ColdFusion Server 4.5.1, Professional & Enterprise - causing it to hang
Vulnerability

    Cold Fusion Server

Affected

    Cold Fusion Server 4.5.1, Professional & Enterprise

Description

    Ryan Hill posted the following (thanks are due to Patrick Keating
    for his help diagnosing and discovering this issue). ColdFusion
    is a complete Web application server for developing and delivering
    scalable e-business applications. The Cold Fusion Markup Language
    (CFML) tag set includes a tag called CFCACHE. CFCACHE allows you
    to speed up pages considerably in cases where the dynamic content
    doesn't need to be retrieved each time a user accesses the page.
    To accomplish this, it creates temporary files that contain the
    static HTML returned from a particular run of the ColdFusion page.

    It is possible to cause the Cold Fusion Server service to hang
    and stop responding to client requests when a client requests a
    cache file that isn't stored in memory and there are no running
    thread request slots available on the server. The Cold Fusion
    Server service must be restarted so that the running and queued
    request threads can be cleared.

    When creating temporary cache pages, CFCACHE uses a client thread
    request, which will hang Cold Fusion Server if there are no
    available execution thread slots. An example of this exploit using
    the default limit of 5 simultaneous requests would be to send 6
    simultaneous page requests to a CFCACHE'd page which hasn't been
    loaded into a temporary cache file. Using CFSTAT, a utility
    included with Cold Fusion Server, you can clearly see that the
    server has stopped responding to client requests, with 5 threads
    running in the active thread space and 1 thread stuck in the
    queue. The 5 active threads never time out or exit and the server
    never recovers from this hung state. The only way to regain
    control of the server is to restart the Cold Fusion Server service
    on the affected machines.

    The severity of this bug is fairly high considering that the
    exploit is so simple to perform and does not require malformed
    data, edited packets or any exploit programs to potentially knock
    thousands of vulnerable Cold Fusion Servers off-line.

Solution

    There are no known patches. You can avoid the use of CFCACHE, or,
    as a possible workaround, manually or programmatically (spider)
    request CFCACHE pages so that the temporary files are created
    under a no-load situation. Once the temporary cache pages are
    created, this vulnerability is no longer a threat. This workaround
    is not very practical, however, and can become very time-consuming
    if the website has many pages using this functionality. Allaire's
    unofficial response to this bug: "What are the chances that 5
    people would simultaneously request the same page?"
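
    The spider workaround described above, as an added example (not
    part of the original advisory or any Allaire tool). It requests
    each page strictly one at a time and stops at the first page that
    fails to answer; the host name, page list, timeout and pause
    values are assumptions.

```python
# Added example: serial warm-up of CFCACHE'd pages (host and paths are placeholders).
import time
import urllib.error
import urllib.request


def http_fetch(url, timeout):
    """Return the HTTP status for one GET; raises OSError on timeout or connect failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()  # drain the body so the server finishes the request
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # the server answered, so the request slot was released


def warm_cache(urls, fetch=http_fetch, timeout=60, pause=1.0):
    """Request each page one at a time, never in parallel.

    Returns (results, aborted): results is a list of (url, status, seconds);
    aborted is the URL that failed to answer, or None if every page answered.
    """
    results = []
    for url in urls:
        start = time.monotonic()
        try:
            status = fetch(url, timeout)
        except OSError:
            # No answer: that request may still hold a slot on the server.
            # Stop here instead of stacking more requests behind it.
            return results, url
        results.append((url, status, round(time.monotonic() - start, 3)))
        time.sleep(pause)  # let the request slot drain before the next page
    return results, None


if __name__ == "__main__":
    # Constructed list; replace with the site's own CFCACHE'd templates.
    pages = ["http://cf-server.example/catalog.cfm",
             "http://cf-server.example/news.cfm"]
    done, stuck = warm_cache(pages)
    for url, status, secs in done:
        print(f"{status} {secs:>7.3f}s {url}")
    if stuck:
        print(f"no response from {stuck}; check CFSTAT before continuing")
```

    Run it while the site is not serving user traffic, so the
    warm-up request is the only one occupying a request slot.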

    To further reduce the chance of successful attacker reconnaissance
    in attempting such an attack, Allaire released Allaire Security
    Bulletin (ASB00-03): Patch Available For Potential Information
    Exposure By The CFCACHE Tag:

        http://www.allaire.com/handlers/index.cfm?ID=13978&Method=Full

    The Bulletin recommends ColdFusion customers use this patch to
    relocate temporary cache files to a secure, non-web browser
    accessible document directory. Without the information available
    from a system where the patch and bulletin recommendations have
    _not_ been implemented, the proposed exploit _must_ run a typical
    denial of service attack in order to locate a ColdFusion template
    that uses the <CFCACHE> tag.

    However, obscuring this information won't do much good either,
    because that really doesn't address the core issue of the
    vulnerability of CFCACHE.