
Patched Adobe Commerce, Magento Last Week? Patch Again

Application Security, Governance and Risk Management, Incident and Breach Response

Adobe Issues Update as POC Exploit Emerges for Recently Fixed Bug

Mihir Bagwe • February 21, 2022

Image source: Adobe

On February 13, Adobe patched a critical vulnerability, tracked as CVE-2022-24086, which affected its Commerce and Magento platforms. But a proof-of-concept exploit that bypassed the patch prompted another out-of-band update from Adobe, this time for CVE-2022-24087.


Adobe credited security researchers Eboda and Blaklis of cybersecurity firm Bugscale SA with finding the bugs. In a tweet, Blaklis urges users to apply the latest patch, as the first patch is not enough on its own.

In a report, security researchers from Positive Technologies, who developed a POC exploit for the vulnerability, described the issue as critical and urged users to apply the latest patch immediately.

Vulnerabilities

The vulnerabilities, which both fall under the category of “improper input validation,” have an identical CVSS base score of 9.8, according to Adobe’s security advisory.

Blaklis, aka Daniel Le Gall, tells Information Security Media Group that CVE-2022-24086 allows an attacker to use the template system to trigger the execution of arbitrary code on the Magento instance. CVE-2022-24087, he says, works around the initial patch provided by Magento and reintroduces the same behavior even with the patch applied.

Blaklis states: “CVE-2022-24087 is a re-exploit of CVE-2022-24086 which exploits the fact that the initial patch was not sufficient. We found it easily once we had an initial exploit for CVE-2022-24086, which makes it important to both of them.”

He says anyone who has the exploit for CVE-2022-24086 should be able to find the workaround and get commands executed again via CVE-2022-24087. “It took us 30 minutes to bypass the patch once we had the exploit for the initial vulnerability, with not one but two different methods,” Blaklis explains.

He did not name the two different methods used, saying he would give people enough time to fix before releasing details about CVE-2022-24087 publicly.

Because CVE-2022-24087 carries the same risks as CVE-2022-24086 – which has been exploited in the wild – Adobe has assigned both vulnerabilities the highest patch priority rating. It recommends that users and administrators install updates within 72 hours of their release.

In the initial update, Adobe stated that CVE-2022-24086 was lightly exploited in the wild, and the company says it is not aware of any active exploitation of CVE-2022-24087 in the wild.

Affected Versions

The versions of Adobe Commerce and Magento Open Source affected by the vulnerabilities are:

  • Adobe Commerce – 2.4.3-p1 and earlier;
  • Adobe Commerce – 2.3.7-p2 and earlier;
  • Magento Open Source – 2.4.3-p1 and earlier;
  • Magento Open Source – 2.3.7-p2.

Versions 2.3.0 through 2.3.3 of both apps are unaffected, Adobe says.

Fixes

Adobe recommends that customers apply both patches in the following order:

  1. Patch MDVA-43395 for CVE-2022-24086;
  2. Patch MDVA-43443 for CVE-2022-24087.

Here are the specific fixes for the respective Adobe Commerce and Magento Open Source versions:

2.4.3 – 2.4.3-p1

Adobe Commerce

  1. MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip;
  2. MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip.

Magento Open Source

  1. MDVA-43395_EE_2.4.3-p1_v1.patch.zip;
  2. MDVA-43443_EE_2.4.3-p1_v1.patch.zip.

2.3.4-p2 – 2.4.2-p2

Adobe Commerce

  1. MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip;
  2. MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip.

Magento Open Source

  1. MDVA-43395_EE_2.4.3-p1_v1.patch.zip;
  2. MDVA-43443_EE_2.4.2-p2_v1.patch.zip.
2.3.3-p1 – 2.3.4

Adobe Commerce

  1. MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip;
  2. MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip.

Magento Open Source

  1. MDVA-43395_EE_2.4.3-p1_v1.patch.zip;
  2. MDVA-43443_EE_2.3.4_v1.patch.zip.
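
The version table above is easy to misread under time pressure, so here is an added example (not Adobe's or Magento's own tooling) that picks the patch pair for an installed version and applies the two patches in the order the advisory gives, MDVA-43395 first and MDVA-43443 second. The version ranges and file names come from the table; the `commerce`/`opensource` edition argument, the `PATCH_DIR` layout, the assumption that each `.zip` unpacks to a `.patch` of the same base name, and applying with `patch -p1` from the Magento root are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Adobe's own script. Maps an installed Adobe Commerce /
# Magento Open Source version to the MDVA-43395 + MDVA-43443 patch pair from
# the advisory table and applies them in order.

# Turn "2.4.3-p1" into the integer key 2004003001 so version ranges can be
# compared with plain shell arithmetic ("2.4.3" becomes 2004003000).
version_key() {
  base=${1%-p*}
  case "$1" in
    *-p*) p=${1##*-p} ;;
    *)    p=0 ;;
  esac
  # split the dotted part in a subshell so IFS is not changed for the caller
  ( IFS=.; set -- $base; printf '%d%03d%03d%03d\n' "$1" "$2" "$3" "$p" )
}

# in_range VERSION LOW HIGH -> exit 0 when LOW <= VERSION <= HIGH (inclusive)
in_range() {
  k=$(version_key "$1")
  [ "$k" -ge "$(version_key "$2")" ] && [ "$k" -le "$(version_key "$3")" ]
}

# patch_files_for VERSION EDITION
#   EDITION is "commerce" (Composer-based patch names) or "opensource"
#   (assumed argument names). Prints the two patch file names, MDVA-43395
#   first, or "unaffected" / "unknown" when the version falls outside every
#   range the advisory table lists.
patch_files_for() {
  v=$1
  case "$2" in
    commerce)   suffix=_COMPOSER_v1.patch ;;
    opensource) suffix=_v1.patch ;;
    *) echo "usage: patch_files_for VERSION commerce|opensource" >&2; return 2 ;;
  esac
  if in_range "$v" 2.3.0 2.3.3; then
    echo unaffected; return 0
  fi
  # MDVA-43395 ships as a single 2.4.3-p1 build for every affected range
  first="MDVA-43395_EE_2.4.3-p1$suffix"
  if   in_range "$v" 2.4.3    2.4.3-p1; then second="MDVA-43443_EE_2.4.3-p1$suffix"
  elif in_range "$v" 2.3.4-p2 2.4.2-p2; then second="MDVA-43443_EE_2.4.2-p2$suffix"
  elif in_range "$v" 2.3.3-p1 2.3.4;    then second="MDVA-43443_EE_2.3.4$suffix"
  else echo unknown; return 1
  fi
  echo "$first $second"
}

# apply_patches VERSION EDITION PATCH_DIR
#   Assumes the .zip archives were downloaded into PATCH_DIR and that this
#   runs from the Magento root. Each patch is dry-run first so a rejected
#   hunk stops the procedure before any file is modified.
apply_patches() {
  files=$(patch_files_for "$1" "$2") || return 1
  case "$files" in unaffected|unknown) echo "$files"; return 1 ;; esac
  for f in $files; do
    unzip -o -q "$3/$f.zip" -d "$3" || return 1
    patch -p1 --dry-run < "$3/$f" || return 1
    patch -p1 < "$3/$f" || return 1
  done
}

# usage (from the Magento root):  apply_patches 2.4.3-p1 commerce ./patches
```

Versions that are neither in the unaffected 2.3.0 through 2.3.3 range nor in one of the three listed patch ranges come back as `unknown` rather than being guessed at, which is the case to escalate to Adobe's advisory rather than patch blindly.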
Blaklis tells ISMG that Adobe has done its best to contact its Commerce customers, so those running it should be aware of the flaw, but open source users are not. In what he calls a “wild guess,” Blaklis says users of the open source versions will be the most affected.

Breach of Deprecated Magento

At the beginning of February, Sansec researchers detected a data breach in more than 500 stores using the Magento 1 e-commerce platform. The platform had officially reached its end of support from Adobe on June 30, 2020 (see: Massive breach hits 500 e-commerce sites).

The attackers used a combination of SQL injection and PHP object injection attacks to take over Magento stores, the researchers said. They also found that the attacker left no fewer than 19 backdoors on the system.

In September 2020, Sanguine Security researchers warned of a similar problem. At the time, 2,000 sites that used the 12-year-old Magento 1 e-commerce platform were targeted by JavaScript skimmers designed to steal payment card data during the online checkout process (see: Payment card skimming affects 2,000 e-commerce sites).

A Shodan search by ISMG shows that more than 20,000 sites still rely on the 12-year-old version of Magento 1.

Need for Behavior-Based Detection

Kunal Modasiya, senior director of product management at PerimeterX, told ISMG that given the ongoing issues with outdated versions of the Magento platform, motivated adversaries are coming up with exploits that are hard to detect with traditional rule-based detection systems. Therefore, he says, it is essential that e-commerce businesses receive real-time alerts for vulnerabilities in a website’s JavaScript code, including third-party code, and for any suspicious JavaScript activity.

“They should use behavior-based detection solutions that quickly isolate any third-party library changes that may be causing the payment card data leak and quickly mitigate the risk by removing or updating the third-party library that includes patches for vulnerabilities, which will help prevent further PCI data leaks,” says Modasiya.