
17 Mar 2014
Krebs On Security ColdFusion Story

Krebs on Security has posted a story with the link-bait title of The Long Tail of ColdFusion Fail. The title is misleading; the story is not about ColdFusion fails at all, but about IT failing to keep servers up to date against security holes for which patches had already been released. Wrong title aside, though, the message is one worth repeating.

Comments (7)

  • Adam Cameron

    That's a bit disingenuous too, Ben. I agree that this would not have been an issue had the admins patched their server, but you can't absolve Adobe and ColdFusion completely, as there was only the need to patch the server due to security shortcomings in ColdFusion. Let's not forget that.

    --
    Adam

  • Shawn

    I agree with Adam. Both are at fault. Adobe hasn't had a version with hassle-free updates from the updater yet either. These guys were probably on an early version of 10 and had to go through that manual routine on the updater. Hopefully 11 won't need a manual patch to get the updater working.

    #2 Posted by Shawn | Mar 18, 2014, 09:24 AM
  • Dave

    @Adam Yes, there was an issue with ColdFusion on this. However, if the admin that set up the server had followed the lockdown guide, they would have been protected. Also, these people got hacked well after the patch to fix CF was released.

    So, ultimately I blame the admins for not following best practices and setting up the necessary elements to protect themselves. It is security in depth. Take the necessary steps to secure each layer. Never assume that the layer above or below is secure. I always find it interesting that, when a breach happens, everyone is quick to blame someone else to hide their own failings.

    #3 Posted by Dave | Mar 18, 2014, 10:16 AM
  • Adam Cameron

    @Dave: absolutely. I wonder if you actually read my comment before replying to it?

    I didn't suggest the admins were faultless, what I *did* contest is Ben's assertion that "the story is not about ColdFusion fails ***at all***" (my ***emphasis***). Which is disingenuous & misrepresentative of the situation.

    The damage was *caused* by the security hole in ColdFusion, not by the lapse in correct administration practices on the part of the engineers. That lapse merely allowed the exploit to be utilised.

    I am in no way excusing the admins concerned, but there'd be no issue at all here had there not been the problem in ColdFusion to start with.

    No reasonable person could completely absolve Adobe or ColdFusion here.

    --
    Adam

  • Shawn

    Well, bugs and occasional vulnerabilities are to be expected, but the magnitude of a couple of vulnerabilities has surprised me. When I build apps, I do so very defensively, always trying to ask "if someone wanted to hack this, what creative ways would they try to do it?" To have a log output to a cfm file which could be run under a default config is a failure on product development's part to see the bigger picture. Same with the web services bug turning public CFCs into remote ones. Those two in particular had me quite surprised such a thing could happen. They were obvious exploit possibilities to me, which means someone either rushed through it, didn't care, or was just unaware of the product environment as a whole.

    I agree there are some subpar CF admins out there. There are also some lazy ones that cringe at manual updates and will assume out-of-the-box CF won't have any devastating holes, but that is just the nature of the field; other languages have the same issues. The bigger point is how Adobe handles that.

    - the updater is good, but it's not flawless. Earlier versions require a manual update. If you download the current version and try update 12, it bugs out. By playing around with it you see applying update 7 fixes it, but there aren't any official docs on that fix, just some public chatter and an assumption that you as an admin will toy with it and eventually figure it out. Why does the download only update as far as update 6? If update 13 is available, the download on the website should reflect that, not be 7 updates behind. These should be addressed.

    - if the lockdown guide is an installation requirement, then why isn't it part of the install, with a link off to a live version as well?

    Adobe needs to keep in mind that in larger enterprise cloud environments some IT guy is provisioning the resources, and there is a high chance he's not a CF pro, as CF's penetration isn't as high as other free platforms. He's just a network/server admin. The security essentials need to be more in your face and should be a no-brainer to apply for these scenarios. I can't count the number of provisions others have done where they tell me you're ready to go, and I come back with "no, we aren't" and a long list of fixes to secure the environment.

    #5 Posted by Shawn | Mar 18, 2014, 12:37 PM
  • Ben Forta

    I don't agree, guys. In an ideal world no software would ever need patching for security fixes. In the real world, however, everything from your desktop and device OSs to desktop software to virtual machines to games ... everything is getting patched all the time. If ColdFusion had holes that were not patched, then yes, I'd be the first to fault Adobe and CF for subsequent breaches. But when holes are patched, and later (sometimes years later) servers are attacked using holes that admins failed to apply patches for, then no, I blame the admins completely. Sorry, that's exactly what IT admins are supposed to be doing, administering IT infrastructure, and that includes CF servers. If the article could claim that sites were hacked because CF had unpatched holes, I'd have been OK with the title. But as it was discussing failures on the part of IT admins, well, then I stand by my original assertion.

    --- Ben

    #6 Posted by Ben Forta | Mar 18, 2014, 01:47 PM
  • Shawn

    I agree with you that the title was a bit "scorched earth" for the product and a bit unfair. I also don't think we are implying CF can never have bugs. As far as 100% blame on the admins, I wouldn't go that far. I don't think Adobe's update/alert process is there yet. I'd say the majority is on the server admin.

    When it comes to vulnerability alerts, I think Adobe should maintain an e-mail list of CF admins so that within minutes they can push out an e-mail to all admins, who can then protect themselves immediately. Even if there isn't 100% resolution yet, at least if we know the cause we can explore shutting off features until there is. I know that's a double-edged sword, as communicating that well could increase copycat attacks, but taking a page from your argument, it's an admin's job to protect the server, so I'd rather that info be passed along too fast than not fast enough. Upon install, Adobe could prompt for an optional admin e-mail field for vulnerability updates. Sure, you have everyone's purchase info, but many times that is a billing e-mail.

    #7 Posted by Shawn | Mar 18, 2014, 08:50 PM