CVE-2020-10145 - Adobe ColdFusion
Name of Data Breach/Vulnerability: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs
TAI SOC Advisory Number/ID: TAISOC/1/02/02/2021
Date Issued: 2nd February, 2021
Overview:
Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
Description:
The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
Impact:
By placing a specially-crafted DLL file in the ColdFusion installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable ColdFusion software installed. See DLL Search Order Hijacking for more details.
Solution:
Use the Server Auto-Lockdown Installer. By default, ColdFusion does not configure itself securely. To secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to ColdFusion itself.
Mitigation steps will vary based on the version of ColdFusion being used:
- ColdFusion 2016: Apply the changes outlined in the ColdFusion 2016 Lockdown Guide.
- ColdFusion 2018: Run the ColdFusion 2018 Auto-Lockdown installer and ensure that it completes without error.
- ColdFusion 2021: Run the ColdFusion 2021 Auto-Lockdown installer and ensure that it completes without error.
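To confirm whether a host still carries the weak ACL described above (before and after running the lockdown installer), the following PowerShell check is added here as an example; it is not part of this advisory or of Adobe's tooling. It assumes the default install path C:\ColdFusion2021 and English-locale principal names, and it flags any Allow ACE on the install tree that grants create, write, or modify rights to low-privilege principals.

```powershell
# Added example: flag ACEs on the ColdFusion install tree that let
# unprivileged principals create or modify files (the condition
# behind CVE-2020-10145). Assumed default path; adjust per host.
param([string]$InstallDir = 'C:\ColdFusion2021')

# Principals that represent unprivileged users on a typical Windows host
# (English-locale names; assumption, adjust for localized systems).
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights allows dropping or altering a file in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-WeakInstallAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # -band works on the underlying integer value of the enum.
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $InstallDir)) {
    Write-Warning "Directory not found: $InstallDir"
    return
}

# Check the root and every subdirectory, since a DLL anywhere in the
# tree that the service loads from is enough for the described impact.
$dirs = @(Get-Item -LiteralPath $InstallDir) +
        @(Get-ChildItem -LiteralPath $InstallDir -Directory -Recurse -ErrorAction SilentlyContinue)
$weak = foreach ($d in $dirs) { Test-WeakInstallAcl -Path $d.FullName }

if ($weak) {
    Write-Output "WEAK ACL: low-privilege principals can write under $InstallDir"
    $weak | Format-Table -AutoSize
} else {
    Write-Output "OK: no write access for low-privilege principals under $InstallDir"
}
```

Run it from an elevated PowerShell session so Get-Acl can read every subdirectory; a clean result after the lockdown installer is the expected state.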
Acknowledgment:
This vulnerability was reported by Will Dormann of the Carnegie Mellon University CERT/CC.
References:
- https://helpx.adobe.com/coldfusion/user-guide.html/coldfusion/using/server-lockdown.ug.html
- https://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf
- https://www.adobe.com/support/coldfusion/downloads.html#cf2018ldg
- https://www.adobe.com/support/coldfusion/downloads.html#cf2021ldg
Other Information:
CVE IDs: CVE-2020-10145
NOTE: We have not received information from the vendor.