CVSS2
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (base score 10.0)

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8)

AI Score
Confidence: High

EPSS
Percentile: 96.4%
A zero-day remote code-execution (RCE) bug in the Magento 2 and Adobe Commerce platforms has been actively exploited in the wild, Adobe said – prompting an emergency patch to roll out over the weekend.
The vulnerability (CVE-2022-24086) is critical: it allows pre-authentication RCE arising from improper input validation and scores 9.8 out of 10 on the CVSS severity scale. The original report cited one mitigating factor, namely that an attacker would need administrative privileges to succeed. That caveat does not square with the pre-authentication description or with the CVSS 3.1 vector above (PR:N, Privileges Required: None), so an unpatched store should be treated as reachable by an unauthenticated attacker until proven otherwise.
It affects versions 2.3.7-p2 and earlier and 2.4.3-p1 and earlier of both platforms (Magento Open Source and Adobe Commerce), according to the advisory. SanSec, which published a deeper analysis of patching the bug on Magento, listed further considerations for the patching process.
SanSec noted on Monday that the bug came to light on Jan. 27, and that “this vulnerability has a similar severity as the Magento Shoplift vulnerability from 2015. At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit publication.”
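Before patching, the first question is whether a given store is inside the affected ranges stated above. The following Python triage script is an added example, not code from the Threatpost article, SanSec or Adobe. The Composer package names and the `bin/magento --version` output format are real; the sample composer.json and CLI line are constructed inputs. The detail worth getting right is the ordering of Magento's `-pN` security-patch suffix: `2.4.3-p1` is newer than `2.4.3`, the opposite of a semver pre-release tag, so a generic version comparison would place patched stores inside the vulnerable range.

```python
import json
import re

# Affected ranges as stated in the advisory summary on this page:
# 2.3.7-p2 and earlier, and 2.4.3-p1 and earlier.
# Encoded as (major, minor, patch, p-level).
LAST_VULNERABLE_2_3 = (2, 3, 7, 2)   # 2.3.7-p2
LAST_VULNERABLE_2_4 = (2, 4, 3, 1)   # 2.4.3-p1

# Constructed sample inputs (not from a real store). A project composer.json
# normally pins the product package to an exact version like this.
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "magento/project-community-edition",
    "require": {"magento/product-community-edition": "2.4.3"},
})
# Output format of `bin/magento --version` (constructed sample line).
SAMPLE_CLI_OUTPUT = "Magento CLI 2.3.7-p3"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text):
    """Extract MAJOR.MINOR.PATCH[-pN] from text and return a comparable tuple.

    Magento's '-pN' suffix denotes a security patch release that is NEWER
    than the bare version (2.4.3-p1 > 2.4.3). A semver library would treat
    '-p1' as a pre-release and sort it BEFORE 2.4.3, so we map a missing
    suffix to p-level 0 and rely on plain tuple comparison instead.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Magento version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_vulnerable(version_text):
    """True if the version falls inside the affected ranges quoted above."""
    v = parse_version(version_text)
    if v >= (2, 4, 0, 0):
        return v <= LAST_VULNERABLE_2_4
    # Everything below the 2.4 line, including end-of-life 2.2.x and 2.1.x,
    # is covered by "2.3.7-p2 and earlier".
    return v <= LAST_VULNERABLE_2_3


def version_from_composer(composer_json_text):
    """Read the product version pinned in composer.json.

    composer.json records the *requested* constraint. If it is a range such
    as '^2.4.3', confirm the installed version from composer.lock or from
    `bin/magento --version` instead of trusting this value.
    """
    data = json.loads(composer_json_text)
    require = data.get("require", {})
    for package in ("magento/product-community-edition",
                    "magento/product-enterprise-edition"):
        if package in require:
            return require[package]
    raise ValueError("no Magento product package found in composer.json")


def triage(sources):
    """Map each labelled version source to (normalised version, vulnerable?)."""
    report = {}
    for label, text in sources.items():
        v = parse_version(text)
        normalised = f"{v[0]}.{v[1]}.{v[2]}" + (f"-p{v[3]}" if v[3] else "")
        report[label] = (normalised, is_vulnerable(normalised))
    return report


if __name__ == "__main__":
    result = triage({
        "composer.json": version_from_composer(SAMPLE_COMPOSER_JSON),
        "bin/magento --version": SAMPLE_CLI_OUTPUT,
    })
    for label, (version, vulnerable) in result.items():
        status = "VULNERABLE - patch now" if vulnerable else "outside affected range"
        print(f"{label:22} {version:10} {status}")
```

Run it against the real files on a store host (or feed it the output of `bin/magento --version`) to get a yes/no answer per source; a disagreement between composer.json and the CLI is itself a finding, since it means the deployed code is not what the manifest says.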
Researchers noted on Monday that patching need not be onerous:
> If you have the time, follow the instructions to patch your #magento 2 store with the guide from @avstudnitz.
>
> If you don’t have the time? Do the quick and dirty patch described here: <https://t.co/nZTlQGSBmp>
>
> It will take you less than 5 minutes, but you _have_ to patch today! <https://t.co/gkhT07QgbA> pic.twitter.com/7NqJMV3qzb
>
> — Willem_Wigman::tweets.phtml (@willemwigman) February 14, 2022
Indeed, updating is important for online merchants: The Magecart group famously targets unpatched versions of Magento in particular, looking for a way to plant credit-card skimmers on the checkout pages of eCommerce websites.
The threat actor, which is actually a consortium of many different card-harvesting subgroups, consistently evolves its skimmers to be more effective and efficient at evasion as well. For instance, in November, it added an extra browser process that uses the WebGL JavaScript API to check a user’s machine to ensure it’s not running on a virtual machine – thus evading researcher detection. And in January, an attack on Segway involved planting the skimmer by using a favicon that traditional security systems wouldn’t inspect.
For now, Adobe characterized the attacks as “very limited.” But card-skimmer activity is on the rise, and updates on the part of website owners seem sparse. Last week, SanSec reported a wave of skimming attacks targeting more than 500 sites, in particular those using outdated and unsupported Magento 1 implementations. Further data from Source Defense found as many as 50,000 to 100,000 sites that are using the end-of-life Magento 1.
“Magento and other eCommerce platforms have a long history of vulnerabilities … Running an eCommerce website on an outdated and unpatched platform is like driving your car without your seat belt on,” said Ron Bradley, vice president at Shared Assessments, via email. “The driver is thinking, the store is right around the corner, by the time I put my seatbelt on, I’ll be there, plus I don’t want to wrinkle my clothes. Then comes the crash!”
www.sourcedefense.com/
github.com/joren485/Magento-Shoplift-SQLI
helpx.adobe.com/security/products/magento/apsb22-12.html
sansec.io/research/magento-2-cve-2022-24086
sansec.io/research/naturalfreshmall-mass-hack
support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12-
t.co/7NqJMV3qzb
t.co/gkhT07QgbA
t.co/nZTlQGSBmp
threatpost.com/magecart-campaign-10k-online-shoppers/159216/
threatpost.com/magecart-credit-card-skimmer-avoids-vms-to-fly-under-the-radar/175993/
threatpost.com/segway-magecart-attack-favicon/177971/
twitter.com/avstudnitz
twitter.com/hashtag/magento
twitter.com/willemwigman/status/1493215723983970305