Cold fusion Security-How to Secure Coldfusion Server

ColdFusion Security :
How to Secure your ColdFusion Server
Presenter: Shambhu Kumar
24th April 2014

Who am I ?
● ColdFusion Developer
– Adobe Certified Expert (9AO-127)
– 2.5 +Years of Experience in ColdFusionTechnology.
● Started my carrer with Mindfire Solutions – Bhubaneswar
– http://www.mindfiresolutions.com/
● Started Blogging
– http://shamcf.blogspot.in/
– http://coldfusionexperts.wordpress.com/
● Active inTwitter and Linkedin
– http://www.linkedin.com/pub/shambhu-kumar/45/229/108
– Follow me @ShamOnTwit
ColdFusion Security: Securing ColdFusion Server

Overview :Topics to be discussed
● Recent Attacks on ColdFusion Server (CVE detail report)
● How ColdFusion Server can be hacked.
● Do HeartBleed attacked ColdFusion.
● How to Protect against Most Attacks (BackdoorVulnerability)
● How to check your ColdFusion server isVulnerable.
● ColdFusion 10/ Splendor(Beta) Server Security Enhancements.
● Tools to check CFVulnerability.
● Where to go from here (Security is never ending topic)
● Stay Informed and be Secure (No one provides 100% security)

CommonVulnerabilities and Exposures (CVE)
ColdFusion : BioData
● Total No of Attacks: 61 (As per CVE Database)
● 2011-12-13 (WorstYears) –Total No of Attacks: 32
Source:CVE Datasource: ColdFusion

Recent Attacks on ColdFusion Server: LastYear
● CVE-2013-0625 (Authentication BypassVulnerability): RDS exploited
– Permit an unauthorized user to remotely circumvent authentication control
Arbitrary executing command using scheduleedit.cfm
● CVE-2013-0629 (Unauthorized access to the restricted directories)
– Permit an unauthorized user access to restricted directories.
● CVE-2013-0631 (Administrative Login Bypass)
– Permit Information disclosure from a compromised server.
● CVE-2013-0632 (Administrative Login Bypass)
– Permit an unauthorized user to remotely circumvent authentication control
● CVE-2013-3336 (Credential Disclosure Exploit - AdminApi Exploited)
● Both CF9/10 was vulnerable

Recent Attacks on ColdFusion Server
● My Project XYZ
● Found on : September 2013
Actual Attack : Jan 2013
Time Span : 9 Months (Attack was Unknown)
● Attack Hits maximum no of CF Server.

What Actually was Happen in my Project
Serious CF SecurityThreat : h.cfm
● Most probably attack was under (CVE-2013/0625-29-31-32/3336).
● Remote File Disclosure of Password Hashes, allowing the attacker to take
control of the affected server remotely through an adminAPI/RDS exploit.
● We have found malicious file name h.cfm under CFIDE directory of our CF
Server.
● According to other customers they have found i.cfm, help.cfm, info.cfm in
their Servers.
● They have traversed to adminapi and added a scheduled job which calls a
schedule task and write the output in h.cfm file.
● Probably they have called h.cfm with GET requests from unknown source
and access DB info, including passwords etc.
● Let's Check how It was possible

Recent Attacks on ColdFusion Server
Krebsonsecurity(Security News) shows Long List of Companies.
● LongTail of Companies recently affected :
– Elightbulbs.com (Paying $6,000 a year to third-party security compliance firm )
– Kichlerlightinglights.com
– Smuckers
– SecurePay Payment Gateway
– Carmaker Citroen
● Media news on 17th
March 2104 : Source - Guardian)
– … n Companies
Source krebsonsecurity
● All attacks comes under Backdoor ColdFusionVulnerabilities attacked.
● Exposing everything onWeb Sever (CC exposed as per news for some
customers)

CFVulnerability allowing to Install IIS Malware
SeriousThreat : DLL Injection using CVE-2013-0625
● Media reported: During Mid of Dec 2013 (Remote Authentication ByPass)
● CF was allowing IIS module to Install DLLin IIS which in result steals data.
● CF vulnerability allowing to create a Web Shell (AWeb shell is a type of
Remote AccessTool (RAT) or backdoorTrojan file) in server which in turns
execute DLL and adds that module in IIS.
● Web Shells can be written in any language. It may contain a single line of
code which upload some file or run some batch files on your server.
● Injected DLL was capturing the post request for specific page example
paymentProcess.cfm (Installer added this page during installing DLL) and
writing CC info in some log file.
● Specifically design DLL was also undetectable by modern Anti-Virus.
● Even SSL can't stop this. As it captures data after SSL
post is decrypted by the server.

Do HeartBleed(CVE-2014-0160) attacked ColdFusion ?
So, Adobe ColdFusion is not Vulnerable to HeartBleed attack (Good News)
ColdFusion does ship a version of OpenSSL that is not vulnerable to the Heartbleed

Hey I am developer -
I am not CF Administrator/IT Admin
● We have to totally eradicate this concept (Security Perspective - Hey I am a
developer I only have a motto to secure my application with writing secure
code using HTMLEditFormat,querparam etc. Securing CF server is a role of
IT admin/client ).
● Yes, Developers have a role in Securing ColdFusion Server (If you missed to
update security patches in time and your client system gets hacked-
developer, organization everyone is responsible for it. )
● Moreover Its our responsibility to let our client know that we have to
update patches due to recent security holes.
● Bring us a change and keep yourself and the client UpTo Date. Even the
code base of Adobe Products gets compromised what happens to our code
base.

Reason of All such attacks ?
● Who is responsible ?
– Developer or ServerAdmin orAdobe ?
– There was an Interesting Podcast hosted by CFHour regarding this. Blame Game!
● Reason of all attacks which we have discussed
– Your CF Admin was accessible Publicly .
– RDS(Remote Development Services) was enabled in Production Server.
– RDS Password was not set.
– RDS was disabled but RDS password was not set.
– CFIDE Directories was accessible ( AdminApi, ComponentUtils are accessible).
– You have not applied recent patches on your Server (ColdFusion Security HotFixes).
● If any of the above points matched with your server, your CF Server is
Vulnerable.

How Many of you know ColdFusion
provides Lockdown Guide ?
What is CF Lockdown Guide ?

How to Lock Down ColdFusion Administrator ?
Limiting CF Admin access to Localhost/specific IP
● Using IIS request Filtering
– Using Access/Deny feature to Lock down all CFIDE paths
● Using IP Address & Domain restrictions
– Deny all URL sequence by default and allow localhost/ specific IP.
● Give Login Credentials to run ColdFusion Application Manager under
services.
● Disable RDS from Production server.
● If we are using any tags like cfchart,cfajaxproxy,cfcalender + (another tags
referenced in Lock down guide) then we must not removed /cfide/scripts
– Solution: create oneVD for scripts and give new path under Default ScriptSrc Directory

Tight your ColdFusion security with one more Level
● Allow only specific File extensions which your application uses.
– Using this we can block malicious request coming from outsiders.
– Do it In IIS Request Filtering (File Name Extensions)
● UseWeb Authentication forWebApplication orWebservices.
– Go to IIS > Authentication > EnableWeb Authentication.
● If possible Run CF administrator with SSL connections.
● Simply removing CFIDE directory /VD is not a full proof solution
– Because It will serve a request from wwwrootcfide because CF looks first in external
web server(IIS/Apache) then in built in webserver(Tomcat/Jrun). So, even if you remove
CFIDE physically it will load request from built in web server If you have not locked it.
● You can also keep a hash value of all your source code directories some
where. So that if your source code also get compromise you can compare
hash value and alarm a message.

Tight your ColdFusion security - Continued
● Enable SandBox Security in your Production Server
– Using Sandbox Security we can disable some tags/function/datasource/file access.
Allowing only those part which are necessary for your application.
– Go to Security > Sandbox Security, Enable Sandbox Security and specify path of your
application directory.
– If we are not using any Scheduler in our website then disable <cfSchedule>, if you are
not going to run any batch files disable <cfExecute>. So, decide which tags/functions
are necessary and which not and take proper decision.
● Allow only Specific IPs to access ColdFusion Administrator
– Go to Security > Allowed IP Addresses and add list of IPs which can access CF admin.
● Disable Servlet Mappings which are unused under web.xml.
● Please check ColdFusion 9/10 Lock down guides for more Info.
https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-
enterprise/pdf/cf10-lockdown-guide.pdf

ColdFusion 10 Security Enhancements
“To Secure ColdFusion Sever”
● Added Secure Profile Option while Installing ColdFusion
– Added a bunch of settings like disabling RDS, Directory browsing, list of IPs to be
allowed to access CF admin etc.
– Check CF 10 Secure web page to know more about all settings
http://www.adobe.com/go/cf_secureprofile
– To install patches in CF 9 is like climbing Mount Everest, CF10 added tab in CF
administrator (Server Update) to see any update/patches available.
You can directly update those with one click.
– If you think that It will solve all your Security Problems then you are wrong.
● Its optional (Why there is a checkbox ? )
● CFIDE directory is not protected, Internal Components are still unsecured.
– Its recommended to use secure Profile in you Production server.

ColdFusion Splendor Security Enhancements
“To Secure ColdFusion Sever:Thumbs Up”
● CF Splendor currently in its beta version
– May be releasing before CF Objective 2014
● Added Secure Profile tab under Security section in CF Admin
– Now you can see list of all security Profile settings and edit as per need.
● Most Important - Now CF allow Internal Components like adminApi,
administrator, servermanager,componentutils,wizards and main to access
with specific IP only.
Security > Allowed IP Addresses (Allowed IP Addresses for ColdFusion
Internal Components)
● Still scripts are under cfide directory, hope by time of Final release they will
relocate it to some other places so that we can lockdown all cfide directory
in Production server.

We understood allVulnerability,Time to act -
● If you are Server is vulnerable or you have not looked at your Server for a
year and matching all the Points. Do this ASAP
– Go and check your CFIDE directories
– Check any unwanted schedulers added in schedule page
– Check http.log and scheduler.log
– Check IIS for any unwanted DLLs.
– Allow CF admin access to MF IP and localhost
– Add Request Filtering to stop any CFIDE vulnerability in future.
– Use Secure Profile(CF 10) in Production and keep your server Patched.
– CF8/9 Projects should move to higher version (Now CF 10 is stable).
● Check ColdFusion server Updates and Install all updates if you are in
ColdFusion 10, others please visit CF security page and apply all hot fixes.
● Let's take Initiative as aTeam.
Tell to your client if your server is not patched .

Tools available to check CFVurnebalities
● HackMyCf :
– https://foundeo.com/hack-my-cf/
– Recommended by Adobe in it CF Lockdown Guide
● Nessus : 40 Plugins avaibale to check.
– http://www.tenable.com/products/nessus
● FuseGuard

Follow Blog / Peoples – SignUp Security Bulletins
● Go to security website of Adobe and signup for security alerts
– Adobe says that they use to send an an email when they found any security Issues or
during patch release. (Not true in all cases as per the customers)
– www.adobe.com/cfusion/entitlement/index.cfm?e=szalert
● I recommend you to follow CF Gurus inTwitter, they tweet Impt things
related to CF and very active
Adam Cameron @dacCfml
Ben Nadel @BenNadel
Raymond Camden @raymondcamden
Charlie Arehart @carehart
Rakshith Naresh@rakshithn
BradWood @bdw429s
David Epler@dcepler & Many more here https://twitter.com/coldfusion

References -1
● http://www.cvedetails.com/product/8739/Adobe-Coldfusion.html?
vendor_id=53
● http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_t
hreat
● http://cfmlblog.adamcameron.me
● http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
● http://www.theguardian.com/technology/2014/mar/17/citroen-adobe-
coldfusion-hacked-backdoor
● http://www.coldfusionmuse.com/index.cfm/2014/3/6/IIS.Vulnerability.CF.Ta
sk.Scheduler.API
● http://boncode.blogspot.in/2013/01/cf-scheduled-task-security-
venerability.html
● https://wikidocs.adobe.com/wiki/display/coldfusionen/

References -2
● http://www.pcworld.com/article/2080721/attackers-exploited-coldfusion-
vulnerability-to-install-microsoft-iis-malware.html
● http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/c
f10/cf10-lockdown-guide.pdf
● http://www.codersrevolution.com/blog/adobe-product-security-incident-
response-team-on-coldfusion-and-heartbleed
● Thanks for Image Source:
– Heartbleed Image : codersrevolution.com
– Lock/key Image :problemsolutions24
– CF Fail Image : krebonsecurity.com
– Embarrassment pic of Boy : childline.com
– Game Over Man: OWASAP Slides
– MF Logo: mindfiresolutions.com

Any Questions or Suggestions ?

Cold fusion Security-How to Secure Coldfusion Server

More Related Content

What's hot

Viewers also liked

Similar to Cold fusion Security-How to Secure Coldfusion Server

More from Mindfire Solutions

Recently uploaded

Cold fusion Security-How to Secure Coldfusion Server