H (Renoir), Ryzen 5000U (Lucienne), Ryzen 7020, ThreadRipper 3000, and Epyc servers (Rome).
To mitigate Zenbleed, update the AMD microcode or wait for a BIOS update from the system vendor. Ormandy also published a workaround that sets a so-called chicken bit (bit 9 of MSR 0xC0011029, the DE_CFG register) on every core, for example with the wrmsr tool on Linux; it disables the affected optimization and therefore costs CPU performance, so it should only bridge the gap until the microcode is available.
Detecting exploitation is hard: vzeroupper is an unprivileged instruction and no system call is needed, so nothing unusual shows up in logs, and malware already running on the device can exploit the bug silently. The impact on ordinary users is nevertheless limited, since an attacker needs to run code on the target system and considerable expertise.
Nonetheless, it is crucial for system administrators and users to stay vigilant and keep their systems up to date with the latest security patches. Updating the BIOS in a timely manner is a vital measure to protect against potential vulnerabilities like Zenbleed and maintain the overall security of the system.
MikroTik
A critical privilege escalation vulnerability has been identified, posing a significant risk to more than 900,000 MikroTik RouterOS routers. This flaw enables a stealthy attacker to gain complete control over the device, potentially compromising its security.
Designated CVE-2023-30799, the vulnerability allows a remote attacker who already holds an administrator account to escalate to super-admin through either the Winbox or the HTTP interface and thereby gain full access to the RouterOS operating system. Mass exploitation might seem hard because admin credentials are required, but in practice it is not: RouterOS has no brute-force protection and many deployments still use default admin credentials.
The vulnerability was first disclosed, without a CVE identifier, in June 2022. MikroTik fixed it in the RouterOS stable branch with 6.49.7 in October of that year, but the long-term branch received the fix only in 6.49.8, released in July 2023 after VulnCheck shared new exploits for MikroTik based on the FOISted RouterOS exploit from Margin Research.
VulnCheck’s exploit removes the need to expose the FTP interface and is unaffected by bind-shell blocking or filtering, using the RouterOS web interface to fetch files instead. By combining a ROP chain with a call to dlopen, it works across a wide range of RouterOS versions.
Shodan shows more than 474,000 devices exposing the vulnerable web interface, and around 926,000 at risk through Winbox. Because the bug is easy to exploit and the risk of real-world attacks is high, VulnCheck has chosen not to publish its proof of concept (PoC). MikroTik devices have long been a favourite target and have been recruited into powerful DDoS botnets such as the notorious Mēris botnet.
Apply the latest RouterOS update promptly. Since attack attempts are expected to rise in the near future, take these immediate steps as well: remove administrative interfaces from the Internet, restrict logins to an allow-list of source IP addresses, and disable Winbox in favour of SSH.
Atlassian Confluence
Atlassian, the software company, has recently addressed critical Remote Code Execution (RCE) vulnerabilities in its products. The vulnerabilities affect Confluence Data Center, Confluence Server, and Bamboo Data Center.
The most severe vulnerability is tracked as CVE-2023-22508, with a CVSS rating of 8.5. This flaw has been present in Confluence since version 7.4.0. The other vulnerability, identified as CVE-2023-22505, with a CVSS rating of 8.0, has been present since version 8.0.0 of Confluence. Both vulnerabilities could potentially allow attackers to execute arbitrary code, leading to the compromise of confidentiality, integrity, and availability of the affected systems. Importantly, exploitation of these vulnerabilities does not require user interaction, but the attacker must authenticate as a valid user.
Atlassian has fixed both issues in Confluence 8.3.2 and 8.4.0. Customers who cannot move to those versions should upgrade to at least Confluence 8.2.0, which includes the fix for CVE-2023-22508 (but not for CVE-2023-22505).
Furthermore, Atlassian has addressed another serious RCE vulnerability, CVE-2023-22506, affecting Bamboo Data Center. This vulnerability was present in Bamboo version 8.0.0 and has been fixed in versions 9.2.3 and 9.3.1 of the enterprise solution.
While Atlassian has not reported any known exploitation of these vulnerabilities in the wild, it is crucial for users and administrators to apply the available patches as soon as possible. Failure to address these issues could lead to a potential system takeover, resulting in severe consequences for the affected systems and data.
Apple
Apple has taken swift action to address a new 0-day vulnerability that has been exploited in Advanced Persistent Threat (APT) attacks. The vulnerability, discovered in the iOS and macOS kernel by Kaspersky Lab researchers during the Operation Triangulation investigation, poses a serious risk to iOS, iPadOS, and macOS devices.
The kernel vulnerability, identified as CVE-2023-38606, has already been actively exploited in attacks against devices running versions prior to iOS 15.7.1. Apple has released security updates for iOS, macOS, and iPadOS platforms to address this critical issue.
According to Kaspersky’s Global Research and Analysis Team (GReAT) researchers, CVE-2023-38606 was part of a zero-click exploit chain that was utilized to deploy Triangulation spyware on iPhones via iMessage exploits. A previous WebKit vulnerability, tracked as CVE-2023-37450, which had been exploited earlier, was patched in a Rapid Security Response (RSR). The attackers could leverage these vulnerabilities on unprotected devices to manipulate crucial kernel states. To mitigate these risks, Apple has improved checks and state management in its updates.
The recent security updates from Apple address at least 25 documented security bugs on iPhones and iPads, including several issues that could potentially expose mobile devices to Remote Code Execution (RCE) attacks. Among the vulnerabilities fixed is CVE-2023-32409 in tvOS 16.6 and watchOS 9.6.
Apple has also addressed security issues in the Safari browser with Safari 16.6, and has provided updates for older versions of the iPhone and iPad (iOS 15.7.8 and iPadOS 15.7.8), as well as macOS Ventura 13.5.
In total, since the beginning of the year, Apple has patched 11 0-day vulnerabilities that attackers have exploited to compromise iOS, macOS, and iPadOS devices.
Adobe ColdFusion
A series of critical vulnerabilities in ColdFusion, an Adobe product, are actively being exploited by attackers to install web shells on vulnerable servers. Rapid7 researchers have identified a wave of attacks that exploit two critical vulnerabilities, namely CVE-2023-29298 and CVE-2023-38203.
On July 11, Adobe disclosed an authentication bypass (CVE-2023-29298), found by Rapid7, and an RCE bug (CVE-2023-29300), found by CrowdStrike. The latter has a CVSS score of 9.8: it allows an unauthenticated attacker to execute arbitrary code on a vulnerable server in a low-complexity attack. At the time, it was not yet being exploited.
CVE-2023-29300 is an insecure deserialization vulnerability in the WDDX library, caused by insecure use of the Java Reflection API that lets certain methods be invoked during deserialization. Adobe could not simply remove the behaviour without breaking dependent functionality, so it introduced a denylist of Java class paths that may not be deserialized.
On July 14, Adobe released an out-of-band update for CVE-2023-38203, which Rapid7 considers a bypass of the fix for CVE-2023-29300: researchers found another gadget chain that still yields remote code execution. The update extends the denylist, blocking com.sun.rowset.JdbcRowSetImpl, the gadget used in Project Discovery’s PoC exploit.
While that issue now appears patched, Rapid7 found that the fix for CVE-2023-29298 can still be bypassed, so a further patch from Adobe is to be expected.
Adobe recommends locking down ColdFusion installations, but Project Discovery has warned that CVE-2023-29300 (and likely CVE-2023-38203) can be combined with CVE-2023-29298 to defeat lockdown mode. Exploiting the deserialization bug normally requires reaching a valid CFC endpoint, which lockdown mode blocks for unauthenticated requests; chaining it with the CVE-2023-29298 authentication bypass restores that access and yields remote code execution even on a locked-down instance.
As expected, shortly after the technical write-up appeared, Rapid7 observed attacks using CVE-2023-29298 together with an exploit similar to Project Discovery’s. Attackers use the chain to bypass authentication, install web shells on vulnerable servers and gain remote access.
There is currently no complete patch for CVE-2023-29298, but the exploit chain depends on a second vulnerability such as CVE-2023-38203, so running the latest ColdFusion release blocks the chain observed so far.
Adobe subsequently released an emergency ColdFusion update covering three further vulnerabilities, including a new zero-day exploited in the wild: CVE-2023-38204, a critical deserialization RCE; CVE-2023-38205, a critical improper access control (security feature bypass) flaw; and CVE-2023-38206, a similar improper access control issue.
CVE-2023-38204 is not known to have been exploited or publicly disclosed; Adobe has, however, observed limited attacks on ColdFusion exploiting CVE-2023-38205.
That update also completes the fix for the CVE-2023-29298 authentication bypass discussed above: Adobe has confirmed that the bypass of its earlier CVE-2023-29298 fix is tracked as CVE-2023-38205 in APSB23-47. Because it is actively exploited to take over ColdFusion servers, apply the update as soon as possible.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.