Critical Flaws in Magento e-Commerce Platform Allow Code-Execution


Critical vulnerabilities in Adobe’s Magento e-commerce platform – a favorite target of the [Magecart cybergang](<https://threatpost.com/magecart-blue-bear-attack/151585/>) – could lead to arbitrary code execution.

Adobe issued patches on Tuesday as part of its overall release of the [Magento 2.3.4 upgrade](<https://magento.com/blog/magento-news/magento-2.3.4-building-more-engaging-customer-experiences>), giving the fixes a “priority 2” rating. In [Adobe parlance](<https://helpx.adobe.com/security/severity-ratings.html>), priority 2 means that administrators should apply the updates within 30 days.

Out of the flaws, Adobe [has fixed](<https://helpx.adobe.com/security/products/magento/apsb20-02.html>) three that it rates as critical in severity, meaning that successful exploits could “allow malicious native code to execute, potentially without a user being aware.”

Two of these could allow arbitrary code execution: CVE-2020-3716 is a deserialization of untrusted data flaw; and CVE-2020-3718 is a security bypass issue. The bug tracked as CVE-2020-3719 meanwhile would allow SQL injection if successfully exploited.

[SQL injection attacks](<https://owasp.org/www-project-cheat-sheets/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html>) occur when a website developer doesn’t sanitize user-supplied data, which can lead to arbitrary reading and writing of data used within a web application. An attacker can take advantage by sending a malicious search query in the search box of a website.
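The article gives no technical detail of CVE-2020-3719, so the following is a generic illustration of the search-box pattern it describes, added here and not taken from the article or from Magento’s code: one product search that splices the user’s term into SQL text, beside one that binds it as a parameter. The table, column and product names are constructed, and the point that LIKE wildcards need escaping on top of parameter binding goes one step beyond the article.

```python
import sqlite3

# Constructed sample catalog; table and column names are assumptions, not Magento's schema.
CATALOG = [
    (1, "Blue T-Shirt", 19.99),
    (2, "Running Shoes", 89.00),
    (3, "Gift Card", 50.00),
    (4, "Men's Jacket", 120.00),
]


def make_db():
    """Build an in-memory store holding the constructed catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE catalog_product (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO catalog_product VALUES (?, ?, ?)", CATALOG)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Bug: the search-box value is spliced into the SQL text, so a quote in it
    changes the query's structure instead of being matched as a character."""
    sql = f"SELECT name FROM catalog_product WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def query_breaks(conn, term):
    """True if the unsafe query cannot even be parsed for this term. The first
    symptom of the bug is usually an error on legitimate input with an apostrophe."""
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


def escape_like(term):
    """Neutralise LIKE wildcards typed by the user. Parameter binding alone does
    not do this, so a bare '%' would otherwise still match every row."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_parameterized(conn, term):
    """Fix: the term travels as a bound parameter, never as SQL text, and its
    wildcards are escaped so it is matched literally."""
    sql = "SELECT name FROM catalog_product WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escape_like(term)}%",))]


if __name__ == "__main__":
    db = make_db()
    for term in ("shirt", "Men's", "' OR '1'='1", "%"):
        safe = search_parameterized(db, term)
        unsafe = "error" if query_breaks(db, term) else search_vulnerable(db, term)
        print(f"{term!r:16} vulnerable={unsafe} parameterized={safe}")
```

Run as a script it prints, for each term, what the two searches return: the legitimate term with an apostrophe errors out in the unsafe version, the tautology term returns every row from it, and the bare `%` matches everything there too, while the parameterized search treats all three as literal text.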
Adobe also patched a handful of bugs that it rates “important” in severity – [defined as](<https://helpx.adobe.com/security/severity-ratings.html>) issues that could allow “access to confidential data, or could compromise processing resources in a user’s computer.” These include CVE-2020-3715 and CVE-2020-3758, stored cross-site scripting (XSS) flaws that could allow sensitive information disclosure.

XSS bugs are [a type of injection](<https://owasp.org/www-community/attacks/xss/>), in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. If the browser doesn’t validate the script and executes it, the script can access cookies, session tokens or other sensitive information retained by the browser.

Meanwhile, the flaw tracked as CVE-2020-3717 is a path-traversal vulnerability that also could lead to sensitive information disclosure.

## The Magecart Connection

The updates are likely of interest to Magecart groups, who will look to exploit the flaws ahead of administrators applying the patches. Magecart is an umbrella term encompassing several different threat groups who typically use the same modus operandi. They compromise websites by exploiting vulnerabilities in third-party e-commerce platforms, in order to inject card-skimming scripts on checkout pages. Magento is one of Magecart’s most-targeted platforms.

SQL injection bugs for instance have been successfully used by Magecart groups in their efforts before. An attack last year against Magento 2 (mounted within 16 hours of the flaw being disclosed) [exploited an SQL injection bug](<https://sansec.io/labs/2019/05/10/magento-2-hacks/>) to steal administrative console credentials by dumping the contents of the admin_user database table. These credentials were then used to log into the Magento dashboard and add the Magecart malware to the targeted website.

Cross-site scripting (XSS) flaws are another common attack vector against websites. Magecart [used a form of XSS](<https://www.thesslstore.com/blog/magecart-newegg-breach/>) attacks during [the Newegg breach](<https://threatpost.com/magecart-strikes-again-siphoning-payment-info-from-newegg/137576/>), for example.

“Magecart is a simple bit of code that is sophisticatedly injected into websites to steal credit-card information and most of the time unknowing to the website organization,” said James McQuiggan, security awareness advocate at KnowBe4, via email. “It is important for organizations that use e-commerce websites with third-party connections or plugins to verify that they are up to date with all known patches and software. Organizations will want to restrict third-party vendors’ access to sensitive data, like credit-card data, names and home address. Having a robust third-party policy to restrict external access to sensitive information and only allowing verified code or scripts to be executed can greatly reduce exposure.”

The versions impacted by the latest slew of bugs are Magento Commerce and Open Source, 2.2.10 and earlier versions and 2.3.3 and earlier versions; Magento Enterprise Edition and earlier versions; and Magento Community Edition, and earlier versions. Users should update to version 2.3.4 to address the problems.

Adobe gave white-hats Ernesto Martin, Blaklis, Luke Rodgers and Djordje Marjanovic credit for the various bugs’ discovery.
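The stored XSS flaws the article lists (CVE-2020-3715 and CVE-2020-3758) are likewise described without technical detail, so this added example, which is not from the article or from Magento, shows the general mechanism behind a stored XSS with a constructed product-review store: text is saved exactly as submitted and then rendered once raw and once escaped at output time. The store layout and all function names are assumptions.

```python
import html


def new_store():
    """Constructed in-memory review store standing in for a database table."""
    return {}


def store_review(store, product_id, text):
    """Persist a customer review exactly as submitted. Storage is not where
    escaping belongs: the same text may later be rendered in several contexts."""
    store.setdefault(product_id, []).append(text)


def render_vulnerable(store, product_id):
    """Bug: stored text is concatenated into the page untouched, so markup in one
    review runs in every later visitor's browser under the shop's origin."""
    items = "".join(f"<li>{text}</li>" for text in store.get(product_id, []))
    return f'<ul class="reviews">{items}</ul>'


def render_escaped(store, product_id):
    """Fix: escape at output time for the context the text lands in (here an
    element body). quote=True also covers the attribute case, where an unescaped
    quote would let the value close the attribute early."""
    items = "".join(
        f"<li>{html.escape(text, quote=True)}</li>"
        for text in store.get(product_id, [])
    )
    return f'<ul class="reviews">{items}</ul>'


def review_markup_survives(rendered, submitted):
    """Output check: does a submitted review reach the page byte-for-byte? True
    for the vulnerable renderer whenever the review contained markup characters."""
    return submitted in rendered and any(c in submitted for c in "<>&\"'")


if __name__ == "__main__":
    reviews = new_store()
    # Constructed submissions: one ordinary review, one carrying a script tag.
    store_review(reviews, 7, 'Fits "true" to size & looks good')
    store_review(reviews, 7, "Great shoes! <script>alert(1)</script>")
    for name, renderer in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        page = renderer(reviews, 7)
        print(name, page)
        for submitted in reviews[7]:
            print("  raw markup survives:", review_markup_survives(page, submitted))
```

The first renderer emits the script tag as-is, so the browser of anyone viewing the product page executes it; the second emits `&lt;script&gt;`, which the browser displays as text. The escaping has to happen at each output point, and for HTML attribute or JavaScript contexts the encoding rules differ, which is why templating engines that escape by default are the safer baseline.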