BreachExchange mailing list archives

ColdFusion hack used to steal hosting provider’s customer data


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Wed, 17 Apr 2013 11:07:27 -0400

http://arstechnica.com/security/2013/04/coldfusion-hack-used-to-steal-hosting-providers-customer-data/

A vulnerability in the ColdFusion Web server platform, reported by
Adobe less than a week ago, has apparently been in the wild for almost
a month and has allowed the hacking of at least one company website,
exposing customer data. Yesterday, it was revealed that the virtual
server hosting company Linode had been the victim of a multi-day
breach that allowed hackers to gain access to customer records.

The breach was made possible by a vulnerability in Adobe's ColdFusion
server platform that could, according to Adobe, "be exploited to
impersonate an authenticated user." A patch had been issued for the
vulnerability on April 9 and was rated as priority "2" and
"important." Those ratings placed it at a step down from the most
critical, indicating that there were no known exploits at the time the
patch was issued but that data was at risk. Adobe credited "an
anonymous security researcher" with discovering the vulnerability.

But according to an IRC conversation that included one of the alleged
hackers of the site, Linode's site had been compromised for weeks before its
discovery. That revelation leaves open the possibility that other
ColdFusion sites have been compromised as hackers sought out targets
to use the exploit on.

ColdFusion is a Java-based Web server platform that interprets its own
proprietary markup language in page code to access server-side
application components and data. It has had a large installed base in
the government sector and other markets, but its market share has been
in decline for some time, and the technology has seen little change
since 2009. In 2011, Adobe announced it was moving the whole of
ColdFusion development to India.

The element attacked is its user authentication component, cflogin. In
March, a ColdFusion user reported encountering errors in cflogin he
believed were because of attempted hack attacks. "I've now seen
cflogin throw an error twice now with bad input at—I believe—the
cookie level," he reported to Adobe's bug tracker.

By exploiting the login vulnerability, the hackers were able to gain
access to the Linode server itself and to the site's code. Through the
code, they were able to obtain the login credentials to Linode's
database and steal customer data that included hashed passwords,
encrypted credit card data, and the unencrypted last four digits of
credit cards used for verification purposes. Customer keys for
Linode's deployment and management APIs were also exposed.

Linode has expired those keys and is re-issuing them. Linode
representatives said in a blog post that the company has "no evidence decrypted
credit card numbers were obtained" and added that the encryption key
for credit card data was not stored on the server and was "not
guessable, sufficiently long and complex, not based on dictionary
words, and not stored anywhere but in our heads."

Ars has contacted Linode for comment on the breach, but a spokesperson
said it may be several days before the company will respond with
further information.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list