Adobe Issues Update as PoC Exploit Emerges for Recently Fixed Bug
Mihir Bagwe
February 21, 2022
On February 13, Adobe patched a critical vulnerability, tracked as CVE-2022-24086, which affected its Commerce and Magento platforms. But a proof-of-concept exploit that bypassed that patch led Adobe to release another out-of-band update, this time for CVE-2022-24087.
Adobe credited security researchers Eboda and Blaklis of cybersecurity firm Bugscale SA with finding the bugs. In a tweet, Blaklis urges users to apply the latest patch, as the first patch is not enough on its own.
A new patch has been released for Magento 2, to mitigate pre-authenticated remote code execution. If you patched with the first patch, IT IS NOT SUFFICIENT to be sure.
Please update again! https://t.co/vtYj9Ic6ds @ptswarm (as you had a PoC too!) #magento
— Blaklis (@Blaklis_) February 17, 2022
In a report, security researchers from Positive Technologies, who developed a PoC exploit for the vulnerability, described the issue as critical and urged users to apply the latest patch immediately.
⚡️We successfully bypassed the patch for RCE in Magento Open Source and Adobe Commerce (CVE-2022-24086), and sent the report to Adobe (we weren’t the first). New CVE-2022-24087 has been released. The fix is now available.
Patch ASAP! https://t.co/G6j7nGkld9
— PT SWARM (@ptswarm) February 18, 2022
The vulnerabilities, which both fall under the category of “bad input validation,” have an identical CVSS Base Score of 9.8, according to Adobe’s security advisory.
Blaklis, aka Daniel Le Gall, tells Information Security Media Group that CVE-2022-24086 allows an attacker to use the template system to trigger the execution of arbitrary code on the Magento instance. CVE-2022-24087, he says, is a workaround of the initial patch provided by Magento which reintroduces the same behavior even with the patch applied.
Blaklis states: “CVE-2022-24087 is a re-exploit of CVE-2022-24086 which exploits the fact that the initial patch was not sufficient. We found it easily once we had an initial exploit for CVE-2022-24086, which makes it important to both of them.”
He says if anyone has the exploit for CVE-2022-24086 they should be able to find the workaround and get the command executed again with CVE-2022-24087. “It took us 30 minutes to bypass the patch once we had the exploit for the initial vulnerability, with not one but two different methods,” Blaklis explains.
He did not name the two different methods used, saying he would give people enough time to fix before releasing details about CVE-2022-24087 publicly.
Because CVE-2022-24087 carries the same risks as CVE-2022-24086 – which has been exploited in the wild – Adobe has assigned both vulnerabilities the highest patch priority rating. It recommends that users and administrators install updates within 72 hours of their release.
In the initial update, Adobe stated that CVE-2022-24086 was lightly exploited in the wild, and the company says it is not aware of any active exploitation of CVE-2022-24087 in the wild.
The versions of Adobe Commerce and Magento Open Source affected by the vulnerabilities are:
- Adobe Commerce – 2.4.3-p1 and earlier;
- Adobe Commerce – 2.3.7-p2 and earlier;
- Magento Open Source – 2.4.3-p1 and earlier;
- Magento Open Source – 2.3.7-p2.
Versions 2.3.0 through 2.3.3 of both apps are unaffected, Adobe says.
Adobe recommends that customers apply both patches in the following order:
- Patch MDVA-43395 for CVE-2022-24086;
- Patch MDVA-43443 for CVE-2022-24087.
Here are the version ranges covered by the specific fixes for Adobe Commerce and Magento Open Source:
- Magento Open Source 2.4.3 – 2.4.3-p1;
- Magento Open Source 2.3.4-p2 – 2.4.2-p2;
- Magento Open Source 2.3.3-p1 – 2.3.4.
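A quick triage helper, written here as an added example (not Adobe's or the researchers' tooling), that parses Magento-style version strings such as `2.4.3-p1` and maps an installed version onto the affected ranges and patch order the article lists. The ranges are taken only from the text above; the `triage` inventory is a constructed sample.

```python
import re

# Patch files the article says to apply, in Adobe's recommended order.
PATCH_ORDER = ["MDVA-43395", "MDVA-43443"]  # CVE-2022-24086, then CVE-2022-24087


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[-pN]' into a comparable tuple; a missing -pN counts as p0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside a range the article lists as vulnerable.

    From the article: 2.4.3-p1 and earlier, and 2.3.7-p2 and earlier, are affected,
    while 2.3.0 through 2.3.3 are unaffected (so 2.3.3-p1 is the first vulnerable 2.3.x).
    Branches not listed in the advisory (including end-of-life Magento 1) return False.
    """
    v = parse_version(version)
    if v[:2] == (2, 4):
        return v <= (2, 4, 3, 1)
    if v[:2] == (2, 3):
        if (2, 3, 0, 0) <= v <= (2, 3, 3, 0):
            return False
        return v <= (2, 3, 7, 2)
    return False


def required_patches(version: str) -> list:
    """Patches to apply, in order, for an installed version; empty if not affected."""
    return list(PATCH_ORDER) if is_affected(version) else []


def triage(inventory: dict) -> dict:
    """Map host -> required patches for every affected host in a {host: version} inventory."""
    return {host: required_patches(ver) for host, ver in inventory.items() if is_affected(ver)}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"shop-a": "2.4.3-p1", "shop-b": "2.4.4", "shop-c": "2.3.3", "shop-d": "2.3.3-p1"}
    for host, patches in triage(sample).items():
        print(f"{host}: apply {' then '.join(patches)}")
```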
Blaklis tells ISMG that Adobe has done its best to contact its Commerce customers at this time, and people running it should be aware of the flaw, but open source users are not. In what he calls a “wild guess,” Blaklis claims that users of open source versions will be the most affected.
Deprecated Magento Breach
At the beginning of February, Sansec researchers detected a data breach in more than 500 stores using the Magento 1 e-commerce platform. The platform had officially reached its end of support from Adobe on June 30, 2020 (see: Massive breach hits 500 e-commerce sites).
The attackers used a combination of SQL injection and PHP object injection attacks to take over Magento stores, the researchers said. They also discovered that the attacker left no less than 19 backdoors on the system.
A Shodan search by ISMG shows that more than 20,000 sites still rely on the 12-year-old version of Magento 1.
Need for Behavior-Based Detection
“They should use behavior-based detection solutions that quickly isolate any third-party library changes that may be causing the payment card data leak and quickly mitigate the risk by removing or updating the third-party library that includes patches for vulnerabilities, which will help prevent further PCI data leaks,” says Modasiya.