Monday, March 25, 2024

Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)

Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT:  https://jeva.cc/2973.html

It's a great finding with an interesting two-step exploit process: first obtain a server UUID value from a CFAdmin API endpoint, then use that UUID to access the PMSGenericServlet module (part of the Performance Monitoring Toolset), which can be abused to read local files.

In many environments this vulnerability will require direct access to the ColdFusion Tomcat server (8500/TCP) to be exploitable, and that server typically should not be directly exposed to the Internet or untrusted networks.  The PMSGenericServlet module is accessible via the /pms URI path (as specified in /WEB-INF/web.xml).

As far as I know, /pms was never a URI pattern specified to route to ColdFusion in a default Connector configuration (uriworkermap.properties) -- which means that the external webserver will handle and resolve the request.  As a result, an attacker would need to have direct access to a vulnerable ColdFusion Tomcat instance to exploit the vulnerability.  However, if your ColdFusion server is accessible from the Internet and you're not using a Connector, you'll absolutely want to check how /pms URIs are being routed and handled.

If you're unable to patch right away, the following compensating controls may help to limit exploitability:

  • Ensure that strict access control is enforced for normalized, case-insensitive /CFIDE paths.  Running the latest ColdFusion Connector is a great way to do this, and this can also be done or supplemented with access control rules at the webserver, CDN edge, or WAF.
  • Add specific trusted IP addresses to Security → Allowed IP Addresses in CFAdmin
  • Ensure that the PMSGenericServlet is inaccessible via /pms URI paths from external and untrusted sources.
  • Consider blocking remote HTTP/HTTPS access to .cfc files.  Note that this will make all remote CFC methods inaccessible.  But given the attack surface of the ColdFusion framework code that handles remote CFC methods and the history of exploits that require access to a specific or any remote CFC method, you want to do this.
  • Identify and fix any XML eXternal Entities (XXE) and Server Side Request Forgery (SSRF) vulnerabilities in your applications that could be used to access internal resources such as the CFAdmin API and the PMSGenericServlet.
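As an added example (not code from the original post, Adobe, or the ColdFusion Connector), the check below shows why "normalized, case-insensitive" matters for the /CFIDE, /pms and .cfc rules above: it canonicalises a request path the way a webserver, CDN edge or WAF rule must before matching, and scans constructed access-log lines for requests such a rule would have refused. The block-list values and the log lines are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Paths the compensating controls restrict: the CFAdmin tree, the
# PMSGenericServlet mapping, and remote CFC access (assumed policy values).
BLOCKED_PATHS = ("/cfide", "/pms")
BLOCKED_EXTENSIONS = (".cfc",)

def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path before comparing it to the block list.

    Drop the query string, percent-decode twice (catches %252e double
    encoding), strip Tomcat-style path parameters (";..." in any segment),
    treat backslash as a separator, collapse "." / ".." / "//", lower-case.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r";[^/]*", "", path)
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()

def should_block(raw_path: str) -> bool:
    """True if the request should be refused at the webserver / WAF edge."""
    p = normalize_path(raw_path)
    for prefix in BLOCKED_PATHS:
        if p == prefix or p.startswith(prefix + "/"):
            return True
    return p.endswith(BLOCKED_EXTENSIONS)

# Constructed access-log lines (Common Log Format) used to exercise the check.
LOG_SAMPLE = """\
203.0.113.5 - - [25/Mar/2024:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 512
203.0.113.5 - - [25/Mar/2024:10:01:03 +0000] "GET /images/..%2fPMS/ HTTP/1.1" 200 2048
198.51.100.7 - - [25/Mar/2024:10:02:00 +0000] "GET /app/index.cfm?page=/cfide/ HTTP/1.1" 200 1024
198.51.100.7 - - [25/Mar/2024:10:02:05 +0000] "GET /app/Api.CFC;jsessionid=abc?method=ping HTTP/1.1" 200 64
"""
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def flag_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_path) for logged requests the rule would block.

    Handy for checking whether such requests reached the server before the
    edge rule was in place.
    """
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and should_block(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits
```

Note that only the third sample line passes: a /cfide value in the query string is not a path, so the rule correctly ignores it, while the mixed-case, dot-segment, double-encoded and path-parameter variants are all caught.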
