Critical Flaws in Magento e-Commerce Platform Allow Code-Execution


Admins are encouraged to update their websites to stave off attacks from Magecart card-skimmers and others.

Critical vulnerabilities in Adobe’s Magento e-commerce platform – a favorite target of the Magecart cybergang – could lead to arbitrary code execution.

Adobe issued patches on Tuesday as part of its overall release of the Magento 2.3.4 upgrade, giving the fixes a “priority 2” rating. In Adobe parlance, priority 2 means that administrators should apply the updates within 30 days.

Of the flaws, Adobe has fixed three that it rates as critical in severity, meaning that successful exploits could “allow malicious native code to execute, potentially without a user being aware.”

Two of these could allow arbitrary code execution: CVE-2020-3716 is a deserialization-of-untrusted-data flaw, and CVE-2020-3718 is a security-bypass issue.

The bug tracked as CVE-2020-3719, meanwhile, would allow SQL injection if successfully exploited. SQL injection attacks occur when a website developer doesn’t sanitize user-supplied data before it reaches a database query, which can lead to arbitrary reading and writing of data used within a web application. An attacker can take advantage by sending a malicious search query through the search box of a website.
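The search-box scenario above, as an added example that is not from the article or from Magento’s code: a constructed in-memory product table, a search function that concatenates the user’s term into the SQL text, and the hardened version that binds the term as a parameter (and escapes LIKE wildcards, which parameter binding alone does not neutralise).

```python
import sqlite3


def build_catalogue():
    # Constructed sample data standing in for a store's product table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, sku TEXT)")
    conn.executemany(
        "INSERT INTO products (name, sku) VALUES (?, ?)",
        [("Red Shoes", "SHOE-001"), ("Blue Hat", "HAT-002"), ("Green Scarf", "SCARF-003")],
    )
    return conn


def search_vulnerable(conn, term):
    # Unsanitised: the term becomes part of the SQL text, so a quote in the
    # term closes the string literal and changes the structure of the query.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    # Hardened: the term is bound as a parameter, so quotes are data and the
    # WHERE clause cannot be altered.  User-typed LIKE wildcards are escaped
    # too; otherwise a lone '%' would still list the whole catalogue.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = build_catalogue()
    crafted = "' OR '1'='1"  # constructed input that breaks out of the string literal
    print("vulnerable:", search_vulnerable(db, crafted))      # every product
    print("parameterised:", search_parameterised(db, crafted))  # nothing matches
```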

Adobe also patched a handful of bugs that it rates “important” in severity – defined as issues that could allow “access to confidential data, or could compromise processing resources in a user’s computer.”

These include CVE-2020-3715 and CVE-2020-3758, stored cross-site scripting (XSS) flaws that could allow sensitive information disclosure. XSS bugs are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. If the browser doesn’t validate the script and executes it, the script can access cookies, session tokens or other sensitive information retained by the browser.

Meanwhile, the flaw tracked as CVE-2020-3717 is a path-traversal vulnerability that also could lead to sensitive information disclosure.

The updates are likely of interest to Magecart groups, who will look to exploit the flaws before administrators apply the patches. Magecart is an umbrella term encompassing several different threat groups who typically use the same modus operandi: they compromise websites by exploiting vulnerabilities in third-party e-commerce platforms in order to inject card-skimming scripts on checkout pages. Magento is one of Magecart’s most-targeted platforms.

SQL injection bugs, for instance, have been used successfully by Magecart groups before. An attack last year against Magento 2 (mounted within 16 hours of the flaw being disclosed) exploited an SQL injection bug to steal administrative console credentials by dumping the contents of the admin_user database table. These credentials were then used to log into the Magento dashboard and add the Magecart malware to the targeted website.

Cross-Site Scripting (XSS) flaws are another common attack vector against websites. Magecart used a form of XSS attacks during the Newegg breach, for example.

“Magecart is a simple bit of code that is sophisticatedly injected into websites to steal credit-card information and most of the time unknowing to the website organization,” said James McQuiggan, security awareness advocate at KnowBe4, via email. “It is important for organizations that use e-commerce websites with third-party connections or plugins to verify that they are up to date with all known patches and software. Organizations will want to restrict third-party vendors’ access to sensitive data, like credit-card data, names and home address. Having a robust third-party policy to restrict external access to sensitive information and only allowing verified code or scripts to be executed can greatly reduce exposure.”

The versions impacted by the latest slew of bugs are Magento Commerce and Open Source 2.2.10 and earlier and 2.3.3 and earlier; Magento Enterprise Edition 1.14.4.3 and earlier; and Magento Community Edition 1.9.4.3 and earlier. Users should update to version 2.3.4 to address the problems.

Adobe gave white-hats Ernesto Martin, Blaklis, Luke Rodgers and Djordje Marjanovic credit for the various bugs’ discovery.


Discussion

  • Ben on

    It should be noted that several things that would have helped reduce the impact of the Newegg security breach still are not used on the Newegg check-out web page. They enable "x-xss-protection" but do not enable the stronger "mode=block" setting. They have a content-security-policy but never use it to restrict which sites can be used by the web page to download javascript from or which sites the web page can be the target for uploading form data. They also have a report-to setting but currently that is only used by the chrome browser. The report-uri setting required for firefox, edge and safari is not supplied. What they do have instead of practical technical security changes to the check-out process is the same "SecureTrust(TM)" seal from TrustWave(R) as they had during the breach. Clicking on the seal states in easily readable blue text "Your credit card and identity information are secure." Later in light grey it is stated that "Disclaimer: Trustwave Holdings, Inc. makes no representation or warranty as to whether NewEgg.com systems are secure from either an internal or external attack or whether cardholder data is at risk of being compromised." So what does the statement that credit card and identity information is "secure" mean if it is not actually a representation as to if the systems are secure?
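The two layers of stored-XSS defence touched on by the article and by the comment above, as an added example that is neither the article’s, the commenter’s nor Magento’s code: output encoding of stored content at render time, and a response-header set with the XSS filter in blocking mode, a CSP that restricts script sources and form targets, and both report-uri and report-to. The CDN host and report endpoint are assumed placeholders.

```python
import html
import json


def render_review(author, body):
    # Stored content is HTML-escaped at output time, so a review body that
    # contains <script> is displayed as text rather than executed.
    return '<div class="review"><b>{}</b><p>{}</p></div>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )


def security_headers(report_endpoint, script_cdn="https://cdn.example-shop.test"):
    # script_cdn and report_endpoint are assumed placeholders.
    # script-src limits where scripts may load from; form-action limits where
    # form data may be posted; report-uri and report-to cover browsers that
    # support either reporting mechanism.
    csp = "; ".join([
        "default-src 'self'",
        "script-src 'self' " + script_cdn,
        "form-action 'self'",
        "report-uri " + report_endpoint,
        "report-to csp-endpoint",
    ])
    report_to = {
        "group": "csp-endpoint",
        "max_age": 10886400,
        "endpoints": [{"url": report_endpoint}],
    }
    return {
        # Legacy filter header; mode=block stops rendering instead of sanitising.
        "X-XSS-Protection": "1; mode=block",
        "Content-Security-Policy": csp,
        "Report-To": json.dumps(report_to),
    }


if __name__ == "__main__":
    # Constructed sample review carrying a script tag.
    print(render_review("Ben", "<script>alert(1)</script>"))
    for name, value in security_headers("https://example-shop.test/csp-report").items():
        print(name + ": " + value)
```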
