The Magento content management system used by thousands of online shops has received fixes for several serious vulnerabilities, including an unauthenticated SQL injection flaw that’s likely to soon become a target for attackers.
Magento, an Adobe-owned company since 2018, released security patches for 37 security issues affecting both the commercial and open-source versions of its platform. Exploitation of the flaws can enable remote code execution, SQL injection, cross-site scripting, privilege escalation, information disclosure and spamming.
Four vulnerabilities have a score higher than 9 on the Common Vulnerability Scoring System (CVSS) scale, which means they’re critical. Of those, one SQL injection flaw is of particular concern for researchers because it can be exploited without authentication. “The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their e-commerce websites,” researchers from Web security firm Sucuri said in a blog post.
The researchers have already reverse-engineered the patch and created a working proof-of-concept exploit for internal testing. They haven’t released it publicly yet, but it’s very likely attackers will soon figure out on their own how to exploit the flaw.
Magento a popular hacker target
Due to its popularity and the sensitive customer data it processes, the Magento platform is an attractive target for hackers and has been targeted in widespread attacks many times in the past. The number of attacks against online shops, in general, has increased over the past year, with some groups of hackers specializing in web skimming — injecting rogue scripts into websites to capture credit card details as shoppers enter them.
SQL injection vulnerabilities let an attacker smuggle their own SQL into a query the application builds from untrusted input, allowing them to read information from or write data into the database. Even if this particular flaw can’t be used to infect a website directly, it can potentially give attackers access to accounts on a site. That access can then be used to exploit one of the other privilege escalation or code execution flaws that were patched in this release and which require authentication.
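To make the mechanism concrete, the following is an added illustration, not code from the article, from Magento or from Sucuri, and it has nothing to do with the specific patched flaw. It uses an in-memory SQLite table with constructed sample rows and shows a lookup written two ways: one that concatenates user input into the query text (so a quote character in the input rewrites the query) and one that binds the input as a parameter (so it can only ever be compared as a literal value). The function names and sample data are assumptions made for the example.

```python
import sqlite3


def build_db():
    # Constructed in-memory stand-in for a shop's customer table; the rows
    # are sample data for this example, not anything from a real site.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, email TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?)",
        [(1, "alice@example.com"), (2, "bob@example.com"), (3, "o'brien@example.com")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Untrusted input is spliced into the SQL text. A quote in the input
    # closes the string literal early and the rest becomes part of the
    # query, so the caller no longer controls what the query means.
    query = "SELECT id, email FROM customer WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    # Bound parameter: the query text is fixed and the value travels
    # separately, so the input is only ever compared as a string.
    return conn.execute(
        "SELECT id, email FROM customer WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    probe = "' OR '1'='1"          # classic tautology probe used in testing
    print(lookup_vulnerable(conn, probe))   # every row comes back
    print(lookup_safe(conn, probe))         # nothing: no such literal e-mail
    print(lookup_safe(conn, "o'brien@example.com"))  # legitimate apostrophe works
```

The parameterised version also handles a legitimate address containing an apostrophe, which the concatenating version cannot even parse; input validation alone does not fix this class of bug, separating query text from data does.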
“Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious because they can be automated — making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” the Sucuri researchers warned. “The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”
Upgrade Magento now
Magento Commerce and Magento Open Source users are advised to upgrade to the newly released versions 2.3.1, 2.2.8 and 2.1.17, depending on the branch they’re using. To quickly protect their sites without deploying the full update, users also have the option to only install the patch for the SQL injection flaw (PRODSECBUG-2198) manually. However, the full update should not be delayed for very long.
According to Sucuri, site administrators should also monitor their access logs for hits to the /catalog/product/frontend_action_synchronize path. Occasional requests to that path might be legitimate, but a large number of them coming from the same IP address in a short interval should be considered suspicious and could be an attempt to exploit this vulnerability.
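One way to turn that log-monitoring advice into a repeatable check, as an added example that is not code from the article, from Sucuri or from Magento: it parses Apache/nginx combined-format access log lines, keeps a sliding window of hits to the /catalog/product/frontend_action_synchronize path per source address, and reports any address whose hits within the window reach a threshold. The window length, the threshold and the sample log lines (built from documentation-range IP addresses) are assumptions constructed for the example; a real deployment would set them from the site's own baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WATCHED_PATH = "/catalog/product/frontend_action_synchronize"
# Assumed defaults for this example: flag 10 or more hits from one
# address inside any 5-minute window. Tune to the site's normal traffic.
WINDOW = timedelta(minutes=5)
THRESHOLD = 10

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # compare the path without its query string
    return m.group("ip"), ts, path


def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak hits in window} for addresses whose hits to
    WATCHED_PATH reach the threshold inside a sliding time window.
    Lines are expected in chronological order, as access logs are."""
    recent = defaultdict(deque)   # ip -> timestamps of recent hits
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip unparseable lines rather than crash
        ip, ts, path = parsed
        if path != WATCHED_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    # Constructed sample lines: one address bursts 12 hits in two minutes,
    # one makes two widely spaced (plausibly legitimate) hits, and one
    # browses an unrelated catalog page. Addresses are documentation ranges.
    base = datetime(2019, 3, 28, 10, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(seconds=10 * i), "203.0.113.10", WATCHED_PATH + "?ids=1")
              for i in range(12)]
    events += [(base + timedelta(minutes=m), "198.51.100.7", WATCHED_PATH) for m in (1, 40)]
    events += [(base + timedelta(seconds=5 * i), "192.0.2.44", "/catalog/product/view/id/42")
               for i in range(30)]
    events.sort()
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    return [fmt.format(ip=ip, ts=ts.strftime("%d/%b/%Y:%H:%M:%S %z"), path=path)
            for ts, ip, path in events]


if __name__ == "__main__":
    for ip, hits in find_bursts(sample_log()).items():
        print(f"suspicious: {ip} made {hits} requests to {WATCHED_PATH} within {WINDOW}")
```

The check deliberately counts by path only, not by status code, since a failed exploit attempt and a legitimate request can both return 200; the signal is the rate from a single address, which is exactly what the advice above describes.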