Note: This blog post is from 2013. Some content, links and indeed comments from others may be outdated--though not necessarily. Corrections are welcome, in the comments. I may revise the content if necessary.Hey folks, there's a fairly serious security threat out in the wild, and you may want to check if your server's been hit. (It may be old news to some, but for now it's hitting people in the past week or so.) It's been confirmed to have hit at least CF9 (9.01 and 9.0.2) servers, but it seems it would apply to as well to CF10 or down to CF 7, as it leverages the Admin API.
And note that it's NOT one that you're protected against by having applied CF security hotfixes. (Updated Jan 15 2013, as Adobe now has a hotfix for this. More below.)
There's quite a bit for you to consider regarding this recent threat, as I discuss here.
Two updates since first writing this entry:
- First, I have now struck out that last sentence and changed the title, as Adobe has come out with a fix for the problem today. See my entry, Part 3: Adobe hotfix released for "Serious security threat for #ColdFusion servers. But if you are coming to this entry for the first time, you will want to read the rest of this, and part 2, before going to part 3 (or if you go there just to get the hotfix applied first, do come back for more, as there's still plenty to consider beyond just the one problem and the one fix).
- Second, as I wrote here the night after I'd first posted this entry, I've had a lot more info to share and so created another entry, Part 2. Among the new information shared there are such things as how the hack worked (not too much detail, though), how to determine what the exploit may have exposed, how to handle resolving things for many sites via scripting, how to lock down the /adminapi and /administrator directories, and most important, why you should not skip all this just because "we already block all access to the CFIDE/adminapi" (and /administrator)". There may be exposure you're not considering. As one more update (on Jan 15) since posting this originally, the technote from Adobe indicates that we should also block unfettered public access to the CFIDE/componentutils directory, used for the component browser.
A Quick Overview
There's quite a bit that you should (and will want to) understand about the hack, which you can learn more in a thread on the Adobe CF Admin forum, where a poster first pointed it out on Friday, and I found that I too had been hit.
See the specific thread for more details, including a fairly substantial reply I offered (which he's marked as "the answer"), where I explain more I'd found about it, including how how it got there, how to confirm how it got there for you, how to rectify things, how one might already be protected against it, etc.
The upshot is that a file is put on your server which gives a hacker pretty much unfettered access to a lot of things including reading/downloading/uploading/renaming and creating files, accessing datasource information, and more. The file to look for is called h.cfm and is placed in the CFIDE directory (at least in the current rendition of the hack, which may very likely change when the hacker learns that it's being publicized.) See the forum thread for more on what specifically to look for.
Fortunately for some, the degree to which the hacker would have access to things may be limited by how careful you've been in other protections, such as explained in the various lockdown guides for CF (here for CF10, CF9, and CF8).
I also explain how, despite my own efforts to protect the AdminAPI folder through which the exploit happened, I still fell victim. Perhaps it could happen to others. And it will certainly likely happen to those who have not implemented any protection against that folder (whether blocking access to it by IP address, requiring additional authentication, or otherwise). More in the forum thread.
Why am I posting here, now?
I was torn whether to blog my answer to that forum reply when the thread was created, or write a reply there in the forum. I chose the latter, and pointed it out to Adobe and some other CF experts, waiting to see any reply, especially if perhaps it was "old news", as I didn't want to alarm people here if it was not. From some replies I've gotten (some not public), it does seem others have been hit.
Also, as I note there, it's always dicey publicizing discovery/resolution of a security breach, as it can open the door to copycats. I tried in the forum thread to avoid giving any info to open new exploits. I also waited a couple of days to see if any specific other response might be posted from Adobe or others. You'll see in the thread that Adobe has offered to investigate further. So with that, I wanted to now spread the word here, and in twitter (do share the word with others).
I suppose comments ought to be offered there on the forum, since Adobe and others (seeing that thread) will be looking there and not here. Still, I realize some may not have an Adobe forum account, or may simply prefer to respond here rather than there. I'll let you decide. I just wanted to get the news out in case anyone else may be hit.
That said, I do realize that some may prefer not to publicly acknowledge that they got hit by this, but if you want to offer an anonymous comment here to say if you did and/or if the info shared helped, feel free. I think it would help some to see that they are not alone in this.