Application Security , Governance & Risk Management , Incident & Breach Response
Patched Adobe Commerce, Magento Last Week? Patch Again
As POC Exploit Emerges for Recently Patched Bug, Adobe Issues UpdateOn Feb. 13, Adobe patched a critical vulnerability, tracked as CVE-2022-24086, that affected its Commerce and Magento platforms. But a proof-of-concept exploit for the patch has resulted in yet another out-of-band patch update from Adobe for CVE-2022-24087.
See Also: Gartner Guide for Digital Forensics and Incident Response
Adobe has credited security researchers Eboda and Blaklis of cybersecurity firm Bugscale SA with finding these bugs. In a tweet, Blaklis urges users to apply the latest fix, as the first patch is not sufficient on its own.
A new patch have been published for Magento 2, to mitigate the pre-authenticated remote code execution. If you patched with the first patch, THIS IS NOT SUFFICIENT to be safe.
— Blaklis (@Blaklis_) February 17, 2022
Please update again!https://t.co/vtYj9Ic6ds@ptswarm (as you had a PoC too!)#magento
In a report, security researchers from Positive Technologies who formulated a POC exploit for the vulnerability describe the issue as critical and have urged users to apply the latest hotfix immediately.
⚡️We have successfully bypassed the patch for RCE in Magento Open Source and Adobe Commerce (CVE-2022-24086), and have sent the report to Adobe (we weren't the first). The new CVE-2022-24087 was issued. Hotfix is available now.
— PT SWARM (@ptswarm) February 18, 2022
Patch ASAP! https://t.co/G6j7nGkld9
The Vulnerabilities
The vulnerabilities, both of which fall under the "improper input validation" category, have an identical CVSS base score of 9.8, according to Adobe's security advisory.
Blaklis, aka Daniel Le Gall, tells Information Security Media Group that CVE-2022-24086 allows an attacker to use the templating system to trigger arbitrary code execution on the Magento instance. CVE-2022-24087, he says, is a bypass of the initial fix provided by Magento that reintroduces the same behavior, even with the fix applied.
Blaklis says: "CVE-2022-24087 is a re-exploitation of CVE-2022-24086 that exploits the fact that the initial patch wasn't sufficient. We found it easily once we had an initial exploit for CVE-2022-24086, which makes it important to them both."
He says that if someone has the exploit for CVE-2022-24086, they should be able to find the bypass and get command execution again with CVE-2022-24087. "It took us 30 minutes to bypass the patch once we had the exploit for the initial vulnerability, with not just one but two different methods," Blacklis says.
He did not name the two different methods used, saying he would give people enough time to patch before publicly disclosing any details on CVE-2022-24087.
As CVE-2022-24087 carries the same risks as CVE-2022-24086 - which has been exploited in the wild - Adobe has assigned both the vulnerabilities the highest patch priority rating. It recommends that users and admins install the updates within 72 hours of their release.
In the initial update, Adobe said that CVE-2022-24086 was sparsely exploited in the wild, and the company says that it is unaware of any active exploitation of CVE-2022-24087 in the wild.
Affected Versions
The versions of Adobe Commerce and Magento Open Source affected by the vulnerabilities are:
- Adobe Commerce - 2.4.3-p1 and earlier;
- Adobe Commerce - 2.3.7-p2 and earlier;
- Magento Open Source - 2.4.3-p1 and earlier;
- Magento Open Source - 2.3.7-p2.
Versions 2.3.0 to 2.3.3 of both apps are not affected, Adobe says.
Patches
Adobe recommends that customers apply both patches in the following order:
- MDVA-43395 patch for CVE-2022-24086;
- MDVA-43443 patch for CVE-2022-24087.
Here are the specific patches for the respective Adobe Commerce and Magento Open Source versions:
2.4.3 - 2.4.3-p1
Adobe Commerce
Magento Open Source
2.3.4-p2 - 2.4.2-p2
Adobe Commerce
Magento Open Source
2.3.3-p1 - 2.3.4
Adobe Commerce
Magento Open Source
Blaklis tells ISMG that Adobe has done its best to contact its Commerce customers for now, and people running it should be aware of the flaw, but that is not the case for open-source users. In what he calls a "wild guess," Blaklis says users of the open-source versions will be the most affected.
Outdated Magento Breach
In early February, Sansec's researchers detected a data breach at more than 500 stores using the Magento 1 e-commerce platform. The platform had officially reached its end of support from Adobe on June 30, 2020 (see: Massive Breach Hits 500 E-Commerce Sites).
The attackers used a combination of an SQL injection and PHP Object Injection attack to gain control of the Magento stores, the researchers said. They also found that the attacker had left no less than 19 backdoors on the system.
In September 2020, Sanguine Security researchers warned about a similar issue. At the time, 2,000 sites that used the 12-year-old Magento 1 e-commerce platform had been targeted by JavaScript skimmers designed to steal payment card data during the online checkout process (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).
A Shodan search by ISMG shows that more than 20,000 sites still rely on the 12-year-old version of Magento 1.
Need for Behavioral-Based Detection
Kunal Modasiya, senior director of product management at PerimeterX, tells ISMG that given the continued issues with outdated versions of the Magento platform, motivated adversaries and threat attackers are coming up with exploits that are hard for traditional rule-based detection systems to detect. As a result, he says, it is critical that e-commerce companies get real-time alert notifications for vulnerabilities in a website's JavaScript code, including third-party code, and for any suspicious JavaScript activity.
"They should employ behavioral-based detection solutions that quickly isolate any third-party library changes that may cause the leak of payment card data and quickly mitigate the risk by removing or updating the third-party library that includes fixes for vulnerabilities, which will help prevent further PCI data leaks," Modasiya says.