Vulnerability Alert

Adobe ColdFusion download.cfm Arbitrary File Retrieval Vulnerability

Threat Type: CWE-200: Information Leak / Disclosure
IntelliShield ID: 29265
Version: 3
First Published: 2013 May 08 16:42 GMT
Last Published: 2013 May 14 18:42 GMT
Port: Not available
CVE: CVE-2013-3336
BugTraq ID: 59773
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 5.0
CVSS Version 2.0
CVSS Temporal: 4.1

Version Summary:Adobe has released an additional security advisory and software updates to address the ColdFusion download.cfm arbitrary file retrieval vulnerability.
 
 
Description
A vulnerability in Adobe ColdFusion could allow an unauthenticated, remote attacker to download arbitrary files from a targeted system.

The vulnerability is due to improper handling of directory traversal characters by the download.cfm script. An attacker could exploit the vulnerability by sending crafted requests to the script, causing it to return the file named in the request to the attacker, resulting in information disclosure.

Adobe has confirmed this vulnerability and software updates are available.
 
Warning Indicators
Adobe ColdFusion versions 9 and 10 are affected.
 
IntelliShield Analysis
Exploit code that allows exploitation of the vulnerability is publicly available, and attacks using the exploit are being reported in the wild.

Successful exploitation may allow the attacker to retrieve password files that contain hashed passwords. Attackers may be able to use the password hashes to gain unauthorized access to targeted systems with administrative access.
 
Vendor Announcements
Adobe has released security advisories at the following links: APSA13-03 and APSA13-13
 
Impact
An unauthenticated, remote attacker could exploit this vulnerability to download arbitrary files from a targeted system, resulting in information disclosure. An attacker could access credential files that could allow the attacker to mount further attacks against the system.
 
Technical Information
The vulnerability is due to improper handling of directory traversal characters by the download.cfm script. The script fails to validate its path parameters, so a parameter containing directory traversal characters can reference files outside the allowed directories.

An unauthenticated, remote attacker could exploit the vulnerability by sending requests to the vulnerable script. When the request is processed, the script could return the file at the specified path to the attacker, resulting in information disclosure.
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators may consider disabling or restricting access to the affected script in the vulnerable application.

Administrators are advised to monitor affected systems.
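The following Python example is added here to illustrate both the missing check described under Technical Information and the monitoring safeguard above; it is not code from the advisory or from Adobe ColdFusion. It shows a hardened path-resolution routine that confines a requested file name to an allowed directory (the check the vulnerable script lacks), and a small access-log scanner that flags requests to a download.cfm script whose query values contain a traversal segment once fully percent-decoded. The document root, the log format and the sample log lines are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed directory the download script is allowed to serve from (not from the advisory).
ALLOWED_ROOT = "/opt/coldfusion/wwwroot/downloads"

# ".." as a whole path segment, after decoding and slash normalisation.
TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")

# Client IP, request target and status from a common/combined-format access log entry.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences (%252e) are also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_download_path(requested: str, root: str = ALLOWED_ROOT):
    """Hardened counterpart of the missing check: resolve the requested name under
    ROOT and refuse anything that normalises to a location outside it.
    Returns the absolute path, or None when the request must be rejected."""
    candidate = decode_fully(requested).replace("\\", "/").lstrip("/")
    if not candidate:
        return None
    root_norm = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_norm, candidate))
    # Containment test on the normalised path; a production check would also
    # apply os.path.realpath so symlinks cannot escape the directory.
    if not full.startswith(root_norm + "/"):
        return None
    return full


def is_traversal_request(target: str) -> bool:
    """True when the request is for download.cfm and any query value contains
    a '..' segment once fully decoded (covers %2e%2e, %252e and backslashes)."""
    parts = urlsplit(target)
    if posixpath.basename(parts.path).lower() != "download.cfm":
        return False
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        normalised = decode_fully(value).replace("\\", "/")
        if TRAVERSAL_SEGMENT.search(normalised):
            return True
    return False


def scan_access_log(text: str):
    """Return (client_ip, request_target, status) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_traversal_request(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic): one normal download, one
# traversal attempt, one unrelated request, one double-encoded attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [13/May/2013:10:01:02 +0000] "GET /downloads/download.cfm?file=report.pdf HTTP/1.1" 200 5120
203.0.113.9 - - [13/May/2013:10:01:07 +0000] "GET /downloads/download.cfm?file=..%2F..%2FPLACEHOLDER_SENSITIVE_FILE HTTP/1.1" 200 1711
198.51.100.2 - - [13/May/2013:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 812
203.0.113.9 - - [13/May/2013:10:02:11 +0000] "GET /downloads/download.cfm?file=%252e%252e%252f%252e%252e%252fPLACEHOLDER_SENSITIVE_FILE HTTP/1.1" 404 300
"""

if __name__ == "__main__":
    for ip, target, status in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target} -> HTTP {status}")
    print(resolve_download_path("report.pdf"))
    print(resolve_download_path("..%2F..%2FPLACEHOLDER_SENSITIVE_FILE"))
```

The scanner deliberately matches on the decoded query value rather than on the raw request line, so encoded and double-encoded variants are caught alongside plain ones; a hit with a 200 status is the case that warrants follow-up, since it indicates the script actually returned content.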
 
Patches/Software
Adobe users are advised to update their installations of ColdFusion using the instructions in the technote at the following link: ColdFusion Hotfix

Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID | Signature Name | Release | Latest Release Date
2214/0 | Adobe ColdFusion Arbitrary File Retrieval Vulnerability | S717 | 2013 May 13
 
Alert History
 

Version 2, May 9, 2013, 3:26 PM: Adobe has released a security advisory to address the ColdFusion download.cfm arbitrary file retrieval vulnerability.

Version 1, May 8, 2013, 4:42 PM: Adobe ColdFusion contains a vulnerability that could allow an unauthenticated, remote attacker to download arbitrary files from a targeted system. Updates are not available.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Adobe ColdFusion 9.0 Base, 9.0.1, 9.0.2 | 10.0 Base, Update 1, Update 2, Update 3, Update 4

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield