Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications. Some versions of SecureSphere WAF are affected by a vulnerability that could allow an attacker to bypass WAF rules that inspect POST data and subsequently exploit flaws in protected web applications that would otherwise be blocked.
Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT: https://jeva.cc/2973.html
It's a great finding with an interesting two-step exploit process that combines obtaining a server UUID value from a CFAdmin API endpoint and then using that UUID to access a PMSGenericServlet module (part of the Performance Monitoring Toolset) that can be abused to read local files.
Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions. It's worth a read to understand what an attacker could do after compromising a Lucee Admin interface to execute arbitrary code and maintain persistence. Admin interfaces gonna admin -- especially in the case of unauthorized admin access -- and monitoring for any changes in extensions, scheduled jobs, and other sensitive configuration settings is an important detection strategy. This is also a good reminder why you want very strict access control for Lucee Admin, or may want to consider disabling it altogether.
Next Tuesday is Adobe Patch Tuesday. Will there be new ColdFusion security updates? I have no idea. But even if there are no new patches released, and your ColdFusion servers already have the latest updates installed, you may still be missing an important step in keeping them secure.
I recently saw a ColdFusion question about verifyClient and remote CFC functions. I already have strong opinions about why you don't want to use remote CFC functions, but I was unfamiliar with verifyClient. That led me to take a look at how it works and I thought it was interesting enough to write about.
Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS). Their blog post is a must-read, and I'm not going to rehash their steps from research to discovery to exploitation. Instead, I'm going to look at these vulnerabilities through a defensive lens.