Name of Data Breach/Vulnerability: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs

TAI SOC Advisory Number/ID: TAISOC/1/02/02/2021

Date Issued: 2nd February, 2021

Overview:

Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.

Description:

The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
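
An added example, not part of the original advisory or of Adobe's tooling: a Python check that parses `icacls` output for the installation directory and flags allow ACEs that let unprivileged groups create files there. The sample ACLs, the list of unprivileged groups and the function name are constructed assumptions.

```python
import re

# Assumption: groups that any unprivileged local user is a member of.
UNPRIVILEGED = {"everyone", "builtin\\users", "nt authority\\authenticated users",
                "nt authority\\interactive"}
# icacls flag tokens (inheritance / deny); any other token is a rights list.
FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}
# Rights that allow adding a file: full, modify, write, add-file, generic write/all.
CREATE_RIGHTS = {"F", "M", "W", "WD", "GW", "GA"}
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([A-Z,]+\))+)$")

def writable_aces(icacls_output, path):
    """Return (principal, rights, scope) for allow ACEs that let unprivileged
    groups create files. Deny ACEs are skipped, not evaluated against allows."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is "<path> <ACE>"
        m = ACE.match(line)
        if not m:
            continue                          # blank line or status line
        tokens = re.findall(r"\(([A-Z,]+)\)", m["groups"])
        flags = {t for t in tokens if t in FLAGS}
        rights = {r for t in tokens if t not in FLAGS for r in t.split(",")}
        if m["who"].lower() not in UNPRIVILEGED or "DENY" in flags:
            continue
        hit = sorted(rights & CREATE_RIGHTS)
        if hit:
            # (IO) = inherit-only: applies to children, not the directory itself
            scope = "children only" if "IO" in flags else "this directory"
            findings.append((m["who"], hit, scope))
    return findings

# Constructed sample: a directory that inherited the default ACL of the C:\ root.
WEAK = r"""C:\ColdFusion2021 BUILTIN\Administrators:(I)(OI)(CI)(F)
                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                  BUILTIN\Users:(I)(OI)(CI)(RX)
                  NT AUTHORITY\Authenticated Users:(I)(M)
                  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files"""
# Constructed sample: the same directory restricted to administrators and SYSTEM.
LOCKED = r"""C:\ColdFusion2021 BUILTIN\Administrators:(OI)(CI)(F)
                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)"""

if __name__ == "__main__":
    for name, acl in (("weak", WEAK), ("locked", LOCKED)):
        print(name, writable_aces(acl, r"C:\ColdFusion2021"))
```

An empty result means no listed unprivileged group holds a file-creation right in the parsed ACL; it does not compute effective access for individual accounts.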

Impact:

By placing a specially-crafted DLL file in the ColdFusion installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable ColdFusion software installed. See DLL Search Order Hijacking for more details.

Solution:

Use the Server Auto-Lockdown Installer

By default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to installing ColdFusion itself.

Mitigation steps will vary based on the version of ColdFusion being used:

Acknowledgment:

This vulnerability was reported by Will Dormann of the Carnegie Mellon University CERT/CC.

Other Information:

CVE IDs: CVE-2020-10145

NOTE: We have not received information from the vendor