Magento users should patch their systems to the fixed versions 2.3.1, 2.2.8 and 2.1.17 immediately, due to multiple severe vulnerabilities disclosed by Magento on March 26, 2019.
Earlier this week, Magento released details on more than 30 vulnerabilities affecting Magento versions 2.0 and up. Among them is an unauthenticated SQL injection vector, which Magento rates as critical. A proof-of-concept exploit has been published, and the vulnerability is being actively exploited in the wild.

The public exploit appears to steal the administrator's session ID, which lets the attacker authenticate to the affected site as that administrator. Because the underlying flaw is SQL injection, an attacker is not limited to session theft: depending on the database privileges of the Magento account, they can read, write and otherwise modify the victim's database.

To determine whether you have been targeted, examine your web server's access logs for the following:
The SQL injection attack attempts are directed against the following paths:
This vulnerability can be exploited via both GET and POST requests. Attacks delivered via POST are less obvious in access logs: web servers normally log only the request line (method, path and query string), not the request body, so the SQL injection string carried in the POST body is never written to the log. A POST to the affected path with no visible payload should therefore be treated as suspicious rather than benign.
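The log review described above, as an added example that is not part of the original post and not Akamai or Magento code: a small scanner over Apache/nginx combined-format access log lines that URL-decodes each query string, flags generic SQL injection indicators, and separately lists POST requests to a watched path whose body cannot be inspected from the access log. The sample log lines are constructed, and the path `/some/endpoint` and the `ids[0][from]` parameter are hypothetical placeholders rather than the vulnerable Magento endpoint; the indicator patterns are generic SQLi heuristics, not the published exploit.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# "/some/endpoint" and "ids[0][from]" are hypothetical placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2019:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Mar/2019:10:00:02 +0000] "GET /some/endpoint?ids[0][from]=1))+UNION+SELECT+1,2,3--+- HTTP/1.1" 500 210 "-" "curl/7.64.0"
203.0.113.9 - - [27/Mar/2019:10:00:03 +0000] "GET /some/endpoint?ids[0][from]=1%27%20OR%20SLEEP%285%29--%20 HTTP/1.1" 200 210 "-" "curl/7.64.0"
203.0.113.9 - - [27/Mar/2019:10:00:04 +0000] "POST /some/endpoint HTTP/1.1" 200 210 "-" "curl/7.64.0"
"""

# Parses the fields we need from a combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Generic SQL injection indicators, matched against the URL-decoded query string.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bUNION\b[\s\S]*\bSELECT\b", re.I)),
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),
    ("boolean", re.compile(r"'\s*(OR|AND)\s+[\w']+\s*=", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("comment-terminator", re.compile(r"(--\s|/\*)")),
]


def scan_access_log(log_text: str, watched_paths: Optional[List[str]] = None) -> Dict[str, List[dict]]:
    """Return SQLi hits found in query strings, plus POSTs to watched paths
    whose body is not in the log and therefore cannot be cleared from here."""
    hits: List[dict] = []
    blind_spots: List[dict] = []
    watched = set(watched_paths or [])

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        parts = urlsplit(m["target"])
        path = parts.path
        # Decode twice so a double-encoded payload is still visible.
        query = unquote_plus(unquote_plus(parts.query))
        indicators = [name for name, rx in SQLI_PATTERNS if rx.search(query)]
        if indicators:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "path": path, "query": query, "indicators": indicators,
            })
        elif m["method"] == "POST" and path in watched:
            # The injected SQL would be in the body, which the access log omits.
            blind_spots.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "path": path})

    return {"sqli_hits": hits, "post_blind_spots": blind_spots}


if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG, watched_paths=["/some/endpoint"])
    for h in result["sqli_hits"]:
        print(f"SQLi {h['ip']} {h['ts']} {h['path']} {h['indicators']}: {h['query']}")
    for b in result["post_blind_spots"]:
        print(f"POST to watched path, body not logged: {b['ip']} {b['ts']} {b['path']}")
```

On the sample input the two GET lines are flagged by their decoded payloads, while the POST line is reported only as a blind spot: to decide whether that request carried an injection you need something that saw the body, such as WAF logs, a reverse proxy configured to log request bodies, or the application's own logs.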
Magento users should apply patches immediately. Akamai Kona WAF customers should ensure that SQL injection rules are set to Deny.
With multiple severe vulnerabilities such as these, the best course of action is to apply the vendor's recommended patches as soon as possible. System administrators should also examine their logs for indicators of compromise, as exploitation of this vulnerability is becoming increasingly widespread. Given the many recent reports of card skimming by groups such as Magecart, we anticipate that this vulnerability may be used in those types of attacks. That is especially dangerous because a system compromise is not always obvious, while a successfully planted card skimmer can do a great deal of damage before it is noticed.