by John E Dunn
Cybercriminals are reportedly exploiting a critical flaw in the Magento e-commerce platform only days after it was made public by the researchers who discovered it.
Scoring a 9.0 on CVSS, the bug doesn’t yet have a CVE number to identify it, but Magento refers to it in its patching list as PRODSECBUG-2198 (the number being the important bit).
It’s an SQL injection flaw that can be exploited with no authentication or privileges, which is why, for admins tending sites using Magento, it’s a “stop what you’re doing and patch this now” situation.
That’s not difficult, as Adobe-owned Magento patched this flaw, along with several dozen others, in a security update published last week. The affected versions are:
Version 1 before 2.1.17
Version 2.2 before 2.8
Version 2.3 before 3.1
Magento Open Source before 9.4.1
Magento Commerce before 14.4.1
The patch for 2198 can be installed on its own but, ideally, sites should install the whole update. From Magento’s announcement:
To protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.
Among a total of 37 flaws, covering Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), there’s also a serious (CVSS 9.8) Remote Code Execution (RCE) flaw identified as PRODSECBUG-2192 that deserves careful attention.
Devil take the hindmost
What of the attacks on Magento sites? This part of the story began on 25 March, when little-known French pentesting company Ambionics Security (which also revealed the so-called Carpe Diem bug in Apache this week) tweeted the following:
Tomorrow, #Magento releases a patch for an unauthenticated #SQLi and #RCE we reported a few months ago. We’ll describe the vulnerabilities, and how they can be exploited, in our next blog post. Patch your systems! pic.twitter.com/ …