The popular e-commerce platform Magento is urging web administrators to install its latest security update in order to defend against malicious attacks in the wild that could exploit a critical remote code-execution vulnerability.
While the company didn’t specify what kinds of attacks websites should be concerned about (Threatpost reached out for comment on this), Magento is a common target for the Magecart association of threat groups, which compromise websites built on unpatched e-commerce platforms in order to inject card-skimming scripts on checkout pages. The scripts steal unsuspecting customers’ payment card details and other information entered into the fields on the page.
The vulnerability (CVE-2019-8144), which carries a severity ranking of 10 out of 10 on the CVSS v.3 scale, could enable an unauthenticated user to insert a malicious payload into a merchant’s site through Page Builder template methods, and execute it. Page Builder allows websites to design content updates, preview them live and schedule them to be published. The bug specifically exists in the preview function.
The flaw affects Magento 2.3, and was patched in Magento Commerce 2.3.3 and with the security-only patch 2.3.2-p2, released in October. The company warned that patching will have the side effect of “blocking administrators from viewing previews for products, blocks and dynamic blocks”; but, it said, it will re-enable the preview functionality as soon as possible.
“We recommend that all merchants, even those who have already upgraded to 2.3.3 or applied security-only patch 2.3.2-p2, review the security of their Magento site to confirm that it was not potentially compromised before upgrade,” Piotr Kaminski of the Magento security team wrote in a posting on Monday. “Applying this hot fix or upgrading…will help defend your store against potential attacks going forward, but will not address the effects of an earlier attack.”
The same update patches several other critical remote-code-execution flaws with a CVSS v.3 score of 9 and above, as well as cross-site scripting (XSS) issues.
The warning comes as Magecart activity and infrastructure continue to saturate the web. According to analysis from RiskIQ last month, there are now 573 known command-and-control (C2) domains for the group, with close to 10,000 hosts actively loading those domains. In all, RiskIQ has detected almost 2 million (2,086,529) instances of Magecart’s JavaScript binaries, with over 18,000 e-commerce hosts directly breached.
“It is unfortunate that this kind of attack is still succeeding even though a mitigation is quite straightforward,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, via email. “As a last resort, website owners should periodically check the integrity of their script code, which can be as simple as calculating a checksum every few minutes to look for an unexpected change.”
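One way to implement the periodic script-integrity check Hahad describes, as an added Python example that is not from the article or from Magento: it fingerprints the inline and external scripts on a checkout page and diffs them against a saved baseline, so an injected or altered script shows up as an alert. The two HTML pages and the `cdn.example.invalid` host are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.externals, self.inlines = [], []
        self._buf = None  # list while inside an inline <script>, else None
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.externals.append(src)
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inlines.append("".join(self._buf))
            self._buf = None

def fingerprint_page(html):
    """Map every script on the page to a SHA-256 digest: inline scripts keyed by position
    and hashed by body, external ones keyed by src (in production, hash the fetched file too)."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    fp = {f"inline:{i}": hashlib.sha256(b.encode()).hexdigest() for i, b in enumerate(p.inlines)}
    fp.update({f"external:{s}": hashlib.sha256(s.encode()).hexdigest() for s in p.externals})
    return fp

def diff_fingerprints(baseline, current):
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

# Constructed sample pages: a trusted checkout page, then a later snapshot with an altered inline script and an unexpected third-party script tag.
BASELINE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</body></html>"""
SUSPECT_HTML = BASELINE_HTML.replace('"USD"};', '"USD"}; extra();').replace(
    "</body>", '<script src="https://cdn.example.invalid/extra.js"></script>\n</body>')

def check_checkout_page(baseline_html=BASELINE_HTML, current_html=SUSPECT_HTML):
    return diff_fingerprints(fingerprint_page(baseline_html), fingerprint_page(current_html))
```

Any non-empty list returned by `check_checkout_page` is a change the site owner did not deploy and should be investigated; run it on a schedule against a baseline captured right after a known-good deploy.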