Failure to patch a structured query language (SQL) injection vulnerability in the Adobe-owned Magento e-commerce platform could put hundreds of thousands of e-commerce sites at risk of card skimming attacks, security experts warn.
The vulnerability is among several patched by Magento earlier in March, but it is the only one that can be exploited without any form of privilege or authentication. It is unknown how many of Magento’s 300,000 customer sites are at risk.
Unlike the other recently patched vulnerabilities, it is easy to exploit because an attacker would not need to be authenticated on the site or hold any level of privilege to be able to carry out a card skimming attack.
Unauthenticated attacks are very serious because they can be automated, warns Marc-Alexandre Montpas, researcher at security firm Sucuri.
“[This makes] it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous,” he wrote in a blog post.
As with any SQL injection vulnerability, leaving it unpatched gives attackers an opportunity to inject their own commands into the site's SQL database and extract sensitive data such as usernames and password hashes.
According to the Magento security advisory, the vulnerability affects sites running both the Open Source and Commerce editions of the software. The affected versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, and 2.3 prior to 2.3.1.
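To make the mechanism behind the warning concrete, here is an added example (not code from the article, from Magento, or from any of the researchers quoted) using Python's built-in sqlite3 module. The table names, rows and the product-lookup functions are constructed for illustration and are not Magento's schema or code. The vulnerable function splices untrusted input into the SQL text, so a crafted lookup value turns a harmless product query into one that reads password hashes; the hardened function binds the same input as a parameter, and the identical value is treated purely as data.

```python
import sqlite3


def build_db():
    """Constructed in-memory shop database (example data, not Magento's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO admin_user VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    conn.execute("CREATE TABLE product (sku TEXT, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)",
                     [("SKU-1", "Mug"), ("SKU-2", "Shirt")])
    return conn


def lookup_product_vulnerable(conn, sku):
    # Untrusted input is concatenated into the statement text, so whatever
    # the caller supplies becomes part of the SQL the database executes.
    sql = f"SELECT name FROM product WHERE sku = '{sku}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_product_safe(conn, sku):
    # Parameterised query: the driver sends the input as a bound value, so it
    # can never alter the structure of the statement, only the value compared.
    rows = conn.execute("SELECT name FROM product WHERE sku = ?", (sku,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = build_db()
    # A lookup value that closes the quoted literal and appends a second SELECT.
    crafted = "' UNION SELECT password_hash FROM admin_user --"
    print("vulnerable:", sorted(lookup_product_vulnerable(conn, crafted)))  # leaks both hashes
    print("safe:      ", lookup_product_safe(conn, crafted))               # []
```

The defensive point is the second function: parameter binding removes the whole class of bug, whereas input filtering has to anticipate every syntax the database accepts.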
With the proliferation of attacks such as Magecart against businesses such as Ticketmaster, British Airways and Newegg, vulnerabilities like this in Magento can become a serious security risk very quickly, according to Satnam Narang, senior research engineer at security firm Tenable.
“Earlier this week, Magento published a security update to address over 30 vulnerabilities in Magento Open Source and Commerce. Most notable in this release is a patch for PRODSECBUG-2198, an unauthenticated SQL injection vulnerability that can lead to remote code execution,” he said.
“While there is no proof-of-concept code or exploit scripts available for this bug yet, due to the relative ease of exploitation, Magento site owners should upgrade to these patched versions as soon as possible. Magento e-commerce websites have been a popular target for cyber criminals for years, so the existence of an unauthenticated remote code execution bug certainly won’t go unnoticed.”
Web security company High-Tech Bridge’s CEO, Ilia Kolochenko, said the Magento SQL injection vulnerability could lead to “one of the most disastrous” hacking campaigns.
“Magento is mostly used on trusted e-commerce websites and thus opens a door to a great wealth of sensitive PII [personally identifiable information], including valid credit cards details. The most dangerous flaw is SQL injection that can be exploited without any pre-conditions, being sufficient to steal the entire database and likely take control over the vulnerable website and web server. Sophisticated malware infections may plague gutted websites once all valuable data is stolen,” he said.
In addition to updating their systems urgently, Kolochenko said all Magento site operators should check the web server and all other available logs for indicators of compromise (IoCs).
“In case of a merest suspicion, detailed forensics should be conducted to determine whether the system was breached. These days, cyber criminals know how to cover their tracks, however, they may unwittingly suppress too much evidence and thereby expose their presence.”
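As a starting point for the log review Kolochenko recommends, here is an added example (not from the article or from any tool the researchers describe) that parses web server access-log lines, URL-decodes each request path and flags the ones carrying SQL syntax, then counts hits per source address so that the automated, high-volume probing Montpas warns about stands out. The log lines, IP addresses and request paths are constructed for the example; the path layout merely resembles a shop URL and is not taken from the Magento advisory.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format). Hosts, paths
# and payloads are made up for this example and do not come from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2019:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2019:10:01:09 +0000] "GET /checkout/cart/ HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Mar/2019:10:02:15 +0000] "GET /catalog/product/view/id/42%27%20UNION%20SELECT%20password_hash%20FROM%20admin_user%20-- HTTP/1.1" 200 5120 "-" "python-requests/2.21"
198.51.100.7 - - [28/Mar/2019:10:02:16 +0000] "GET /catalog/product/view/id/42%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "python-requests/2.21"
198.51.100.7 - - [28/Mar/2019:10:02:17 +0000] "GET /catalog/product/view/id/42%27%20OR%201=1-- HTTP/1.1" 500 0 "-" "python-requests/2.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signs of SQL syntax inside a request path: a quote followed by a boolean
# condition, UNION SELECT, time-based probes and comment terminators.
# A triage starting point, not a complete rule set.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+",
        r"\bunion\b\s+(all\s+)?select\b",
        r"\bsleep\s*\(",
        r"--\s*$|/\*",
    )
]


def parse_line(line):
    """Split one access-log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])  # inspect the decoded form
    return rec


def sqli_indicators(decoded_path):
    """Return the patterns that matched the decoded path (empty if clean)."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded_path)]


def scan_log(text):
    """Return (suspicious records, hit count per source IP)."""
    hits, per_ip = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = sqli_indicators(rec["decoded_path"])
        if found:
            rec["indicators"] = found
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for rec in hits:
        print(rec["ip"], rec["ts"], rec["status"], rec["decoded_path"])
    print("requests flagged per source:", dict(per_ip))
```

Flagged requests that returned 200 deserve as much attention as the 500s: a successful injection usually looks like a normal response in the access log, so the next step is correlating the flagged timestamps against database and application logs rather than stopping at the web tier.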