
Cold fusion Security-How to Secure Coldfusion Server


The recent Heartbleed bug is a reminder of how important security is. Security does not depend only on your scripting language, application code and database: there are many backdoor vulnerabilities that come from the web server and may be unknown to you. This presentation focuses on how we can protect our ColdFusion applications from such vulnerabilities.

Published in: Software, Technology, Education


  1. ColdFusion Security: How to Secure your ColdFusion Server. Presenter: Shambhu Kumar, 24th April 2014
  2. Who am I?
    ● ColdFusion Developer
      – Adobe Certified Expert (9AO-127)
      – 2.5+ years of experience in ColdFusion technology
    ● Started my career with Mindfire Solutions, Bhubaneswar
    ● Started blogging
    ● Active on Twitter and LinkedIn
      – Follow me @ShamOnTwit
    ColdFusion Security: Securing ColdFusion Server
  3. Overview: Topics to be discussed
    ● Recent attacks on ColdFusion Server (CVE detail report)
    ● How a ColdFusion Server can be hacked
    ● Did Heartbleed affect ColdFusion?
    ● How to protect against most attacks (backdoor vulnerabilities)
    ● How to check whether your ColdFusion server is vulnerable
    ● ColdFusion 10 / Splendor (Beta) server security enhancements
    ● Tools to check CF vulnerabilities
    ● Where to go from here (security is a never-ending topic)
    ● Stay informed and be secure (no one provides 100% security)
  4. Common Vulnerabilities and Exposures (CVE): ColdFusion BioData
    ● Total number of attacks: 61 (as per the CVE database)
    ● 2011, 2012 and 2013 (worst years): total number of attacks: 32
    Source: CVE datasource: ColdFusion
  5. Recent attacks on ColdFusion Server: last year
    ● CVE-2013-0625 (authentication bypass vulnerability): RDS exploited
      – Permits an unauthorized user to remotely circumvent authentication control; arbitrary command execution using scheduleedit.cfm
    ● CVE-2013-0629 (unauthorized access to restricted directories)
      – Permits an unauthorized user to access restricted directories
    ● CVE-2013-0631 (administrative login bypass)
      – Permits information disclosure from a compromised server
    ● CVE-2013-0632 (administrative login bypass)
      – Permits an unauthorized user to remotely circumvent authentication control
    ● CVE-2013-3336 (credential disclosure exploit: AdminAPI exploited)
    ● Both CF9 and CF10 were vulnerable
  6. Recent attacks on ColdFusion Server
    ● My project XYZ
    ● Found on: September 2013. Actual attack: January 2013. Time span: 9 months (the attack was unknown)
    ● This attack hit the most CF servers.
  7. What actually happened in my project. Serious CF security threat: h.cfm
    ● Most probably the attack was under CVE-2013-0625/0629/0631/0632/3336.
    ● Remote file disclosure of password hashes, allowing the attacker to take control of the affected server remotely through an AdminAPI/RDS exploit.
    ● We found a malicious file named h.cfm under the CFIDE directory of our CF server.
    ● According to other customers, they found i.cfm, help.cfm and info.cfm on their servers.
    ● They traversed to adminapi and added a scheduled job which calls a scheduled task and writes the output to the h.cfm file.
    ● Probably they called h.cfm with GET requests from an unknown source and accessed DB info, including passwords etc.
    ● Let's check how it was possible.
  8. (image-only slide)
  9. Recent attacks on ColdFusion Server. Krebs on Security (security news) shows a long list of companies.
    ● Long tail of companies recently affected:
      – (paying $6,000 a year to a third-party security compliance firm)
      – Smuckers
      – SecurePay Payment Gateway
      – Carmaker Citroen
    ● Media news on 17th March 2014 (source: Guardian)
      – … n companies (source: krebsonsecurity)
    ● All attacks come under backdoor ColdFusion vulnerabilities.
    ● Exposing everything on the web server (credit card data exposed, as per the news, for some customers)
  10. CF vulnerability allowing installation of IIS malware. Serious threat: DLL injection using CVE-2013-0625
    ● Media reported: during mid-December 2013 (remote authentication bypass)
    ● CF was allowing an IIS module to install a DLL in IIS which in turn steals data.
    ● The CF vulnerability allowed creating a web shell (a web shell is a type of Remote Access Tool (RAT) or backdoor Trojan file) on the server, which in turn executes the DLL and adds that module to IIS.
    ● Web shells can be written in any language. One may contain a single line of code which uploads a file or runs batch files on your server.
    ● The injected DLL was capturing POST requests for a specific page, for example paymentProcess.cfm (the installer added this page while installing the DLL), and writing credit card info to a log file.
    ● The specially designed DLL was also undetectable by modern anti-virus.
    ● Even SSL can't stop this, as it captures the data after the SSL POST is decrypted by the server.
  11. (image-only slide)
  12. Did Heartbleed (CVE-2014-0160) affect ColdFusion?
    So, Adobe ColdFusion is not vulnerable to the Heartbleed attack (good news). ColdFusion ships a version of OpenSSL that is not vulnerable to Heartbleed.
  13. (image-only slide)
  14. "Hey, I am a developer, I am not a CF administrator / IT admin"
    ● We have to totally eradicate this concept (from a security perspective: "Hey, I am a developer; my only motto is to secure my application by writing secure code using HTMLEditFormat, cfqueryparam etc. Securing the CF server is the role of the IT admin/client").
    ● Yes, developers have a role in securing the ColdFusion server (if you missed updating security patches in time and your client's system gets hacked, the developer, the organization, everyone is responsible for it).
    ● Moreover, it is our responsibility to let our client know that we have to update patches due to recent security holes.
    ● Bring about a change and keep yourself and the client up to date. Even the code base of Adobe products gets compromised; what happens to our code base?
  15. Reason for all such attacks?
    ● Who is responsible?
      – Developer, server admin or Adobe?
      – There was an interesting podcast hosted by CFHour regarding this. Blame game!
    ● Reasons for all the attacks which we have discussed:
      – Your CF Admin was accessible publicly.
      – RDS (Remote Development Services) was enabled on the production server.
      – The RDS password was not set.
      – RDS was disabled but the RDS password was not set.
      – CFIDE directories were accessible (AdminApi and ComponentUtils are accessible).
      – You have not applied recent patches to your server (ColdFusion security hotfixes).
    ● If any of the above points matches your server, your CF server is vulnerable.
  16. How many of you know that ColdFusion provides a Lockdown Guide? What is the CF Lockdown Guide?
  17. How to lock down ColdFusion Administrator? Limiting CF Admin access to localhost / specific IPs
    ● Using IIS Request Filtering
      – Use the Allow/Deny feature to lock down all CFIDE paths
    ● Using IP Address and Domain Restrictions
      – Deny all URL sequences by default and allow localhost / specific IPs.
    ● Give login credentials (a dedicated account) to run ColdFusion Application Manager under Services.
    ● Disable RDS on the production server.
    ● If we are using tags like cfchart, cfajaxproxy, cfcalendar (and the other tags referenced in the Lockdown Guide) then we must not remove /cfide/scripts
      – Solution: create one virtual directory for scripts and give the new path under Default ScriptSrc Directory.
  18. Tighten your ColdFusion security with one more level
    ● Allow only the specific file extensions which your application uses.
      – Using this we can block malicious requests coming from outsiders.
      – Do it in IIS Request Filtering (File Name Extensions).
    ● Use web authentication for web applications or web services.
      – Go to IIS > Authentication > enable web authentication.
    ● If possible, run CF Administrator over SSL connections.
    ● Simply removing the CFIDE directory / virtual directory is not a foolproof solution.
      – CF will still serve a request for wwwroot/CFIDE, because CF looks first in the external web server (IIS/Apache) and then in the built-in web server (Tomcat/JRun). So, even if you remove CFIDE physically, the request will be served by the built-in web server if you have not locked it down.
    ● You can also keep a hash value of all your source code directories somewhere, so that if your source code gets compromised you can compare the hash values and raise an alarm.
  19. Tighten your ColdFusion security (continued)
    ● Enable Sandbox Security on your production server
      – Using Sandbox Security we can disable some tags/functions/datasources/file access, allowing only those parts which are necessary for your application.
      – Go to Security > Sandbox Security, enable Sandbox Security and specify the path of your application directory.
      – If we are not using any scheduler in our website then disable <cfschedule>; if you are not going to run any batch files, disable <cfexecute>. So decide which tags/functions are necessary and which are not, and take the proper decision.
    ● Allow only specific IPs to access ColdFusion Administrator
      – Go to Security > Allowed IP Addresses and add the list of IPs which can access CF Admin.
    ● Disable servlet mappings which are unused under web.xml.
    ● Please check the ColdFusion 9/10 Lockdown Guides for more info: enterprise/pdf/cf10-lockdown-guide.pdf
  20. ColdFusion 10 security enhancements: "To secure ColdFusion Server"
    ● Added a Secure Profile option while installing ColdFusion
      – Adds a bunch of settings like disabling RDS, disabling directory browsing, a list of IPs allowed to access CF Admin etc.
      – Check the CF 10 Secure Profile web page to know more about all the settings.
      – Installing patches in CF 9 is like climbing Mount Everest; CF10 added a tab in CF Administrator (Server Update) to see whether any updates/patches are available. You can apply them directly with one click.
      – If you think that it will solve all your security problems then you are wrong.
    ● It's optional (why is there a checkbox?)
    ● The CFIDE directory is not protected; internal components are still unsecured.
      – It is recommended to use the Secure Profile on your production server.
  21. ColdFusion Splendor security enhancements: "To secure ColdFusion Server: thumbs up"
    ● CF Splendor is currently in its beta version
      – May be released before CF Objective 2014
    ● Added a Secure Profile tab under the Security section in CF Admin
      – Now you can see the list of all Secure Profile settings and edit them as needed.
    ● Most important: CF now allows internal components like adminapi, administrator, servermanager, componentutils, wizards and main to be accessed from specific IPs only. Security > Allowed IP Addresses (Allowed IP Addresses for ColdFusion Internal Components)
    ● Scripts are still under the CFIDE directory; hopefully by the time of the final release they will be relocated somewhere else so that we can lock down the whole CFIDE directory on production servers.
  22. We understood all the vulnerabilities; time to act
    ● If your server is vulnerable, or you have not looked at your server for a year and it matches all the points, do this ASAP:
      – Go and check your CFIDE directories
      – Check for any unwanted schedulers added on the scheduled tasks page
      – Check http.log and scheduler.log
      – Check IIS for any unwanted DLLs
      – Allow CF Admin access only to MF IPs and localhost
      – Add Request Filtering to stop any CFIDE vulnerability in future
      – Use Secure Profile (CF 10) in production and keep your server patched
      – CF8/9 projects should move to a higher version (now CF 10 is stable)
    ● Check ColdFusion Server Updates and install all updates if you are on ColdFusion 10; others please visit the CF security page and apply all hotfixes.
    ● Let's take the initiative as a team. Tell your client if your server is not patched.
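The hash-baseline idea from slide 18 and the "check your CFIDE directories" step from slide 22 can be combined into one integrity check. The script below is an added example, not code from the deck or from Adobe: it records SHA-256 hashes of a web root, then reports files added, removed or modified since the baseline, and separately flags any CF template that appeared under CFIDE after the baseline (the h.cfm / i.cfm / help.cfm / info.cfm pattern the deck describes). The web root, file names and contents in `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict:
    """Return {relative posix path: sha256 hex} for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def save_baseline(root: Path, baseline_file: Path) -> None:
    # Store the baseline outside the web root (ideally on another host), so whoever
    # rewrites the source tree cannot also rewrite the reference hashes.
    baseline_file.write_text(json.dumps(hash_tree(root), indent=1))

def compare(root: Path, baseline_file: Path) -> dict:
    """Diff the live tree against the baseline; 'cfide_scripts' lists CF templates
    that appeared under CFIDE after the baseline was taken (the h.cfm pattern)."""
    old = json.loads(baseline_file.read_text())
    new = hash_tree(root)
    added = sorted(set(new) - set(old))
    return {
        "added": added,
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(f for f in set(old) & set(new) if old[f] != new[f]),
        "cfide_scripts": [f for f in added
                          if f.lower().startswith("cfide/") and f.lower().endswith((".cfm", ".cfc"))],
    }

def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then simulate the incident."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "wwwroot"
        (root / "CFIDE" / "adminapi").mkdir(parents=True)
        (root / "app").mkdir()
        (root / "app" / "index.cfm").write_text("<cfoutput>hello</cfoutput>")
        (root / "CFIDE" / "adminapi" / "base.cfc").write_text("<cfcomponent/>")
        baseline = Path(d) / "baseline.json"  # kept outside wwwroot
        save_baseline(root, baseline)
        # After the baseline: a dropped template under CFIDE and a tampered app file.
        (root / "CFIDE" / "h.cfm").write_text("<!--- constructed stand-in, no payload --->")
        (root / "app" / "index.cfm").write_text("<cfoutput>tampered</cfoutput>")
        return compare(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `save_baseline` once on a known-clean deployment and `compare` from a scheduled job; a non-empty `cfide_scripts` list is the alarm the slide asks for.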
  23. Tools available to check CF vulnerabilities
    ● HackMyCF
      – Recommended by Adobe in its CF Lockdown Guide
    ● Nessus: 40 plugins available to check
    ● FuseGuard
  24. Follow blogs / people; sign up for security bulletins
    ● Go to Adobe's security website and sign up for security alerts
      – Adobe says that they send an email when they find any security issue or during a patch release. (Not true in all cases, according to customers.)
    ● I recommend you follow the CF gurus on Twitter; they tweet important things related to CF and are very active: Adam Cameron @dacCfml, Ben Nadel @BenNadel, Raymond Camden @raymondcamden, Charlie Arehart @carehart, Rakshith Naresh @rakshithn, Brad Wood @bdw429s, David Epler @dcepler and many more.
  27. Any questions or suggestions?