Remediation for CVE-2024-20767 and CVE-2024-21216: Protect Yourself Against Two Recent Critical Bugs Exploitable in the Wild

November 18, 2024

CVE-2024-20767 – ColdFusion Path Traversal Can Lead to Reading Important Data

CVE-2024-20767 is a vulnerability in ColdFusion versions 2023.6, 2021.12, and earlier. These versions are affected by an improper access control vulnerability that could allow arbitrary file system reads. An attacker could exploit this vulnerability to bypass security measures, gain unauthorized access to sensitive files, and perform arbitrary file system writes. Exploiting this issue does not require user interaction. The vulnerability has a high CVSS score, making it a significant risk to assets that are vulnerable to this bug.

According to the Fofa search engine, there are over 145,000 publicly exposed applications worldwide running ColdFusion.

Some of them leave the admin panel accessible, and they can be exploited through the bug above, because its root cause lies in an admin functionality endpoint.

Attackers can easily use any public exploit, such as the one in the following example.

Go to the Security section, enable Allowed IP Addresses, and add only the local IPs that are permitted to use the admin panel. This limits who can reach the admin functionality and prevents leaking the UUID, which is critical for privilege handling in ColdFusion's security flow.

As we can see, after applying the change the target can no longer be exploited, because of the access restriction.

CVE-2024-21216 – WebLogic Unauthenticated RCE

CVE-2024-21216 is a vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected include 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 and IIOP to compromise Oracle WebLogic Server. Successful exploitation can result in a takeover of the Oracle WebLogic Server. The CVSS base score is 9.8, which is critical.

A PoC has not been published yet, but to avoid a WebLogic server takeover we start from what is exposed: as shown in the picture below, the Nmap scan returns the WebLogic version.

To control network connections, we use weblogic.security.net.ConnectionFilterImpl to filter access to T3.

Applying the network rules below, adjusted to the environment, restricts public connections from reaching the T3 protocol, so the server cannot be attacked over it.

127.0.0.1 * * allow t3 t3s           # Allow T3/T3s access from localhost
<local_IP> * * allow t3 t3s          # Allow T3/T3s access from the local IP
<allowed_IP> * * allow t3 t3s        # Allow T3/T3s access from a specific trusted IP
* * * deny t3 t3s                    # Deny all other T3/T3s access
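As an added example (not part of the original post and not Oracle's code), the following Python script parses rules written in this ConnectionFilterImpl format and evaluates which remote addresses can reach T3/T3s, so a rule set can be checked before it is deployed. It assumes first-match-wins evaluation with a default allow when no rule matches, that an empty protocol list matches every protocol, and uses constructed placeholder IPs for the local and trusted hosts.

```python
import ipaddress

# Constructed sample rule set, following the post, with placeholder local/trusted IPs.
RULES = """
127.0.0.1 * * allow t3 t3s           # Allow T3/T3s access from localhost
10.0.0.5 * * allow t3 t3s            # local IP (constructed placeholder)
203.0.113.10 * * allow t3 t3s        # trusted IP (constructed placeholder)
* * * deny t3 t3s                    # Deny all other T3/T3s access
"""

def parse_rules(text):
    """Parse lines of the form: target local_addr local_port action [protocols...]"""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments and blank lines
        if not line:
            continue
        target, local_addr, local_port, action, *protos = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in rule: {raw!r}")
        rules.append((target, local_addr, local_port, action, protos))
    return rules

def _addr_matches(pattern, addr):
    """'*' matches anything; 'a.b.c.d/mask' is a network (CIDR or dotted mask); else exact IP."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)

def decide(rules, remote_ip, local_ip, local_port, protocol):
    """First matching rule wins. Assumption: with no match the filter allows the connection,
    which is why the trailing '* * * deny t3 t3s' rule is what closes T3 to the public."""
    for target, local_addr, port, action, protos in rules:
        if (_addr_matches(target, remote_ip) and _addr_matches(local_addr, local_ip)
                and port in ("*", str(local_port)) and (not protos or protocol in protos)):
            return action
    return "allow"

def protocols_without_catch_all_deny(rules, protocols=("t3", "t3s")):
    """Report protocols that no '* * * deny' rule covers, i.e. that fall through to default allow."""
    return [p for p in protocols if not any(
        r[0] == r[1] == r[2] == "*" and r[3] == "deny" and (not r[4] or p in r[4])
        for r in rules)]
```

Run it against the rule file you intend to deploy (adjusting the placeholder IPs) and confirm that an arbitrary public address is denied for both t3 and t3s.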

To disable IIOP, go to Servers, then AdminServer(admin), then Configuration.

Then go to Protocols, select IIOP, and disable the protocol by unchecking Enable IIOP.

Then save and restart WebLogic by running ./StopWeblogic.sh and starting it again with ./StartWeblogic.sh.

Running the Nmap scan again now shows a handshake failure, due to the restriction on the T3 protocol.

Recommendation

It is always recommended to apply the official patch. However, in large environments it may not be feasible to do so immediately. In this blog post, we aim to manually limit the risk of these vulnerabilities without patching the application. Keep in mind that these mitigations may restrict access and disable certain functionality within the application.

References

https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html
https://docs.oracle.com/middleware/11119/wls/WLAPI/weblogic/security/net/ConnectionFilterImpl.html
