The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two critical security flaws exploited in attacks, one of them as a zero-day.
According to the binding operational directive (BOD 22-01) issued by CISA in November 2021, Federal Civilian Executive Branch Agencies (FCEB) are required to patch their systems against all bugs added to the Known Exploited Vulnerabilities (KEV) catalog.
With the latest update, all U.S. FCEB agencies have been instructed to address the two bugs (CVE-2023-29298 and CVE-2023-38205) by August 10th.
While the primary focus of the catalog is on federal agencies, private companies are strongly advised to also prioritize and promptly address the two vulnerabilities.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
ColdFusion confusion
Adobe addressed CVE-2023-29298 access control bypass and CVE-2023-29300 pre-auth RCE vulnerabilities on July 11th—the company also mistakenly alerted customers that CVE-2023-29300 was being exploited and later retracted the warning.
Two days later, Rapid7 said it observed attackers chaining exploits for the CVE-2023-29298 and what looked like the CVE-2023-29300/CVE-2023-38203 flaws to deploy web shells on vulnerable ColdFusion servers to gain initial access to the backdoored devices.
On Monday, July 17th, Rapid7 found a bypass for the CVE-2023-29298 patch (now tracked as CVE-2023-38205) already exploited in attacks.
“Rapid7 researchers determined on Monday, July 17 that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14),” said Rapid7.
Adobe released emergency security updates to address the new actively exploited CVE-2023-38205 zero-day on July 19th, warning customers that it was being abused in the wild “in limited attacks targeting Adobe ColdFusion.”
CISA issued a second order this week asking federal agencies to secure Citrix servers vulnerable against the CVE-2023-3519 remote code execution (RCE) bug by August 9th.
As Shadowserver Foundation security researchers revealed, at least 11,170 Citrix Netscaler appliances exposed online are likely vulnerable to attacks leveraging the flaw.
