{"vuid":"VU#125331","idnumber":"125331","name":"Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs","keywords":null,"overview":"### Overview\r\nAdobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.\r\n\r\n### Description\r\n\r\nThe Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as `C:\\ColdFusion2021\\`. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.\r\n\r\n### Impact\r\nBy placing a specially-crafted DLL file in the ColdFusion installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable ColdFusion software installed. See [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001/) for more details.\r\n\r\n### Solution\r\n#### Use the Server Auto-Lockdown Installer\r\nBy default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the [ColdFusion Server Auto-Lockdown](https://helpx.adobe.com/coldfusion/user-guide.html/coldfusion/using/server-lockdown.ug.html) installer must be run in addition to installing ColdFusion itself.\r\n\r\nMitigation steps vary based on the version of ColdFusion being used:  \r\nColdFusion 2016: Apply the changes outlined in the [ColdFusion 2016 Lockdown Guide](https://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf).  \r\nColdFusion 2018: Run the [ColdFusion 2018 Auto-Lockdown installer](https://www.adobe.com/support/coldfusion/downloads.html#cf2018ldg) and ensure that it completes without error.  \r\nColdFusion 2021: Run the [ColdFusion 2021 Auto-Lockdown installer](https://www.adobe.com/support/coldfusion/downloads.html#cf2021ldg) and ensure that it completes without error.  \r\n\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported by Will Dormann of the CERT/CC.\r\n\r\nThis document was written by Will Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://helpx.adobe.com/coldfusion/user-guide.html/coldfusion/using/server-lockdown.ug.html","https://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf","https://www.adobe.com/support/coldfusion/downloads.html#cf2018ldg","https://www.adobe.com/support/coldfusion/downloads.html#cf2021ldg"],"cveids":["CVE-2020-10145"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2021-02-01T20:51:02.822165Z","publicdate":"2021-02-01T20:51:02.619453Z","datefirstpublished":"2021-02-01T20:51:02.838514Z","dateupdated":"2021-02-01T20:51:02.619444Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":37}