ColdFusion Security : How to Secure your ColdFusion Server Presenter: Shambhu Kumar 24th April 2014

Cold fusion Security-How to Secure Coldfusion Server

Sep 03, 2014


The recent Heartbleed bug is a reminder of how important security is. Security does not depend only on your scripting language, application code and database: there are many backdoor vulnerabilities that can come from the web server and remain unknown to you. This presentation focuses on how we can protect our ColdFusion applications from such vulnerabilities.
Transcript
Page 1: Cold fusion Security-How to Secure Coldfusion Server

ColdFusion Security : How to Secure your ColdFusion Server

Presenter: Shambhu Kumar, 24th April 2014

Page 2: Cold fusion Security-How to Secure Coldfusion Server

Who am I ?

● ColdFusion Developer

– Adobe Certified Expert (9A0-127)

– 2.5+ years of experience in ColdFusion technology.

● Started my career with Mindfire Solutions – Bhubaneswar

– http://www.mindfiresolutions.com/

● Started blogging

– http://shamcf.blogspot.in/

– http://coldfusionexperts.wordpress.com/

● Active on Twitter and LinkedIn

– http://www.linkedin.com/pub/shambhu-kumar/45/229/108

– Follow me @ShamOnTwit

ColdFusion Security: Securing ColdFusion Server

Page 3: Cold fusion Security-How to Secure Coldfusion Server

Overview : Topics to be discussed

● Recent attacks on ColdFusion Server (CVE detail report).

● How a ColdFusion server can be hacked.

● Did Heartbleed affect ColdFusion?

● How to protect against most attacks (backdoor vulnerabilities).

● How to check whether your ColdFusion server is vulnerable.

● ColdFusion 10 / Splendor (beta) server security enhancements.

● Tools to check CF vulnerabilities.

● Where to go from here (security is a never-ending topic).

● Stay informed and be secure (no one provides 100% security).

Page 4: Cold fusion Security-How to Secure Coldfusion Server

Common Vulnerabilities and Exposures (CVE) ColdFusion : BioData

● Total number of CVE entries: 61 (as per the CVE database)

● Worst years, 2011 to 2013: 32 entries

Source: CVE Details, Adobe ColdFusion

Page 5: Cold fusion Security-How to Secure Coldfusion Server

Recent Attacks on ColdFusion Server: Last Year

● CVE-2013-0625 (Authentication Bypass Vulnerability): RDS exploited

– Permits an unauthorized user to remotely circumvent authentication controls.

– Arbitrary code execution via scheduleedit.cfm (the attacker creates a scheduled task whose output is saved as a .cfm file).

● CVE-2013-0629 (Directory Traversal: unauthorized access to restricted directories)

– Permits an unauthorized user access to restricted directories.

● CVE-2013-0631 (Information Disclosure)

– Permits information disclosure from a compromised server.

● CVE-2013-0632 (Administrative Login Bypass)

– Permits an unauthorized user to remotely circumvent authentication controls.

● CVE-2013-3336 (Credential Disclosure Exploit: AdminAPI exploited)

– Permits an unauthorized user to remotely retrieve files stored on the server, including the password hashes of CF Administrator and RDS.

● Both CF 9 and CF 10 were vulnerable.

Page 6: Cold fusion Security-How to Secure Coldfusion Server

Recent Attacks on ColdFusion Server

● My Project XYZ

– Found on: September 2013

– Actual attack: January 2013

– Time span: 9 months (the attack went unnoticed the whole time)

● This attack hit a very large number of CF servers.

Page 7: Cold fusion Security-How to Secure Coldfusion Server

What actually happened in my project: Serious CF Security Threat : h.cfm

● Most probably the attack used one of CVE-2013-0625 / -0629 / -0631 / -0632 or CVE-2013-3336.

● Remote file disclosure of password hashes, allowing the attacker to take control of the affected server remotely through an AdminAPI/RDS exploit.

● We found a malicious file named h.cfm under the CFIDE directory of our CF server.

● According to other customers, they found i.cfm, help.cfm and info.cfm on their servers.

● The attackers traversed to the AdminAPI and added a scheduled task that fetched a remote URL and wrote its output into the h.cfm file.

● They then most probably called h.cfm with GET requests from unknown sources and used it to access DB information, including passwords.

● Let's check how it was possible.

Page 8: Cold fusion Security-How to Secure Coldfusion Server (image-only slide, no transcript text)

Page 9: Cold fusion Security-How to Secure Coldfusion Server

Recent Attacks on ColdFusion Server: Krebs on Security (security news) shows a long list of companies.

● Long tail of companies recently affected:

– Elightbulbs.com (paying $6,000 a year to a third-party security compliance firm)

– Kichlerlightinglights.com

– Smuckers

– SecurePay Payment Gateway

– Carmaker Citroen

● Media news on 17th March 2014 (source: Guardian)

– … n companies

Source: krebsonsecurity

● All of these attacks exploited ColdFusion backdoor vulnerabilities.

● Everything on the web server was exposed (credit card data exposed for some customers, as per the news).

Page 10: Cold fusion Security-How to Secure Coldfusion Server

CF Vulnerability allowing to Install IIS Malware: Serious Threat : DLL Injection using CVE-2013-0625

● Media reported it in mid December 2013 (remote authentication bypass).

● The CF vulnerability allowed attackers to install a DLL as an IIS module, which in turn steals data.

● The CF vulnerability allowed a web shell (a web shell is a type of Remote Access Tool (RAT) or backdoor Trojan file) to be created on the server; the web shell in turn executes the DLL and adds that module to IIS.

● Web shells can be written in any language. A web shell may contain a single line of code which uploads some file or runs some batch file on your server.

● The injected DLL captured the POST requests for a specific page, for example paymentProcess.cfm (the installer added this page while installing the DLL), and wrote the credit card information to a log file.

● The purpose-built DLL was also undetected by modern anti-virus.

● Even SSL cannot stop this, because the module captures the data after the server has already decrypted the SSL POST.

Page 11: Cold fusion Security-How to Secure Coldfusion Server (image-only slide, no transcript text)

Page 12: Cold fusion Security-How to Secure Coldfusion Server

Did Heartbleed (CVE-2014-0160) affect ColdFusion ?

So, Adobe ColdFusion is not vulnerable to the Heartbleed attack (good news).

ColdFusion does ship a version of OpenSSL, but it is not a version vulnerable to Heartbleed.

Note that this statement covers ColdFusion itself. A front-end web server (for example Apache with mod_ssl) that terminates TLS with its own OpenSSL library must be checked and patched separately; Heartbleed affects OpenSSL 1.0.1 through 1.0.1f.

Page 13: Cold fusion Security-How to Secure Coldfusion Server (image-only slide, no transcript text)

Page 14: Cold fusion Security-How to Secure Coldfusion Server

Hey, I am a developer - I am not a CF Administrator / IT Admin

● We have to totally eradicate this mindset (from a security perspective: "Hey, I am a developer, my only job is to secure my application by writing secure code using HTMLEditFormat, cfqueryparam etc. Securing the CF server is the role of the IT admin / client").

● Yes, developers have a role in securing the ColdFusion server (if you missed applying security patches in time and your client's system gets hacked, the developer, the organization, everyone is responsible for it).

● Moreover, it is our responsibility to let our client know that we have to apply patches because of recent security holes.

● Bring about a change and keep yourself and the client up to date. Even the code base of Adobe products gets compromised; what happens to our code base?

Page 15: Cold fusion Security-How to Secure Coldfusion Server

Reason of All such attacks ?

● Who is responsible?

– Developer or server admin or Adobe?

– There was an interesting podcast hosted by CFHour regarding this. Blame game!

● Reason for all the attacks we have discussed:

– Your CF Administrator was accessible publicly.

– RDS (Remote Development Services) was enabled on the production server.

– The RDS password was not set.

– RDS was disabled but the RDS password was not set.

– CFIDE directories were accessible (AdminAPI, ComponentUtils are accessible).

– You have not applied recent patches to your server (ColdFusion security hotfixes).

● If any of the above points matches your server, your CF server is vulnerable.

Page 16: Cold fusion Security-How to Secure Coldfusion Server

How many of you know that Adobe provides a ColdFusion Lockdown Guide?

What is the CF Lockdown Guide ?

Page 17: Cold fusion Security-How to Secure Coldfusion Server

How to Lock Down ColdFusion Administrator ? Limiting CF Admin access to localhost / specific IPs

● Using IIS Request Filtering

– Use the allow/deny URL sequence rules to lock down all CFIDE paths.

● Using IP Address & Domain Restrictions

– Deny all by default and allow only localhost / specific IPs.

● Run the ColdFusion Application Server service with dedicated login credentials (a dedicated, least-privilege account set under Services > Log On) instead of the default system account.

● Disable RDS on the production server.

● If we are using tags like cfchart, cfajaxproxy, cfcalendar (and the other tags referenced in the Lockdown Guide), then /CFIDE/scripts must not be removed or blocked.

– Solution: create a separate virtual directory for the scripts and set the new path in CF Administrator under Default ScriptSrc Directory.
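As an added example (not part of the presentation), the following Python script verifies a lockdown like the one above from the outside: it requests the CFIDE entry points named on these slides and reports any that still answer. The path list, the treatment of 401/403/404 as "blocked", and the placeholder hostname are assumptions for this example. Run it from a machine that is not in the allowed IP list; from localhost the Administrator is meant to answer.

```python
"""Added example (not from the presentation): check from outside whether the
ColdFusion entry points these slides say to lock down are still reachable."""
import sys
import urllib.error
import urllib.request

# Entry points that must not be reachable from the public internet.
# (/CFIDE/main/ide.cfm is the RDS endpoint; the rest are CF Administrator parts.)
SENSITIVE_PATHS = [
    "/CFIDE/administrator/",
    "/CFIDE/administrator/scheduler/scheduleedit.cfm",
    "/CFIDE/adminapi/",
    "/CFIDE/componentutils/",
    "/CFIDE/main/ide.cfm",
]

# Assumption: these statuses mean the web server refused or hid the path.
# Anything else (200 login page, 500 CF error page) means the request reached CF.
BLOCKED_STATUSES = {401, 403, 404}


def http_status(url, timeout=10):
    """GET url and return its HTTP status, or None if the host is unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "cfide-lockdown-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status code
        return err.code
    except urllib.error.URLError:           # DNS failure, refused connection, timeout
        return None


def classify(status):
    """Translate a status code into a verdict for the report."""
    if status is None:
        return "unreachable"
    return "blocked" if status in BLOCKED_STATUSES else "EXPOSED"


def check_lockdown(base_url, fetch=http_status):
    """Return {path: (status, verdict)}; `fetch` is injectable so the logic can be
    exercised offline against a fake server."""
    base = base_url.rstrip("/")
    results = {}
    for path in SENSITIVE_PATHS:
        status = fetch(base + path)
        results[path] = (status, classify(status))
    return results


def exposed_paths(results):
    """Paths that answered with something other than a block: fix these first."""
    return sorted(path for path, (_, verdict) in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    # Usage: python cfide_check.py https://www.example.test   (hostname is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    report = check_lockdown(target)
    for path, (status, verdict) in report.items():
        print(f"{str(status):>4}  {verdict:11}  {path}")
    sys.exit(1 if exposed_paths(report) else 0)
```

A 200 means the external web server forwarded the request to ColdFusion, so an IIS rule is missing; a 500 is just as bad, because the request still reached CF. Note that the RDS check only proves the endpoint is reachable, not whether RDS is enabled, so confirm that separately in CF Administrator.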

Page 18: Cold fusion Security-How to Secure Coldfusion Server

Tighten your ColdFusion security with one more level

● Allow only the specific file extensions which your application uses.

– Using this we can block malicious requests coming from outsiders.

– Do it in IIS Request Filtering (File Name Extensions).

● Use web authentication for the web application or web services.

– Go to IIS > Authentication and enable the authentication method you need (for example Windows or Basic Authentication).

● If possible, run CF Administrator over SSL connections.

● Simply removing the CFIDE directory / virtual directory is not a foolproof solution.

– Because the request can still be served from the built-in web server's \wwwroot\CFIDE: if the file is not found in the external web server (IIS/Apache) site, the connector falls back to the built-in web server (Tomcat/JRun). So even if you remove CFIDE physically from the site, the request is served from the built-in web server if you have not locked it down.

● You can also keep a hash value of all your source code directories somewhere (off the server). Then if your source code gets compromised, you can compare the hash values and raise an alarm.
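The hash-baseline idea in the last bullet, as an added Python example that is not part of the presentation: it records a SHA-256 digest of every file under the web root, stores the baseline as JSON, and later reports files that were added, modified or removed. The demo tree (index.cfm, CFIDE/h.cfm) and the baseline file name are constructed for the example. Keep the baseline off the server: an attacker who can write h.cfm can also rewrite a baseline stored next to it.

```python
"""Added example (not from the presentation): SHA-256 baseline of a source
tree, used to catch dropped or altered files such as CFIDE/h.cfm."""
import hashlib
import json
import os
import sys
import tempfile


def hash_tree(root):
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def save_baseline(root, baseline_file):
    """Write the baseline as JSON; store this copy off the web server."""
    with open(baseline_file, "w") as fh:
        json.dump(hash_tree(root), fh, indent=1, sort_keys=True)


def load_baseline(baseline_file):
    with open(baseline_file) as fh:
        return json.load(fh)


def diff_tree(baseline, current):
    """Compare two digest maps. Added files are the web-shell signal; modified
    files are the 'paymentProcess.cfm was replaced' signal."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def check(root, baseline_file):
    """Re-hash root and report drift against the stored baseline."""
    return diff_tree(load_baseline(baseline_file), hash_tree(root))


def demo():
    """Constructed scenario: baseline a tiny web root, then 'drop' CFIDE/h.cfm and
    tamper with index.cfm. Returns (clean report, report after compromise)."""
    webroot = tempfile.mkdtemp(prefix="wwwroot-")
    os.makedirs(os.path.join(webroot, "CFIDE"))
    with open(os.path.join(webroot, "index.cfm"), "w") as fh:
        fh.write("<cfoutput>hello</cfoutput>\n")
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "baseline.json")
    save_baseline(webroot, baseline_file)
    clean = check(webroot, baseline_file)
    # Simulated compromise: a new file under CFIDE plus a changed page.
    with open(os.path.join(webroot, "CFIDE", "h.cfm"), "w") as fh:
        fh.write("<!--- attacker-written web shell placeholder --->\n")
    with open(os.path.join(webroot, "index.cfm"), "a") as fh:
        fh.write("<!--- tampered --->\n")
    return clean, check(webroot, baseline_file)


if __name__ == "__main__":
    # Usage: python cf_baseline.py baseline <webroot> <baseline.json>
    #        python cf_baseline.py check    <webroot> <baseline.json>
    if len(sys.argv) == 4 and sys.argv[1] in ("baseline", "check"):
        root, baseline_file = sys.argv[2], sys.argv[3]
        if sys.argv[1] == "baseline":
            save_baseline(root, baseline_file)
        else:
            print(json.dumps(check(root, baseline_file), indent=1))
    else:
        before, after = demo()
        print("clean run:", before)
        print("after compromise:", after)
```

Exclude directories your application writes to at runtime (upload folders, generated caches) or the report will be all noise; everything else under the web root and under CFIDE should be static between deployments, so any "added" entry there deserves a look.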

Page 19: Cold fusion Security-How to Secure Coldfusion Server

Tighten your ColdFusion security - Continued

● Enable Sandbox Security on your production server

– Using Sandbox Security we can disable some tags / functions / datasources / file access, allowing only those parts which are necessary for your application.

– Go to Security > Sandbox Security, enable Sandbox Security and specify the path of your application directory.

– If we are not using any scheduler in our website then disable <cfschedule>; if you are not going to run any batch files, disable <cfexecute>. So decide which tags / functions are necessary and which are not, and take the proper decision.

● Allow only specific IPs to access ColdFusion Administrator

– Go to Security > Allowed IP Addresses and add the list of IPs which can access CF Admin.

● Disable the servlet mappings which are unused in web.xml.

● Please check the ColdFusion 9/10 Lockdown Guides for more info: https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf

Page 20: Cold fusion Security-How to Secure Coldfusion Server

ColdFusion 10 Security Enhancements "To Secure ColdFusion Server"

● Added a Secure Profile option while installing ColdFusion

– It applies a bunch of settings such as disabling RDS, disabling directory browsing, a list of IPs allowed to access CF Admin etc.

– Check the CF 10 Secure Profile web page to know more about all the settings: http://www.adobe.com/go/cf_secureprofile

– Installing patches in CF 9 is like climbing Mount Everest; CF 10 added a tab in CF Administrator (Server Update) to see any updates / patches available. You can install them directly with one click.

– If you think that it will solve all your security problems, you are wrong.

● It is optional (why is there a checkbox?)

● The CFIDE directory is not protected; the internal components are still unsecured.

– It is recommended to use the Secure Profile on your production server.

Page 21: Cold fusion Security-How to Secure Coldfusion Server

ColdFusion Splendor Security Enhancements "To Secure ColdFusion Server: Thumbs Up"

● CF Splendor is currently in its beta version

– It may be released before CF Objective 2014.

● Added a Secure Profile tab under the Security section in CF Admin

– Now you can see the list of all Secure Profile settings and edit them as needed.

● Most important: now CF allows the internal components (adminapi, administrator, servermanager, componentutils, wizards and main) to be accessed from specific IPs only: Security > Allowed IP Addresses (Allowed IP Addresses for ColdFusion Internal Components).

● The scripts are still under the CFIDE directory; hopefully by the time of the final release they will relocate them elsewhere so that we can lock down the whole CFIDE directory on production servers.

Page 22: Cold fusion Security-How to Secure Coldfusion Server

We understood all the vulnerabilities, time to act

● If your server is vulnerable, or you have not looked at your server for a year and it matches all the points above, do this ASAP:

– Go and check your CFIDE directories for unknown files.

– Check for any unwanted scheduled tasks added on the Scheduled Tasks page.

– Check http.log and scheduler.log.

– Check IIS for any unwanted DLLs (modules).

– Allow CF Admin access only from the Mindfire (MF) IP and localhost.

– Add Request Filtering to stop any CFIDE vulnerability in future.

– Use the Secure Profile (CF 10) in production and keep your server patched.

– CF 8/9 projects should move to a higher version (CF 10 is now stable).

● Check ColdFusion Server Updates and install all updates if you are on ColdFusion 10; others, please visit the CF security page and apply all hotfixes.

● Let's take the initiative as a team. Tell your client if your server is not patched.
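For the log checks in the list above, here is an added Python example (not from the presentation) that reads a ColdFusion log in its standard CSV layout ("Severity","ThreadID","Date","Time","Application","Message") and flags scheduler entries that name a task outside your known list, fetch a URL from a host you do not trust, or write output under CFIDE, which is exactly the pattern of the h.cfm attack. The sample log lines, the task name h, the address 203.0.113.45 and the message wording are constructed; ColdFusion's real message text differs by version, so adapt the regular expressions to your own log.

```python
"""Added example (not from the presentation): triage a ColdFusion scheduler.log
for scheduled tasks that look attacker-created."""
import csv
import io
import re
import sys
from urllib.parse import urlparse

# Constructed sample in ColdFusion's CSV log layout. The task name "h", the
# address 203.0.113.45 and the message wording are made up for this example.
SAMPLE_SCHEDULER_LOG = (
    '"Severity","ThreadID","Date","Time","Application","Message"\n'
    '"Information","scheduler-1","01/14/13","02:00:01",,"Task nightly_report triggered. URL: http://localhost/reports/nightly.cfm"\n'
    '"Information","scheduler-1","01/14/13","02:00:09",,"Task nightly_report completed."\n'
    '"Information","scheduler-2","01/15/13","03:12:45",,"Task h triggered. URL: http://203.0.113.45/h.txt Output: C:\\inetpub\\wwwroot\\CFIDE\\h.cfm"\n'
    '"Information","scheduler-2","01/15/13","03:12:46",,"Task h completed."\n'
)

COLUMNS = ("severity", "thread", "date", "time", "application", "message")
KNOWN_TASKS = {"nightly_report"}            # assumption: your legitimate task names
TRUSTED_HOSTS = {"localhost", "127.0.0.1"}  # assumption: hosts your tasks may fetch
URL_RE = re.compile(r"https?://[^\s\"']+")
TASK_RE = re.compile(r"\bTask (\S+)")
CFIDE_RE = re.compile(r"[\\/]CFIDE[\\/]", re.IGNORECASE)


def parse_cf_log(text):
    """Parse CF's quoted-CSV log format into dicts, skipping the header row."""
    rows = csv.reader(io.StringIO(text))
    return [dict(zip(COLUMNS, row)) for row in rows
            if len(row) == len(COLUMNS) and row[0] != "Severity"]


def triage(entries, known_tasks=KNOWN_TASKS, trusted_hosts=TRUSTED_HOSTS):
    """Return (date, time, task, reasons) for every entry worth a human look."""
    findings = []
    for entry in entries:
        msg = entry["message"]
        reasons = []
        task = TASK_RE.search(msg)
        name = task.group(1) if task else None
        if name and name not in known_tasks:
            reasons.append(f"unknown task {name!r}")
        for url in URL_RE.findall(msg):
            host = urlparse(url).hostname
            if host not in trusted_hosts:
                reasons.append(f"fetches untrusted host {host}")
        if CFIDE_RE.search(msg):
            reasons.append("output written under CFIDE")
        if reasons:
            findings.append((entry["date"], entry["time"], name, reasons))
    return findings


def triage_file(path):
    """Run the triage over a real scheduler.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(parse_cf_log(fh.read()))


if __name__ == "__main__":
    # Usage: python triage_scheduler_log.py <path to scheduler.log>; no argument runs the sample.
    if len(sys.argv) > 1:
        findings = triage_file(sys.argv[1])
    else:
        findings = triage(parse_cf_log(SAMPLE_SCHEDULER_LOG))
    for date, time, task, reasons in findings:
        print(f"{date} {time}  task={task}  " + "; ".join(reasons))
```

The log only shows tasks that actually fired, so pair this with the Scheduled Tasks page in CF Administrator to catch tasks that were created but not yet run; the same parser works for the other CF logs, which share the CSV layout.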

Page 23: Cold fusion Security-How to Secure Coldfusion Server

Tools available to check CF vulnerabilities

● HackMyCF:

– https://foundeo.com/hack-my-cf/

– Recommended by Adobe in its CF Lockdown Guide

● Nessus: 40 plugins available to check.

– http://www.tenable.com/products/nessus

● FuseGuard

Page 24: Cold fusion Security-How to Secure Coldfusion Server

Follow Blogs / People – Sign up for Security Bulletins

● Go to Adobe's security website and sign up for security alerts

– Adobe says they send an email whenever they find a security issue or release a patch. (Not true in all cases, as per customers.)

– www.adobe.com/cfusion/entitlement/index.cfm?e=szalert

● I recommend you follow the CF gurus on Twitter; they tweet important things related to CF and are very active: Adam Cameron @dacCfml, Ben Nadel @BenNadel, Raymond Camden @raymondcamden, Charlie Arehart @carehart, Rakshith Naresh @rakshithn, Brad Wood @bdw429s, David Epler @dcepler, and many more here: https://twitter.com/coldfusion

Page 25: Cold fusion Security-How to Secure Coldfusion Server

References - 1

● http://www.cvedetails.com/product/8739/Adobe-Coldfusion.html?vendor_id=53

● http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat

● http://cfmlblog.adamcameron.me

● http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/

● http://www.theguardian.com/technology/2014/mar/17/citroen-adobe-coldfusion-hacked-backdoor

● http://www.coldfusionmuse.com/index.cfm/2014/3/6/IIS.Vulnerability.CF.Task.Scheduler.API

● http://boncode.blogspot.in/2013/01/cf-scheduled-task-security-venerability.html

● https://wikidocs.adobe.com/wiki/display/coldfusionen/

Page 26: Cold fusion Security-How to Secure Coldfusion Server

References - 2

● http://www.pcworld.com/article/2080721/attackers-exploited-coldfusion-vulnerability-to-install-microsoft-iis-malware.html

● http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf

● http://www.codersrevolution.com/blog/adobe-product-security-incident-response-team-on-coldfusion-and-heartbleed

● Thanks for the image sources:

– Heartbleed image: codersrevolution.com

– Lock/key image: problemsolutions24

– CF Fail image: krebsonsecurity.com

– Embarrassment pic of boy: childline.com

– Game Over Man: OWASP slides

– MF logo: mindfiresolutions.com

Page 27: Cold fusion Security-How to Secure Coldfusion Server

Any Questions or Suggestions ?
