March 30, 2019
Magento has 300 000 merchants using its e-commerce platform, and thanks to a new bug they are all at risk. Magento has released a security patch and has strongly recommended that anyone using their platform upgrade as soon as possible.
SQL Injection bug potentially devastating
The bug, tracked as PRODSECBUG-2198, is an SQL injection vulnerability that allows attackers to exploit a system without needing to authenticate. In theory, the flaw lets an attacker take control of administrative accounts, although they would first need to obtain usernames and crack the password hashes. Once inside, they would most likely install backdoors or card-skimming software, as has become standard in attacks on these platforms.
This potentially devastating bug has been tested by a security researcher at Sucuri, a security firm that helps companies with all aspects of their online security. The researcher reverse-engineered the recently released official patch and used what he learned to create a working proof-of-concept exploit.
Multiple vulnerabilities in the latest patch
With the PRODSECBUG-2198 bug being such a high priority, Magento has made a hotfix available. The company, which was purchased by Adobe in 2018, has also released a general patch that includes fixes for 37 other bugs. Of those 37, four have been scored 9 or higher on the Common Vulnerability Scoring System (CVSS). Under CVSS this rates them as critical, and the patch containing the fixes should be installed without delay.
Of course, the unauthenticated SQL injection bug is still the top priority. In fact, Sucuri, the security firm that tested the SQL exploit, said in a blog post that everyone using Magento should upgrade immediately. They added that those who did not would soon find themselves at the mercy of attackers with almost total control over their systems. They even described the bug as an “easy way” for a Magento-based website to fall under an attacker's control.
Magento popular hacker target
This is not the first time hackers have focused on Magento. The company’s platform is extremely popular, with over 300 000 merchants relying on it to run the e-commerce side of their businesses. Magento has been targeted multiple times in the past, and over the last year card skimming has become more of a problem, with rogue hacker groups injecting stores with software that captures customers' credit card details.
The biggest problem with SQL injection bugs, particularly ones that do not require authentication, is one of scale. The exploit can be automated, allowing attackers to gather a substantial number of usernames and password hashes. That access could then be combined with other exploits and vulnerabilities to gain further privileges. The exploits that worked in conjunction with PRODSECBUG-2198 have been patched as well, meaning that multiple avenues of ingress have been blocked off.
The security research firm recommends updating to the newest Magento Commerce and Magento Open Source versions: 2.3.1, 2.2.8 and 2.1.17, depending on which branch you are running. Failing a full upgrade, Sucuri does recommend stopping the problem at its source by manually installing the hotfix for the SQL injection exploit.
They added that site administrators should pay attention to their access logs for hits to the /catalog/product/frontend_action_synchronize path. While some occasional traffic to this path is fine, it can be an indicator of an attack. A large number of requests from a single IP could be someone who is trying to use PRODSECBUG-2198.
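To put that log-monitoring advice into practice, here is an added example (not from the article, Sucuri or Magento) that counts requests to that path per source IP in a web-server access log in the common/combined format. The alert threshold and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Path named in the Sucuri guidance quoted above.
WATCHED_PATH = "/catalog/product/frontend_action_synchronize"

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, path) for a parseable access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop any query string so "/path?x=1" still matches the watched path.
    path = m.group("target").split("?", 1)[0]
    return m.group("ip"), path

def hits_per_ip(log_text, path=WATCHED_PATH):
    """Count requests to `path`, grouped by source IP; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == path:
            counts[parsed[0]] += 1
    return counts

def suspicious_ips(log_text, threshold=5, path=WATCHED_PATH):
    """IPs whose hit count on `path` meets or exceeds `threshold`.

    Occasional hits are normal storefront traffic; many from one source is the
    pattern the article says to look for. `threshold` is an assumed tuning
    value, not a figure from the article or from Sucuri."""
    return {ip: n for ip, n in hits_per_ip(log_text, path).items() if n >= threshold}

# Constructed sample lines (not from the article or any real server): one
# source hammering the path with varying query strings, one normal visitor,
# and one junk line to show the parser tolerates it.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [30/Mar/2019:10:01:%02d +0000] "GET %s?x=%d HTTP/1.1" 200 12 "-" "curl/7.64.0"'
     % (i, WATCHED_PATH, i) for i in range(8)]
    + ['198.51.100.4 - - [30/Mar/2019:10:02:00 +0000] "GET %s HTTP/1.1" 200 12 "-" "Mozilla/5.0"' % WATCHED_PATH,
       '198.51.100.4 - - [30/Mar/2019:10:02:05 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
       'garbage line that does not parse']
)

if __name__ == "__main__":
    for ip, n in sorted(suspicious_ips(SAMPLE_LOG).items()):
        print(f"{ip}: {n} hits to {WATCHED_PATH}")
```

Run it against a real access log by reading the file into `log_text`; tune `threshold` to the store's normal traffic before alerting on it.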