
Top Trending CVEs of July 2023


July was a busy month for vulnerability research. We had the opportunity to be picky about our curated selection of critical risks to report. Good news for blog content, but less so for production networks. Researchers discovered that Adobe ColdFusion is still actively used in production environments and is vulnerable to a deserialization vulnerability that results in remote command execution (RCE). Seriously, who is using ColdFusion in 2023? Citrix’s ShareFile platform was found to be vulnerable to a path traversal vulnerability that facilitated RCE, but only in non-standard deployments. On the hardware side of the spectrum, researchers discovered that AMD Zen2 CPUs are vulnerable to a memory disclosure vulnerability that could result in the unintended leak of neat things like encryption keys and passwords. Finally, we cover a pre-authentication RCE vulnerability identified in the business intelligence software Metabase.

 

1. Adobe ColdFusion Deserialization RCE CVE-2023-29300

ColdFusion has the distinct honor of being the platform I targeted to achieve one of my first RCE exploits – that was more than fifteen years ago. It’s nice to hear some things don’t change. Researchers with Project Discovery identified a pre-authentication deserialization vulnerability that impacts the Web Distributed Data eXchange (WDDX) component of ColdFusion. WDDX is an XML vocabulary for describing complex data structures in a standard, generic way. Exploiting this vulnerability requires the presence of a valid CFC (ColdFusion Component) endpoint, but attacks have been observed that leveraged an authentication bypass vulnerability (CVE-2023-29298) to exploit it on locked-down instances. The patch released by Adobe covered the authentication bypass vuln, but did not directly address the RCE vulnerability. Rather, a denylist was implemented to prevent WDDX from loading unauthorized classes during deserialization. This patch feels like a short-term solution.

In our opinion the patch implemented by Adobe is insufficient and has a strong likelihood of being bypassed. There are too many classes for a denylist to safely cover every threat scenario. Our spidey sense tells us we’ll be revisiting this issue in August. Exploitation has been observed in the wild, but no public exploits had been released at the time this article was published.

Severity   Complexity   CVSS Score
Critical   Low          9.8


Systems Impacted: 

Product           Update number                      Platform
ColdFusion 2018   Update 16 and earlier versions     All
ColdFusion 2021   Update 6 and earlier versions      All
ColdFusion 2023   GA Release (2023.0.0.330468)       All



 

2. Citrix ShareFile Path Traversal and RCE CVE-2023-24489

Since we published this post in July, due to the critical nature of this vulnerability, we’ve escalated this CVE to Celebrity Vulnerability status. You can find more information about this vulnerability in our expanded post covering it, Just in Time Bulletin: CVE-2023-24489 Citrix ShareFile RCE. We recommend you prioritize this vulnerability for remediation ASAP to protect yourself from threat actors looking to exploit your system.

 

3. Zenbleed – AMD Zen2 Use-after-free CVE-2023-20593

This vulnerability is a deviation from the usual crop of software-related issues and impacts branch prediction and speculative execution in AMD Zen2 CPUs as it relates to the 128-bit vector registers known as XMM. Suffice it to say I’m no expert on hardware bugs, branch prediction, or assembler, but let’s dig into this one anyway and see if we come out learning a bit about op-codes and registers.

The XMM registers are used by a surprising number of standard C functions, such as memcpy, strlen, and strcmp. The vector registers come in several widths: XMM (128-bit), YMM (256-bit), and ZMM (512-bit). These registers have upper and lower halves, and when a C function like strlen is called, the CPU instruction “vzeroupper” is executed to zero out the upper halves of the vector registers. It does this by setting the z-bit, which is just a flag, and releasing any resources associated with those registers.

This is all pretty standard as far as CPU operations go, but modern processors use what is called speculative execution. Speculative execution lets a CPU execute instructions and store results that may not actually be needed, in an effort to minimize delays. If it turns out an instruction wasn’t needed, the changes are reverted and the results ignored.

So, going back to “vzeroupper”: what happens if a CPU speculatively executes this instruction and later decides that it wasn’t needed? Recall that “vzeroupper” is essentially like calling free(), where all values associated with a vector register are released. The CPU then goes about trying to revert to a vector register that is no longer set, at least not by the calling CPU. It’s a use-after-free in a place where one shouldn’t even be possible! Neat! Researchers discovered that this could be weaponized by creating a situation that optimizes for the mispredicted execution of “vzeroupper”. The end result is the ability to dump 30 KB of data per CPU core per second, which can include passwords, encryption keys, and anything else being processed by any CPU on the system. No privileged access required. This is a pretty wild and complex vulnerability. Proof-of-concept code is available.

Remotely identifying the CPU type of a system is, as far as I know, impossible. It will be interesting to see if this works its way into malware targeting Linux systems. AMD has released a microcode update to address the vulnerability.
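Identifying the CPU type locally is straightforward, which is what an inventory or patch-verification job needs. The script below is an added example (not from the original post or AMD): it parses /proc/cpuinfo text, flags logical processors whose family/model fall in the Zen 2 ranges, and reports the running microcode revision so it can be compared with the fixed level in AMD’s advisory. The model ranges are an assumption taken from the Linux kernel’s Zenbleed mitigation, and the sample cpuinfo text and microcode values are constructed.

```python
import re

# Family 0x17 model ranges that the Linux kernel's Zenbleed fix treats as Zen 2;
# an assumption taken from that kernel patch, not from this post.
ZEN2_MODEL_RANGES = ((0x30, 0x4F), (0x60, 0x6F), (0x70, 0x7F), (0xA0, 0xAF))

# Constructed /proc/cpuinfo excerpt: a Zen 2 core (Ryzen 3000, model 0x71) and
# a Zen 3 core (family 0x19) for contrast; microcode values are made up.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 9 3900X 12-Core Processor
microcode\t: 0x8701021

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: AMD Ryzen 9 5950X 16-Core Processor
microcode\t: 0xa201016
"""

def is_zen2(vendor, family, model):
    """True when vendor/family/model fall in an affected Zen 2 range."""
    if vendor != "AuthenticAMD" or family != 0x17:
        return False
    return any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)

def classify_cpuinfo(text):
    """Parse /proc/cpuinfo text into one record per logical processor."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict((k.strip(), v.strip()) for k, _, v in
                 (line.partition(":") for line in block.splitlines()))
        records.append({
            "processor": int(f.get("processor", -1)),
            "model_name": f.get("model name", ""),
            "zen2_affected": is_zen2(f.get("vendor_id"), int(f.get("cpu family", 0)),
                                     int(f.get("model", 0))),
            # Compare with the fixed level in AMD's advisory for this part.
            "microcode": f.get("microcode", "unknown"),
        })
    return records

if __name__ == "__main__":  # run on the live system
    with open("/proc/cpuinfo") as fh:
        for rec in classify_cpuinfo(fh.read()):
            print(rec)
```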

Severity   Complexity   CVSS Score
Moderate   Moderate     6.5

 

Systems/Applications Impacted:

  • AMD Ryzen 3000 Series Processors
  • AMD Ryzen PRO 3000 Series Processors
  • AMD Ryzen Threadripper 3000 Series Processors
  • AMD Ryzen 4000 Series Processors with Radeon Graphics
  • AMD Ryzen PRO 4000 Series Processors
  • AMD Ryzen 5000 Series Processors with Radeon Graphics
  • AMD Ryzen 7020 Series Processors with Radeon Graphics
  • AMD EPYC “Rome” Processors



4. Metabase pre-authentication RCE CVE-2023-38646

Metabase is an open-source business intelligence platform used for data visualization, querying, and instrumentation. Researchers with Assetnote recently disclosed a vulnerability in Metabase that can result in pre-authentication RCE. The vulnerability was attributed to a commit made in January 2022 to the setup procedure. The minor change resulted in the one-time-use setup token remaining persistently available after installation. The setup token itself can be read from the HTML source of the Metabase login page or via a request to “/api/session/properties”. Both of these operations are available to unauthenticated users.

With access to the setup token, an attacker can perform operations normally reserved for installation, including connecting the instance to a data source. The Assetnote team observed that the setup flow includes a validation step that verifies connectivity to the data source via “/api/setup/validate”. The “validate” endpoint accepts a JDBC URI to establish the connection. JDBC URIs are a common vector for remote command execution, particularly with H2 databases.
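The exposure described above can be checked on instances you administer from the same unauthenticated properties response. The following is an added example written for this post (not Metabase’s code or Assetnote’s): it parses a properties response, determines whether the release line is in scope (x.43 or later, as the post states) and whether a setup token is still being served. The “setup-token” and “version”/“tag” field names are assumed from Metabase’s API, and the sample responses and token value are constructed placeholders.

```python
import json
import re

# Constructed sample of the unauthenticated /api/session/properties response.
# Field names "setup-token" and "version"/"tag" are assumed from Metabase's API;
# the token value is a placeholder, not a real token.
EXPOSED_PROPERTIES = json.dumps({
    "version": {"tag": "v0.46.6"},
    "setup-token": "PLACEHOLDER-SETUP-TOKEN",
    "site-name": "Metabase",
})
# Same shape with the token cleared, as a correctly configured instance returns.
CLEARED_PROPERTIES = json.dumps({"version": {"tag": "v0.46.6"}, "setup-token": None})

FIRST_AFFECTED_MINOR = 43  # post: "Version x.43 of Metabase or later is at risk"

def parse_version(tag):
    """'v0.46.6' or '1.43.4' -> (major, minor, patch)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?.*", tag)
    if not m:
        raise ValueError(f"unrecognized version tag: {tag!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def triage(properties_json):
    """Summarise one instance's CVE-2023-38646 exposure from its properties."""
    props = json.loads(properties_json)
    major, minor, patch = parse_version(props.get("version", {}).get("tag", ""))
    token_exposed = bool(props.get("setup-token"))
    in_scope = minor >= FIRST_AFFECTED_MINOR
    return {
        "version": f"{major}.{minor}.{patch}",
        "release_line_in_scope": in_scope,
        "setup_token_exposed": token_exposed,
        # A persistent token on an affected line is the condition the post describes.
        "likely_vulnerable": in_scope and token_exposed,
    }

if __name__ == "__main__":  # check a live instance you administer
    import sys, urllib.request
    url = sys.argv[1].rstrip("/") + "/api/session/properties"
    print(triage(urllib.request.urlopen(url).read().decode()))
```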

The most straightforward means of achieving RCE with an H2 connection URI is the INIT parameter, which allows a remote RUNSCRIPT to be defined. RUNSCRIPT allows a third party to host a malicious SQL file that, when executed, creates a trigger containing JavaScript that can execute something like “java.lang.Runtime.getRuntime().exec()”.

The Assetnote team eventually determined that Metabase had already considered this threat scenario and actively blocked URIs containing the INIT parameter. After many hours of searching for alternative paths to RCE, the team arrived at the TRACE_LEVEL_SYSTEM_OUT argument, which provided a means to stack SQL queries and attain pre-auth RCE.

It’s worth noting that the database used to achieve RCE was an example H2 database included with the default installation of Metabase. Not only did this provide an out-of-the-box path to RCE, it also meant the exploit would not corrupt a production database. Metabase has released a patch to address the vulnerability. If your deployment was installed before January 2022 you’re probably not vulnerable, but double check the version anyway.
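Both the ColdFusion denylist and the INIT-only filter above illustrate the same weakness: a denylist only blocks what its author thought of. The added example below (written for this post, not Metabase’s validation code) parses an H2 JDBC URI and compares an INIT-only denylist with an allowlist of permitted targets and settings. The allowed settings and target prefixes are assumptions chosen for illustration, and the sample URIs are constructed with benign values.

```python
# Minimal parser for H2 JDBC URIs of the form
#   jdbc:h2:<target>;SETTING=value;SETTING=value
# The allowed settings and target prefixes are assumptions for this example,
# not Metabase's actual validation logic.
ALLOWED_SETTINGS = {"MODE", "DB_CLOSE_DELAY", "IFEXISTS"}
ALLOWED_TARGET_PREFIXES = ("mem:", "file:")

def parse_h2_uri(uri):
    """Split an H2 URI into its target and a dict of upper-cased settings."""
    if not uri.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 JDBC URI")
    target, *settings = uri[len("jdbc:h2:"):].split(";")
    parsed = {}
    for item in settings:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed setting: {item!r}")
        parsed[key.strip().upper()] = value  # H2 setting names are case-insensitive
    return target, parsed

def denylist_check(uri):
    """The approach the post attributes to Metabase: reject only INIT."""
    _, settings = parse_h2_uri(uri)
    return "INIT" not in settings

def allowlist_check(uri):
    """Accept only known-benign targets and settings; anything else fails."""
    target, settings = parse_h2_uri(uri)
    return (target.startswith(ALLOWED_TARGET_PREFIXES)
            and all(key in ALLOWED_SETTINGS for key in settings))

# Constructed inputs: a normal URI, one carrying INIT (benign script shown; any
# INIT value is rejected), and one carrying the TRACE_LEVEL_SYSTEM_OUT setting
# the post names, with a harmless value.
SAMPLES = {
    "plain": "jdbc:h2:mem:sample;MODE=PostgreSQL",
    "init": "jdbc:h2:mem:sample;INIT=CREATE TABLE t(id INT)",
    "trace": "jdbc:h2:mem:sample;TRACE_LEVEL_SYSTEM_OUT=3",
}

def compare():
    """Return {name: (denylist_result, allowlist_result)} for each sample."""
    return {name: (denylist_check(u), allowlist_check(u)) for name, u in SAMPLES.items()}
```

The "trace" sample is the one that matters: the denylist lets it through while the allowlist rejects it, because the decision does not depend on having anticipated that particular setting.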

Severity   Complexity   CVSS Score
Critical   Low          9.8

 

Systems/Applications Impacted:

  • Version x.43 of Metabase or later is at risk


To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let our Unified VRM platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what NopSec’s Unified VRM can do in action watch this on-demand product tour.
