-
Notifications
You must be signed in to change notification settings - Fork 391
/
Copy pathadobe_coldfusion_access_control_bypass.yml
78 lines (78 loc) · 3.71 KB
/
adobe_coldfusion_access_control_bypass.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
name: Adobe ColdFusion Access Control Bypass
id: d6821c0b-fcdc-4c95-a77f-e10752fae41a
version: 4
date: '2024-11-15'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
- Suricata
description: The following analytic detects potential exploitation attempts against
Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. It monitors
requests to specific ColdFusion Administrator endpoints, especially those with an
unexpected additional forward slash, using the Web datamodel. This activity is significant
for a SOC as it indicates attempts to bypass access controls, which can lead to
unauthorized access to ColdFusion administration endpoints. If confirmed malicious,
this could result in data theft, brute force attacks, or further exploitation of
other vulnerabilities, posing a serious security risk to the environment.
search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web
where Web.url IN ("//restplay*", "//CFIDE/restplay*", "//CFIDE/administrator*",
"//CFIDE/adminapi*", "//CFIDE/main*", "//CFIDE/componentutils*", "//CFIDE/wizards*",
"//CFIDE/servermanager*","/restplay*", "/CFIDE/restplay*", "/CFIDE/administrator*",
"/CFIDE/adminapi*", "/CFIDE/main*", "/CFIDE/componentutils*", "/CFIDE/wizards*",
"/CFIDE/servermanager*") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method,
Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`'
how_to_implement: This detection requires the Web datamodel to be populated from a
supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk
for Palo Alto.
known_false_positives: This analytic is limited to HTTP Status 200; adjust as necessary.
False positives may occur if the URI path is IP-restricted or externally blocked.
It's recommended to review the context of the alerts and adjust the analytic parameters
to better fit the specific environment.
references:
- https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Possible exploitation of CVE-2023-29298 against $dest$.
risk_objects:
- field: dest
type: system
score: 45
threat_objects:
- field: src
type: ip_address
tags:
cve:
- CVE-2023-29298
analytic_story:
- Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
asset_type: Network
atomic_guid: []
mitre_attack_id:
- T1190
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log
source: suricata
sourcetype: suricata