Application Security , Governance & Risk Management , Incident & Breach Response

Patched Adobe Commerce, Magento Last Week? Patch Again

As POC Exploit Emerges for Recently Patched Bug, Adobe Issues Update
Patched Adobe Commerce, Magento Last Week? Patch Again
Image Source: Adobe

On Feb. 13, Adobe patched a critical vulnerability, tracked as CVE-2022-24086, that affected its Commerce and Magento platforms. But a proof-of-concept exploit for the patch has resulted in yet another out-of-band patch update from Adobe for CVE-2022-24087.

See Also: Preventing Attacker Access to Legacy and other Untouchable Systems

Adobe has credited security researchers Eboda and Blaklis of cybersecurity firm Bugscale SA with finding these bugs. In a tweet, Blaklis urges users to apply the latest fix, as the first patch is not sufficient on its own.

In a report, security researchers from Positive Technologies who formulated a POC exploit for the vulnerability describe the issue as critical and have urged users to apply the latest hotfix immediately.

The Vulnerabilities

The vulnerabilities, both of which fall under the "improper input validation" category, have an identical CVSS base score of 9.8, according to Adobe's security advisory.

Blaklis, aka Daniel Le Gall, tells Information Security Media Group that CVE-2022-24086 allows an attacker to use the templating system to trigger arbitrary code execution on the Magento instance. CVE-2022-24087, he says, is a bypass of the initial fix provided by Magento that reintroduces the same behavior, even with the fix applied.

Blaklis says: "CVE-2022-24087 is a re-exploitation of CVE-2022-24086 that exploits the fact that the initial patch wasn't sufficient. We found it easily once we had an initial exploit for CVE-2022-24086, which makes it important to them both."

He says that if someone has the exploit for CVE-2022-24086, they should be able to find the bypass and get command execution again with CVE-2022-24087. "It took us 30 minutes to bypass the patch once we had the exploit for the initial vulnerability, with not just one but two different methods," Blacklis says.

He did not name the two different methods used, saying he would give people enough time to patch before publicly disclosing any details on CVE-2022-24087.

As CVE-2022-24087 carries the same risks as CVE-2022-24086 - which has been exploited in the wild - Adobe has assigned both the vulnerabilities the highest patch priority rating. It recommends that users and admins install the updates within 72 hours of their release.

In the initial update, Adobe said that CVE-2022-24086 was sparsely exploited in the wild, and the company says that it is unaware of any active exploitation of CVE-2022-24087 in the wild.

Affected Versions

The versions of Adobe Commerce and Magento Open Source affected by the vulnerabilities are:

  • Adobe Commerce - 2.4.3-p1 and earlier;
  • Adobe Commerce - 2.3.7-p2 and earlier;
  • Magento Open Source - 2.4.3-p1 and earlier;
  • Magento Open Source - 2.3.7-p2.

Versions 2.3.0 to 2.3.3 of both apps are not affected, Adobe says.

Patches

Adobe recommends that customers apply both patches in the following order:

  1. MDVA-43395 patch for CVE-2022-24086;
  2. MDVA-43443 patch for CVE-2022-24087.

Here are the specific patches for the respective Adobe Commerce and Magento Open Source versions:

2.4.3 - 2.4.3-p1

Adobe Commerce
  1. MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip;
  2. MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip.
Magento Open Source
  1. MDVA-43395_EE_2.4.3-p1_v1.patch.zip;
  2. MDVA-43443_EE_2.4.3-p1_v1.patch.zip

2.3.4-p2 - 2.4.2-p2

Adobe Commerce
  1. MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip;
  2. MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip.
Magento Open Source
  1. MDVA-43395_EE_2.4.3-p1_v1.patch.zip;
  2. MDVA-43443_EE_2.4.2-p2_v1.patch.zip.

2.3.3-p1 - 2.3.4

Adobe Commerce
  1. MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip;
  2. MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip.
Magento Open Source
  1. MDVA-43395_EE_2.4.3-p1_v1.patch.zip;
  2. MDVA-43443_EE_2.3.4_v1.patch.zip.

Blaklis tells ISMG that Adobe has done its best to contact its Commerce customers for now, and people running it should be aware of the flaw, but that is not the case for open-source users. In what he calls a "wild guess," Blaklis says users of the open-source versions will be the most affected.

Outdated Magento Breach

In early February, Sansec's researchers detected a data breach at more than 500 stores using the Magento 1 e-commerce platform. The platform had officially reached its end of support from Adobe on June 30, 2020 (see: Massive Breach Hits 500 E-Commerce Sites).

The attackers used a combination of an SQL injection and PHP Object Injection attack to gain control of the Magento stores, the researchers said. They also found that the attacker had left no less than 19 backdoors on the system.

In September 2020, Sanguine Security researchers warned about a similar issue. At the time, 2,000 sites that used the 12-year-old Magento 1 e-commerce platform had been targeted by JavaScript skimmers designed to steal payment card data during the online checkout process (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).

A Shodan search by ISMG shows that more than 20,000 sites still rely on the 12-year-old version of Magento 1.

Need for Behavioral-Based Detection

Kunal Modasiya, senior director of product management at PerimeterX, tells ISMG that given the continued issues with outdated versions of the Magento platform, motivated adversaries and threat attackers are coming up with exploits that are hard for traditional rule-based detection systems to detect. As a result, he says, it is critical that e-commerce companies get real-time alert notifications for vulnerabilities in a website's JavaScript code, including third-party code, and for any suspicious JavaScript activity.

"They should employ behavioral-based detection solutions that quickly isolate any third-party library changes that may cause the leak of payment card data and quickly mitigate the risk by removing or updating the third-party library that includes fixes for vulnerabilities, which will help prevent further PCI data leaks," Modasiya says.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.