CosmicSting: Vulnerability CVE-2024-34102 put Adobe Commerce and Magento stores at risk

Small addendum from last week. It has been known since the middle of the month that the vulnerability CVE-2024-34102 exists in Adobe Commerce and Magento online stores. Combined with a Linux vulnerability, thousands of stores can be taken over by attackers. A fix has been available for a few days, but the majority of online stores are still running unpatched versions.


Vulnerability CVE-2024-34102

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier versions are affected by the vulnerability CVE-2024-34102. An XML External Entity Reference ("XXE") could allow the execution of arbitrary code. An attacker could exploit this vulnerability by sending a manipulated XML document that refers to external entities. No user interaction is required to exploit this issue. A CVSS 3.1 score of 9.8 has now been assigned – the vulnerability is therefore rated critical.

CosmicSting (CVE-2024-34102) is the worst flaw to appear in Magento and Adobe Commerce in two years. It allows anyone to read private files (e.g. those containing passwords) without authorization. However, when combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution. This killer bug gives attackers full control, and the attack can be automated, leading to mass hacks on a global scale.
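The XXE mechanism described above (a DOCTYPE that declares an entity pointing at an external resource) is something a defender can screen for before the body ever reaches the application. The following is an added example, not code from the article, from Adobe or from Sansec: a pre-check, as it might run in a reverse proxy or middleware in front of a store (hypothetical deployment), that uses Python's expat binding to report DOCTYPE and entity declarations without resolving any of them. The sample bodies are constructed; the file path in the second one is a placeholder.

```python
import xml.parsers.expat
from xml.parsers.expat import ExpatError

# Constructed sample request bodies (not real traffic).
BENIGN_BODY = b'<?xml version="1.0"?><order><id>1001</id></order>'
XXE_BODY = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
            b'<order><id>&ext;</id></order>')


def scan_xml_body(body: bytes) -> dict:
    """Report DOCTYPE and entity declarations in an XML body.

    Nothing is resolved: no ExternalEntityRefHandler is installed, so expat
    only announces declarations, and parameter-entity parsing is disabled so
    no external DTD subset is fetched either.
    """
    findings = {"doctype": False, "external_dtd": False,
                "external_entities": [], "internal_entities": [],
                "parse_error": None}
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = True
        findings["external_dtd"] = bool(sysid or pubid)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # A SYSTEM or PUBLIC identifier means the entity points outside the document.
        if sysid is not None or pubid is not None:
            findings["external_entities"].append(name)
        else:
            findings["internal_entities"].append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(body, True)
    except ExpatError as exc:
        findings["parse_error"] = str(exc)
    return findings


def should_reject(body: bytes) -> bool:
    """Policy: a store API has no legitimate reason to receive a DOCTYPE at all,
    so any DOCTYPE is rejected, as is a body that is not well-formed XML."""
    f = scan_xml_body(body)
    return f["doctype"] or f["parse_error"] is not None
```

Rejecting every DOCTYPE is deliberately coarser than matching only external entities; it also stops internal-entity expansion tricks and needs no payload signatures.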

There is an update

Adobe has already published the security warning APSB24-40 on June 11, 2024. Adobe has released a security update for Adobe Commerce, Magento Open Source and the Adobe Commerce Webhooks plugin. This update fixes the above-mentioned vulnerability, which is classified as critical, as well as other important vulnerabilities. Details on the updated versions can be found in the Adobe document with the security warning.

Numerous unpatched online stores at risk

However, the update frequency of online stores built on Adobe products (Magento etc.) is probably miserable. The Sansec Forensics team sounded the alarm as early as June 18, 2024: a good 75% of e-commerce stores running Adobe software are at risk of CosmicSting attacks. One week after the release of a critical security fix, only a quarter of all Adobe Commerce and Magento stores had been patched.

As of June 23, 2024, Sergey Temnikov (aka spacewasp), who discovered the original problem, informed the Sansec team that third parties can obtain API admin access without needing a vulnerable Linux version (one with the iconv problem). This makes CosmicSting even more critical. Temnikov shared his findings in the article How I Was Paid $9,000 for a Critical Vulnerability in Adobe Commerce and also suggested an improved emergency workaround to mitigate the bug.


CVE-2024-34102 in Magento

Security researchers point out in the above tweet that they have found more than 54,200 services that are vulnerable to attack via the CosmicSting vulnerability. Millions of online stores based on the Adobe Commerce and Magento platforms are at risk.

