Akamai Security Intelligence & Threat Research

SIRT Advisory: Multiple Vulnerabilities in Magento

Summary

Magento users should patch their systems to the fixed versions 2.3.1, 2.2.8 and 2.1.17 immediately due to multiple severe vulnerabilities disclosed in Magento on March 26, 2019.

Details

Earlier this week, Magento released details on more than 30 vulnerabilities affecting Magento versions 2.0 and up. Among the vulnerabilities is an unauthenticated SQL Injection vector, which has been listed as critical by Magento. A proof of concept exploit has been published, and the vulnerability is being actively exploited in the wild. The public exploit appears to steal the administrator's session ID, allowing an attacker to authenticate as the administrator to the impacted site. Also, since the vulnerability is a SQL injection vulnerability, an attacker can read, write and otherwise modify the victim's database. To determine if you've been targeted in an attack, you should examine your web server's access logs for the following:

The SQL injection attack attempts are directed against the following paths:

  • /catalog/product_frontend_action/synchronize

  • /catalog/product_frontend_action_synchronize

This vulnerability can be exploited via GET and POST requests. Attacks via POST requests may be less obvious in your log files, since the SQL injection string contained in the POST body isn't logged.
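One way to run this log check, as an added example that is not part of the original advisory. It assumes the Apache/nginx "combined" access log format; the function name `scan`, the finding fields, and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Paths the advisory lists as targets of the SQL injection attempts.
TARGET_PATHS = (
    "/catalog/product_frontend_action/synchronize",
    "/catalog/product_frontend_action_synchronize",
)

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def scan(lines):
    """Return one finding per logged request that touches an advisory path."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        # Decode and lowercase so encoded or mixed-case paths still match;
        # substring match tolerates store-code or index.php prefixes.
        path = unquote(url.path).lower()
        if not any(p in path for p in TARGET_PATHS):
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            # GET carries the injected string in the logged query; a POST
            # body is not logged, so the hit itself is the only evidence.
            "payload_in_log": m["method"] == "GET" and bool(url.query),
        })
    return findings


# Constructed sample lines (documentation IP ranges, placeholder query).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Mar/2019:10:01:02 +0000] "GET /catalog/product/view/id/7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Mar/2019:10:02:11 +0000] "GET /catalog/product_frontend_action/synchronize?PLACEHOLDER=1 HTTP/1.1" 200 2 "-" "-"',
    '198.51.100.7 - - [28/Mar/2019:10:02:15 +0000] "POST /index.php/catalog/product_frontend_action/synchronize HTTP/1.1" 200 2 "-" "-"',
    '203.0.113.5 - - [28/Mar/2019:10:03:40 +0000] "GET /Catalog/product_frontend_action_synchronize HTTP/1.1" 404 310 "-" "-"',
]
```

Each finding is a lead for review rather than proof of compromise; POST hits in particular need correlation with other evidence because the request body is absent from the log.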

Recommendations

Magento users should apply patches immediately. Akamai Kona WAF customers should ensure that SQL injection rules are set to Deny.

Conclusion

With multiple severe vulnerabilities such as these, the best course of action is to apply the vendor-recommended patches as soon as possible. System administrators should also examine their logs for possible indicators of compromise, as this vulnerability is being exploited on an increasingly widespread scale. With many recent reports of card skimming by groups like Magecart, we anticipate that this vulnerability may be utilized in those types of attacks. This can be especially dangerous because system compromise isn't always entirely obvious, yet a successful card skimmer infection can be quite damaging.

References

https://magento.com/security/patches/supee-11086

https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update