__________________________________________________________

                The U.S. Department of Energy
          Computer Incident Advisory Capability
__________________________________________________________

                        INFORMATION BULLETIN

                Patch available for ColdFusion MX 7
                            [APSB06-17]

October 11, 2006 16:00 GMT                                       Number R-015
______________________________________________________________________________
PROBLEM:       A potential vulnerability in a third-party library could
               allow a malicious local user to execute arbitrary code with
               the privilege level of the local SYSTEM account.

PLATFORM:      ColdFusion MX 7
               ColdFusion MX 7.0.1
               ColdFusion MX 7.0.2

DAMAGE:        A local user could potentially run commands with the SYSTEM
               privilege level.

SOLUTION:      Apply current patches.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A local user could potentially run commands
ASSESSMENT:    with the SYSTEM privilege level.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-015.shtml
 ORIGINAL BULLETIN:  http://www.adobe.com/support/security/bulletins/apsb06-17.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3978
______________________________________________________________________________

[***** Start APSB06-17 *****]

Security bulletin

Patch available for ColdFusion MX 7 local privilege escalation

Release Date:             October 10, 2006
Vulnerability Identifier: APSB06-17
CVE Number:               CVE-2006-3978
Platform:                 All Platforms

Affected Software Versions

ColdFusion MX 7, ColdFusion MX 7.0.1, and ColdFusion MX 7.0.2

Summary

A potential vulnerability in a third-party library could allow a malicious
local user to execute arbitrary code with the privilege level of the local
SYSTEM account. A malicious user must first be able to run code locally on
the server to take advantage of the vulnerability.
Solution

Adobe recommends that ColdFusion users apply the following update using the
installation instructions below. Alternatively, instructions for disabling
the library are given below under the heading "Disabling the Verity Library".

Windows:

1. Stop all ColdFusion services.
2. Make a backup of your existing Verity directory, cfroot\verity, by copying
   cfroot\verity to cfroot\verity_backup:
   * Open a DOS window.
   * Enter xcopy /S c:\CfusionMX7\verity c:\CfusionMX7\verity_backup and
     press Return.
3. Unzip verity_security_update_windows.zip into cfroot\verity. Make sure to
   unzip using directory names: select "Use folder names" in WinZip, or the
   equivalent option in other zip utilities. Allow all existing files to be
   overwritten.
4. Restart all ColdFusion services.

Note: cfroot is C:\CFusionMX7 by default for the server configuration. In a
JRun or J2EE installation, Verity is installed into a separate directory of
your choosing; use that directory in place of cfroot.

Uninstall instructions for the patch:

1. Stop all ColdFusion services.
2. Delete cfroot\verity.
3. Rename cfroot\verity_backup to cfroot\verity.

Linux and Solaris:

1. Stop all ColdFusion services.
2. Make a backup of your existing Verity directory, cfroot/verity, by copying
   cfroot/verity to cfroot/verity_backup. For example, run
   cp -fR /opt/coldfusionmx7/verity /opt/coldfusionmx7/verity_backup
3. Copy the archive file to cfroot/verity.
4. Unzip and untar the update archive for your platform into cfroot/verity:
   verity_security_update_solaris.tar.gz
   verity_security_update_linux.tar.gz
5. Check permissions: all executable files should be mode 755 and text files
   mode 444.
6. Restart ColdFusion.

Uninstall instructions for the patch:

1. Stop all ColdFusion services.
2. Delete cfroot/verity.
3. Rename (move) cfroot/verity_backup to cfroot/verity.

Disabling the Verity Library:

ColdFusion MX 7 J2EE requires a separate installation of the Verity search
engine.
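The Linux and Solaris patch and rollback steps above, written out as POSIX shell functions so they can be run and checked rather than typed by hand. This is an added example, not Adobe's or CIAC's code. The function names, the refusal to overwrite an existing verity_backup (so a second run cannot destroy the only known-good copy), and the rule that a file counts as "executable" when its owner-execute bit is already set in the extracted archive are assumptions of the example; stopping and restarting the ColdFusion services is left to the operator, because the bulletin names no service script for them.

```shell
#!/bin/sh
# Added example, not part of APSB06-17: the Linux/Solaris update and
# rollback procedure as functions. Stop ColdFusion before verity_apply and
# restart it afterwards (assumption: the operator does this by hand).

# Step 2: copy cfroot/verity to cfroot/verity_backup. Refuses to clobber an
# existing backup (safety rule added by this example, not by the bulletin).
verity_backup() {
    cfroot=$1
    [ -d "$cfroot/verity" ] || { echo "no verity directory under $cfroot" >&2; return 1; }
    [ ! -e "$cfroot/verity_backup" ] || { echo "verity_backup already exists; refusing" >&2; return 1; }
    cp -fR "$cfroot/verity" "$cfroot/verity_backup"
}

# Steps 3-5: back up, extract the update over cfroot/verity (existing files are
# overwritten), then normalise modes: executables 755, everything else 444.
# A file is treated as executable when its owner-execute bit is set (assumption).
verity_apply() {
    cfroot=$1 archive=$2
    [ -f "$archive" ] || { echo "update archive $archive not found" >&2; return 1; }
    verity_backup "$cfroot" || return 1
    tar -xzf "$archive" -C "$cfroot/verity" || return 1
    find "$cfroot/verity" -type f -perm -100 -exec chmod 755 {} +
    find "$cfroot/verity" -type f ! -perm -100 -exec chmod 444 {} +
}

# Post-check for step 5: succeeds only if every regular file is exactly 755 or
# 444, i.e. nothing is left group- or world-writable by a sloppy extraction.
verity_perms_ok() {
    cfroot=$1
    [ -z "$(find "$cfroot/verity" -type f ! -perm 755 ! -perm 444)" ]
}

# Uninstall: delete the patched tree and move the backup back into place.
verity_rollback() {
    cfroot=$1
    [ -d "$cfroot/verity_backup" ] || { echo "no verity_backup to restore" >&2; return 1; }
    rm -rf "$cfroot/verity"
    mv "$cfroot/verity_backup" "$cfroot/verity"
}
```

Usage, between stopping and restarting ColdFusion: verity_apply /opt/coldfusionmx7 /opt/coldfusionmx7/verity/verity_security_update_linux.tar.gz, then verity_perms_ok /opt/coldfusionmx7 to confirm step 5 holds; verity_rollback /opt/coldfusionmx7 is the uninstall procedure.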
ColdFusion MX 7 J2EE users should simply not install it, or uninstall it if it
is already installed.

Windows: Open the services.msc applet and stop "ColdFusion MX 7 Search
Server". Set the service to Manual or Disabled. Users can also run
cfmx_root\verity\verity-uninstall.bat to remove the configuration.

Linux: Run cfmx_root/bin/cfmx7search stop. Remove cfmx7search from
/etc/rc.d/init.d if the server was configured to start Verity at boot. Users
can run cfmx_root/verity/verity_uninstall.sh to remove the Verity
configuration.

Solaris: Run cfmx_root/bin/cfmx7search stop. Remove any startup script for
cfmx7search if the server was configured to start Verity at boot. Users can
run cfmx_root/verity/verity_uninstall.sh to remove the Verity configuration.

Severity Rating

Adobe categorizes this as an important issue and recommends that affected
users patch their installations.

Details

Multiple input validation errors exist in a third-party service installed
with ColdFusion. By default, the service runs with the privilege level of the
local SYSTEM account. By issuing specially crafted commands within the client
software for the third-party library, a local user could potentially run
commands with the SYSTEM privilege level. This issue is not remotely
exploitable.

Acknowledgements

Adobe would like to thank Information Risk Management Plc. for reporting this
vulnerability and for working with us to help protect our customers'
security.

[***** End APSB06-17 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Adobe for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-005: xfree86 Several Vulnerabilities
R-006: Python Security Update
R-007: Vulnerability in Windows Explorer
R-008: Vulnerabilities in Microsoft PowerPoint
R-009: Vulnerabilities in Microsoft Excel
R-010: Vulnerabilities in Microsoft Word
R-011: Vulnerabilities in Microsoft XML Core Services
R-012: Vulnerabilities in Microsoft Office
R-013: Vulnerability in ASP.NET 2.0
R-014: Vulnerability in Windows Object Packager