COMMAND
Cold Fusion Server
SYSTEMS AFFECTED
Cold Fusion Server 4.5.1, Professional & Enterprise
PROBLEM
Ryan Hill posted the following (thanks are due to Patrick Keating
for his help diagnosing and discovering this issue). ColdFusion
is a complete Web application server for developing and delivering
scalable e-business applications. The Cold Fusion Markup Language
(CFML) tag set includes a tag called CFCACHE. CFCACHE can speed up
pages considerably in cases where the dynamic content does not need
to be retrieved each time a user accesses the page. To accomplish
this, it creates temporary files that contain the static HTML
returned from a particular run of the ColdFusion page.
It is possible to cause the Cold Fusion Server service to hang
and stop responding to client requests by requesting a CFCACHE'd
page whose cache file has not yet been stored while no request
thread slots are free on the server. The Cold Fusion Server
service must then be restarted so that the running and queued
request threads can be cleared.
CFCACHE consumes a client request thread when creating temporary
cache pages, which hangs Cold Fusion Server if no execution thread
slots are available. An example of this exploit using the default
limit of 5 simultaneous requests is to send 6 simultaneous page
requests to a CFCACHE'd page that has not yet been loaded into a
temporary cache file. Using CFSTAT, a utility included with Cold
Fusion Server, you can clearly see that the server has stopped
responding to client requests, with 5 threads running in the
active thread space and 1 thread stuck in the queue. The 5 active
threads never time out or exit, and the server never recovers from
this hung state. The only way to regain control of the server is
to restart the Cold Fusion Server service on the affected machines.
The severity of this bug is fairly high considering that the
exploit is so simple to perform: it requires no malformed data,
edited packets or exploit programs to potentially knock thousands
of vulnerable Cold Fusion Servers off-line.
SOLUTION
No patches are known. You can avoid the use of CFCACHE, or, as a
possible workaround, manually or programmatically (with a spider)
request the CFCACHE'd pages so that the temporary files are created
under a no-load situation. Once the temporary cache pages have been
created, this vulnerability is no longer a threat. This workaround
is not very practical, however, and can become very time consuming
if the website has many pages using this functionality. Allaire's
unofficial response to this bug:
"What are the chances that 5 people would simultaneously request
the same page?"
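As an added illustration (not code from the advisory or from Allaire), the following Python model reproduces the thread-slot exhaustion described above and shows why pre-warming the cache removes it. The slot accounting (one slot per client request, one more for the internal request that writes the temp file) and the /page.cfm path are assumptions made for the model.

```python
from collections import deque

# Simplified model (an assumption, not Allaire's code) of the behaviour the
# advisory describes: each client request holds one of the server's
# simultaneous-request slots, and a request whose CFCACHE temp file does not
# exist yet issues an internal sub-request that needs a slot of its own.

def simulate(slots, paths, cache):
    """Serve `paths` (one request each, all arriving at once) with `slots`
    request slots. `cache` is the set of pages whose temporary file exists
    and is updated in place. Returns a CFSTAT-like snapshot of the outcome."""
    free = slots
    queue = deque(paths)        # requests waiting for a slot
    active = []                 # requests holding a slot
    served = []
    while queue or active:
        progressed = False
        while queue and free > 0:           # admit queued requests
            active.append(queue.popleft())
            free -= 1
            progressed = True
        for path in list(active):
            if path in cache:               # cached: static HTML is returned
                active.remove(path)
                free += 1
                served.append((path, "hit"))
                progressed = True
            elif free > 0:                  # miss: sub-request takes a 2nd slot,
                free -= 1                   # writes the temp file, then both
                cache.add(path)             # slots are released
                active.remove(path)
                free += 2
                served.append((path, "generated"))
                progressed = True
            # else: the sub-request waits for a slot that never frees up
        if not progressed:                  # nobody can move: the server is hung
            return {"hung": True, "running": len(active),
                    "queued": len(queue), "served": served}
    return {"hung": False, "running": 0, "queued": 0, "served": served}

def cold_cache_burst(slots=5, requests=6):
    """The advisory's scenario: 6 simultaneous requests to an uncached page."""
    return simulate(slots, ["/page.cfm"] * requests, set())

def prewarmed_burst(slots=5, requests=6):
    """The workaround: spider the page alone first, then take the same burst."""
    cache = set()
    warm = simulate(slots, ["/page.cfm"], cache)
    return warm, simulate(slots, ["/page.cfm"] * requests, cache)
```

With the default 5 slots, cold_cache_burst() reports the state CFSTAT shows in the advisory (5 running, 1 queued, hung), while prewarmed_burst() serves all 6 requests as cache hits.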
To further reduce the chance of an attacker successfully performing
the reconnaissance needed for such an attack, Allaire released
Allaire Security Bulletin (ASB00-03), Patch Available For Potential
Information Exposure By The CFCACHE Tag:
http://www.allaire.com/handlers/index.cfm?ID=13978&Method=Full
The Bulletin recommends that ColdFusion customers use this patch to
relocate temporary cache files to a secure document directory that
is not accessible from a web browser. Without the information
available from a system where the patch and bulletin recommendations
have _not_ been implemented, the proposed exploit _must_ run a
typical denial of service attack in order to locate a ColdFusion
template that uses the <CFCACHE> tag.
However, obscuring this information won't do much good either,
because it does not address the core issue: the vulnerability in
CFCACHE itself.