Cybercriminals are reportedly exploiting a critical flaw in the Magento e-commerce platform only days after it was made public by the researchers who discovered it.
Scoring a 9.0 on CVSS, the bug doesn’t yet have a CVE number to identify it but Magento refers to its patching list as PRODSECBUG-2198 (the number being the important bit).
It’s an SQL injection flaw which can be exploited with no authentication or privileges, which is why for admins tending sites using Magento it’s a stop what you’re doing and patch this now situation.
That’s not difficult as the Adobe-owned Magento patched this among several dozen other security flaws as part of a security update published last week. The affected versions are:
- Version 1 before 2.1.17
- Version 2.2 before 2.8,
- Version 2.3 before 3.1
- Magento Open Source before 9.4.1
- Magento Commerce before 14.4.1
The patch for 2198 can be installed on its own but, ideally, sites should install the whole update. From Magento’s announcement:
To protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.
Among a total of 37 flaws covering Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS), there’s also a serious (CVSS 9.8) Remote Code Execution (RCE) flaw identified as PRODSECBUG-2192 deserving careful attention.
Devil take the hindmost
What of the attacks on Magento sites? This part of the story began on 25 March when little-known French Pentesting company Ambionics Security (which also revealed so-called Carpe Diem bug in Apache this week) tweeted the following:
Tomorrow, #Magento releases a patch for an unauthenticated #SQLi and #RCE we reported a few months ago. We'll describe the vulnerabilities, and how they can be exploited, in our next blog post. Patch your systems ! pic.twitter.com/aGnZ2m4Zbu
— Ambionics Security (@ambionics) March 25, 2019
True to its word, on 29 March, Ambionics published a blog looking at 2198 in more detail, including that it was paid a bounty by Magento for responsibly disclosing it last November.
The blog included a GitHub link to proof-of-concept (POC) exploit code without making it clear who developed this.
On the same day, Elgentos Ecommerce CTO Pete Jaap Blaakmeer tweeted that he’d noticed attacks based on the POC for 2198:
Magento devs, if you haven't patched already, do it ASAP. We've already seen attempts at two of our shops using the published POC. We're safe because we already patched every shop on Wednesday. https://t.co/5nZjMGBEUu
— Peter Jaap Blaakmeer (@PeterJaap) March 29, 2019
Separately, Blaakmeer confirmed this to a journalist.
Researchers making POC code public so soon after a patch becomes available is not unheard of but it’s contentious because it puts sites under huge pressure to update.
The other way of looking at this is to say that Magento admins should simply adjust themselves to the need to apply security updates as a major priority, in a matter of hours.
It’s not as if there haven’t been warnings that Magento and other platforms are being targeted.
Last August, the MagentoCore card skimming malware was discovered on thousands of Magento sites, some of which looked as if they’d been infected for months.
More recently, a report emerged that Magento sites were being used to test leaked credit cards using zero dollar transactions to see which might be vulnerable to fraud.
Leave a Reply