Tuesday 5 February 2013

"Is it safe?"

Hey, I'm not going to go into too much detail, but this is in reference to the recent security hole in ColdFusion that did the rounds a few weeks back.

One thing to consider is that simply putting the patch on (CF9 + CF10), or manually tightening up security (earlier versions of CF) is not all you have to do.

As far as I know the patches only close the hole or the vector being used to compromise a server. They don't, however, protect you if you're already compromised; and there could well be no active evidence that you've been compromised, so without investigation, you won't necessarily know.

This means that you'll be all nice and patched up, but you'll still be compromised. Charlie's investigation details how the exploit could leave a file h.cfm on your system, which could then be leveraged to exploit your system further. The problem is further compounded in that once they have one compromised file on your system, you really don't know what they've done: one file could be used to upload more code to the infected system, which in turn facilitates further activity. And I doubt stuff like this will be detected by utilities like Foundeo's hackMyCF, because that looks for exploit vectors, not for what might already be exploited (they can't tell the difference between your code and exploitation code). hackMyCF will detect h.cfm, but it won't - I imagine - check for what usage of h.cfm has subsequently done to your system.

If you considered yourself at risk to the exploit the patch patched, you had better go over your filesystem and check for any unexpected files (be they h.cfm or they could be called anything else).

Unfortunately this is not just scare-mongering, I've recently been made aware of an exploited server that looks like it was exploited before being patched, and was further exploited subsequently by code that had been put in place after the original exploit, but before being patched. Now the exploited code is being leveraged to cause problems on the server.