In June, an exploit within the Magento code was discovered that allows RCE (remote code execution) to occur from the frontend of Magento stores. According to Sansec’s stats, roughly three out of four websites using Magento or Adobe Commerce have not sufficiently patched against CosmicSting, which puts them at risk of XML external entity injection (XXE) and remote code execution (RCE).
Did you know that “CosmicSting (CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years?” Sansec says the attack has been automated to scale to thousands of websites since July 1st.
Attack
Sansec discovered widespread abuse of this attack in the wild:
- CosmicSting is used to read the encryption key
- The encryption key is then used to forge a JSON Web Token, giving the attacker full administrative API access to various endpoints. Fraudulent orders may be placed via POST /V1/orders, and customer personally identifiable information can be stolen via GET /V1/customers/{id}. The /V1/cmsBlock endpoints are even more appealing to attackers.
- A list of existing CMS blocks is obtained.
- All CMS blocks, including promotions, footers, etc., are updated to include malicious scripts at the bottom of each block.
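As an added illustration of what a defender can check for (this is not code from Sansec, Adobe, or this post), the following Python audits CMS block content for the injection pattern described above: script elements, particularly ones appended at the bottom of a block or loaded from a host that is not your own. The sample block records, the hostnames and the allowlist are constructed assumptions; in practice you would feed it the output of your store's cmsBlock API or a database export and compare the results against a known-good baseline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample records (not real store data), shaped like the
# `identifier` and `content` fields returned by the /V1/cmsBlock endpoint.
SAMPLE_BLOCKS = [
    {"identifier": "footer_links",
     "content": "<ul><li><a href='/about'>About us</a></li></ul>"},
    {"identifier": "promo_banner",
     "content": "<div class='promo'>Summer sale</div>"
                "<script src='https://cdn.attacker.example/loader.js'></script>"},
    {"identifier": "contact_info",
     "content": "<p>Call us</p><script>console.log('constructed sample')</script>"},
]

class ScriptCollector(HTMLParser):
    """Collects the src of every <script> element and remembers the last start tag seen."""
    def __init__(self):
        super().__init__()
        self.scripts = []   # src attribute of each script, or None when inline
        self.last_tag = None
    def handle_starttag(self, tag, attrs):
        self.last_tag = tag
        if tag == "script":
            self.scripts.append(dict(attrs).get("src"))

def audit_block(block, allowed_hosts=()):
    """Return findings for one CMS block; an empty list means nothing suspicious."""
    parser = ScriptCollector()
    parser.feed(block["content"])
    parser.close()
    findings = []
    for src in parser.scripts:
        if src is None:
            findings.append("inline script")
        else:
            host = urlparse(src).hostname or ""
            if host not in allowed_hosts:   # allowed_hosts is an assumed allowlist of your own CDN/domains
                findings.append(f"external script from {host}")
    # The text describes the injected script sitting at the bottom of each block.
    if parser.last_tag == "script":
        findings.append("script is the last element of the block")
    return findings

def audit_blocks(blocks, allowed_hosts=()):
    """Map each suspicious block identifier to its findings; clean blocks are omitted."""
    return {b["identifier"]: f for b in blocks if (f := audit_block(b, allowed_hosts))}
```

Legitimate widgets can also embed scripts, so treat findings as triage leads and confirm them against a baseline export taken before the incident window.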
Adobe, which owns Magento, has alerted the community to this threat and published patches. Unfortunately, Adobe has now informed us that even with the patches released in June, there is still a risk of remote code execution (RCE) attacks. Hopefully, you already have this information and have taken care of it. If you have not, we will gladly assist you with applying this critical patch.
What You Need to Do
We advise clients to take immediate action based on their patch status:
- Option 1: If you haven’t applied any patches, apply the security update and hotfix and rotate your encryption keys.
- Option 2: If you applied the original patch and/or isolated patch, apply the new hotfix and rotate your encryption keys.
- Option 3: If you applied both patches, apply the new hotfix and rotate your encryption keys to ensure you’re still safe.
Additional Recommendations
Ensure that both production and non-production environments are patched, so that your store is completely protected on all instances. Contact us to schedule this vital patch to keep your website secure.