Tuesday 18 March 2014

It is Adobe's fault, OK?

OK, so it's just reached the news media that a Citroën website was exploited via an unpatched ColdFusion security hole (The Guardian: "Citroen becomes the latest victim of Adobe ColdFusion hackers").

It's - as yet - unclear when this happened: the wording in the Guardian is vague, so it could have happened last week, or it could have happened last year. Or it could have had the exploit mechanism "installed" last year but only utilised recently (this is my own interpretation of the article), or only discovered recently. I have reached out to the Guardian for clarification of this, and will update this article if they respond.

But these are definite facts:
  • the server was exploited via poor security in ColdFusion;
  • the server did not have a patch applied that would have mitigated the issue;
  • the server was not appropriately locked down for a production server, irrespective of patch level.
So the admins of this server were negligent. I am not contesting that. I am also not saying they were purposely negligent, but that doesn't matter: they had not done their jobs properly.

But this does not absolve Adobe from two things:
  1. the default install process leaves a large security vector exposed to the world, in that it exposes /CFIDE to the public by default;
  2. the exploiters used that vector and a generally poor approach to security and password management in ColdFusion Administrator to breach ColdFusion servers.
Bugs happen. And shit happens. And I class #2 in that bracket. And Adobe got the patch sorted out reasonably quickly once they discovered it. But it still happened.

#1 is inexcusable, and has been known to be a vector for exploitation for years. Only in ColdFusion 10 did Adobe first give a nod to this, by optionally allowing the person doing the installation to use a "secure profile" when installing CF, which includes the ability - from the outset - to prevent public access to files in /CFIDE. As of ColdFusion 11, the default installation route is still to expose /CFIDE.
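For anyone who has an existing install with /CFIDE still exposed, this is the sort of lock-down that closes the vector at the web server regardless of patch level. It is an added example, not something from Adobe or from the original post; it assumes the CF instance is fronted by Apache httpd 2.4 and that administrators come from an internal 10.0.0.0/8 range (change that to suit).

```apache
# Assumed deployment: Apache httpd 2.4 in front of ColdFusion.
# Everything under /CFIDE (Administrator, adminapi, etc.) is denied to the
# public and only reachable from the assumed internal admin network.
<Location "/CFIDE">
    Require ip 10.0.0.0/8
</Location>

# Caveat: the JavaScript/CSS that <cfform> and CF's AJAX tags serve lives
# under /CFIDE/scripts. If the application uses those tags, this more
# specific block re-opens just that subfolder; otherwise delete it and
# keep the whole directory closed.
<Location "/CFIDE/scripts">
    Require all granted
</Location>

# Check after reloading: a request for /CFIDE/administrator/ from outside
# 10.0.0.0/8 should now return 403 instead of the login page.
```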

I make a point of saying this because as soon as this Citroën news came out, Adobe apologists started floundering around the place saying it's not ColdFusion's fault, but entirely the fault of the administrators who didn't keep their servers patched.

Yes, the administrators need to shoulder responsibility here. But this in no way completely absolves Adobe for getting them into this situation in the first place. They'd not have anything to patch if ColdFusion didn't have the issue in the first place.

As a follow-up to this situation, I have asked Rakshith what steps Adobe took to ensure their client-base was aware of this security hole, and I await feedback on that, which I will share. I don't think it's unreasonable with a security issue like this that Adobe should have been proactive in making sure ColdFusion was patched wherever possible. Each of these news stories hurts both Adobe's and ColdFusion's credibility, after all.