Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html
Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below
Author: Nick Bloor (@NickstaDB) / email@example.com
Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
CVE Identifier: CVE-2017-11284
Risk: Critical (unauthenticated remote code/command execution)
Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using Java Remote Method Invocation (RMI). The affected versions of ColdFusion are bundled with an outdated version of the Java runtime environment which does not properly validate RMI registry bind requests leading to a Java deserialisation vulnerability.
This issue affects the Flex integration component of Adobe ColdFusion and the outdated Java runtime environment that is bundled with the affected versions of ColdFusion. These components are exposed through a Java RMI network service that listens on TCP port 1099 by default.
Full system compromise. An unauthenticated attacker can exploit this vulnerability to reliably execute arbitrary code or operating system commands. The payload is executed under the context of the local SYSTEM account by default.
When Flex integration is enabled through the ColdFusion Administrator application, a Java RMI registry service is started which listens on TCP port 1099. The bundled Java runtime environment does not validate the type of objects submitted in a registry bind request, nor does it validate the source of the incoming bind request before deserialising the supplied object.
By default, the Adobe ColdFusion server service runs under the context of the local SYSTEM account. As a result, successful exploitation of this vulnerability gives an attacker complete control over the underlying server.
The Java runtime environment that is bundled with Adobe ColdFusion needs to be updated manually in order to protect against this vulnerability. Further information can be found at the following URLs:
Under a default installation of ColdFusion 2016 the bundled Java runtime environment can be found at the following path: C:\ColdFusion2016\jre
Note that under a default installation it is not sufficient to update the system Java runtime environment because ColdFusion uses its own bundled Java runtime environment.
Discovered: 29th June 2017
Reported: 29th June 2017
Fixed: 12th September 2017
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cybersecurity.
Written by: Nick Bloor (@NickstaDB)
Published date:  16 October 2017