New versions (2.3.1, 2.2.8 and 2.1.17) of the Magento ecommerce platform were released last week with patches for dozens of vulnerabilities, including critical remote code execution and SQL injection flaws.
The most important of the bugs is an SQL injection impacting Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1.
By exploiting the vulnerability, an unauthenticated attacker could execute arbitrary code, which could result in sensitive data leakage, Magento explains.
The vulnerability is very easy to exploit and users are advised to apply the newly released patch as soon as possible, to prevent compromise. They can verify if they were targeted via this bug by checking the access_log file for multiple hits to /catalog/product/frontend_action_synchronize.
The security flaw can be exploited to read any information from the database, meaning that an attacker can extract admin sessions or password hashes and use them to access the backend, the researchers at Ambionics Security reveal.
The vulnerability “can be exploited without any pre-conditions, being sufficient to steal the entire database and likely take control over the vulnerable website and web server. Sophisticated malware infections may plague gutted websites once all valuable data is stolen,” High-Tech Bridge’s CEO Ilia Kolochenko told SecurityWeek in an emailed comment.
“Magento is mostly used on trusted e-commerce websites and thus opens a door to a great wealth of sensitive PII including valid credit cards details,” Kolochenko said.
Impacting Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1, another critical flaw allows an authenticated user to execute arbitrary code through crafted newsletter or email template code.
Another critical remote code execution addressed this month could be exploited by an authenticated user with administrative privileges through email templates.
Also affecting Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1, the fourth critical bug is an SQL Injection and cross-site scripting vulnerability in Catalog section (XSS).
“An authenticated user can embed malicious code through a stored cross-site scripting vulnerability or an SQL injection vulnerability in the Catalog section by manipulating attribute_code,” Magento explains.
This week, Magento addressed other important remote code execution vulnerabilities as well, along with information disclosure, Cross Site Scripting, privilege escalation, privilege escalation and enumeration, and Cross Site Request Forgery flaws.
“All Magento website owners should urgently update their systems and check the web server and all other available logs for IoC (indicator of compromise). In case of a merest suspicion, detailed forensics should be conducted to determine whether the system was breached. These days, cybercriminals know how to cover their tracks, however, they may unwittingly suppress too much evidence and thereby expose their presence,” Kolochenko said.
Related: Magecart Hackers Now Targeting Vulnerable Magento Extensions
Related: Hacked Magento Sites Steal Card Data, Spread Malware