Web admins urged to update with Magecart cybercrime groups likely circling
UPDATED Adobe has patched multiple serious flaws in Magento, its popular e-commerce platform, to guard against potential arbitrary code execution attacks.
A security bulletin issued by the software giant on Tuesday (January 28) provided fixes for six vulnerabilities – three of them critical – for Magento’s Commerce, Open Source, Enterprise, and Community editions.
Applying the patches is important because payment-card skimming Magecart groups may well seek to exploit any systems that remain unpatched in the coming weeks and months.
Attackers could potentially execute malicious code by targeting two critical flaws – related to security bypass (CVE-2020-3718) and deserialization of untrusted data (CVE-2020-3716).
Magecart attackers could also leverage SQL injection exploits to capitalize on the third critical bug (CVE-2020-3719) and gain read access to databases containing payment card information.
Magecart groups, which abuse flaws in third-party e-commerce platforms to inject malicious JavaScript on checkout pages, can also steal payment card data by mounting cross-site scripting (XSS) attacks.
XSS flaws accounted for two of three patched vulnerabilities (CVE-2020-3715 and CVE-2020-3758) classed by Adobe as “important”, with the remaining flaw (CVE-2020-3717) exploitable through path traversal attacks.
Website admins are advised to promptly update Magento Commerce builds to version 2.3.4 or 2.2.11, Open Source editions to 2.3.4 or 2.2.11, Enterprise Editions to 1.14.4.4, and Community Editions to 1.9.4.4.
Adobe has assigned all six patches a “priority 2” rating, which means imminent attacks are not expected and that administrators should apply the updates within 30 days.
Adobe thanked four researchers – Ernesto Martin, Blaklis, Luke Rodgers, and Djordje Marjanovic – for discovering and reporting the vulnerabilities.
Magento powers e-commerce checkouts on thousands of websites, including Nike, Cisco, and Unipart.
A researcher who discovered three of the vulnerabilities, Blaklis, told The Daily Swig that an attacker would need to be granted “some administrative access – mainly email templates, pages, and product creation – to execute arbitrary commands on the underlying system.”
“Considering it's authenticated flaws, it's important but not urgent to apply the patches,” they said.
Blaklis added that the vulnerabilities were responsibly disclosed to Magento nearly three months ago.
“While the Magento team can easily be contacted through its HackerOne program, the quarterly schedule for updates makes it a bit long to wait for patches," they said.
The Daily Swig has contacted Magento to find out more.
This article has been updated with comments from the researcher known as Blaklis.