ColdFusion and USAHERDS web-application Vulnerabilities
ColdFusion is an application server. ColdFusion is also a web programming language that allows a web application to communicate with various back-end systems. Using ColdFusion, you can create dynamic web pages that offer user input, database lookups, time of day, or any other criteria you require.
ColdFusion is used by the US Social Security Administration, the Food and Drug Administration, The Kennedy Center, the State Department, and Fortune 100 websites.
ColdFusion Builder reached end-of-life, effective Oct 1, 2024.
Vulnerability:
- A critical security flaw in ColdFusion that could be exploited to cause an arbitrary file system read.
Recommendation:
- The vulnerability has been addressed in ColdFusion 2023 Update 12. It is recommended to apply the patches to mitigate potential risks.
USAHERDS, USALIMS, USAPlants, USAFoodSafety, and USAMeals are web applications developed by Acclaim Systems to assist U.S. government agencies in tracking and managing animal health and controlling disease outbreaks. They are part of the AgraGuard product suite, which supports agriculture and food safety operations.
Vulnerability:
- The applications use hardcoded credentials, namely static Validation Key and Decryption Key values, allowing attackers to execute malicious code on the USAHERDS, USALIMS, USAPlants, USAFoodSafety, and USAMeals web applications. With these keys, one can construct a malicious ViewState that passes the MAC check and is deserialized by the server; this deserialization can result in code execution on the server. The MAC check only protects the application while the keys stay secret, so a key that ships fixed in the product's configuration gives no protection at all.
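The defensive check that follows is an added example for this page; it is not code from the original post, from Adobe, or from Acclaim Systems. It assumes the affected applications are ASP.NET web applications whose ViewState keys live in the standard `<machineKey>` element of web.config, and the config files and key values below are constructed samples, not the product's real keys. It flags static keys, a disabled ViewState MAC and legacy validation algorithms, and fingerprints the key so several deployments can be compared for key reuse without copying the key itself.

```python
"""Audit ASP.NET web.config files for hard-coded ViewState keys.

Added example (not from the page or the vendor). Assumption: keys are stored in
<system.web><machineKey validationKey=".." decryptionKey=".."/> as in standard
ASP.NET. All config text and key values below are constructed samples.
"""
import hashlib
import xml.etree.ElementTree as ET

# Legacy ViewState validation algorithms; modern ASP.NET uses HMACSHA256 or better.
WEAK_VALIDATION = {"md5", "sha1"}

# Constructed sample: keys fixed in the config (the pattern the page describes).
CONFIG_STATIC = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0"
                decryptionKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Constructed sample: keys generated per machine, strong validation algorithm.
CONFIG_AUTOGEN = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def _first(root, tag):
    """Return the first element with the given tag anywhere in the tree, or None."""
    return next(root.iter(tag), None)


def _is_static(value):
    """A key is static unless it is absent or begins with 'AutoGenerate'."""
    return value is not None and not value.strip().lower().startswith("autogenerate")


def audit_machine_key(xml_text):
    """Return a list of finding strings for one web.config; empty means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    mk = _first(root, "machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            if _is_static(mk.get(attr)):
                findings.append(f"static {attr}: anyone holding the config can forge ViewState")
        if mk.get("validation", "").lower() in WEAK_VALIDATION:
            findings.append(f"legacy validation algorithm {mk.get('validation')}")
    pages = _first(root, "pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without any MAC")
    return findings


def key_fingerprint(xml_text):
    """Short SHA-256 fingerprint of a static validationKey, or None if auto-generated.

    Comparing fingerprints across deployments reveals shared keys without ever
    copying the key material into a report.
    """
    mk = _first(ET.fromstring(xml_text), "machineKey")
    if mk is None or not _is_static(mk.get("validationKey")):
        return None
    return hashlib.sha256(mk.get("validationKey").strip().encode()).hexdigest()[:16]


def shared_keys(configs):
    """Map fingerprint -> sorted app names for every key used by more than one app."""
    groups = {}
    for app, xml_text in configs.items():
        fp = key_fingerprint(xml_text)
        if fp is not None:
            groups.setdefault(fp, []).append(app)
    return {fp: sorted(apps) for fp, apps in groups.items() if len(apps) > 1}


if __name__ == "__main__":
    for name, cfg in {"static": CONFIG_STATIC, "autogen": CONFIG_AUTOGEN}.items():
        print(name, audit_machine_key(cfg) or ["no findings"])
    # Two installs shipped with the same config share a key; the third does not.
    print(shared_keys({"app_a": CONFIG_STATIC, "app_b": CONFIG_STATIC, "app_c": CONFIG_AUTOGEN}))
```

Run it against each deployment's web.config and treat any non-empty finding list as a remediation item; the mitigation for a static key is to generate a fresh, unique key per environment (or use AutoGenerate where the application does not need to share keys across a farm) and rotate any key that has been published.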
Note:
More than 125,000 ColdFusion servers are deployed; ColdFusion is one of the most widely adopted web technologies, and a total of 643,663 websites across the globe use ColdFusion.