In February, a critical vulnerability (CVE-2022-24086) was found in Magento Open Source and Adobe Commerce. The flaw is an “improper input validation” vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems.
The vulnerability affected the following versions of the Magento products:
PRODUCT | VERSION | PLATFORM
Adobe Commerce | 2.4.3-p1 and earlier versions | All
Adobe Commerce | 2.3.7-p2 and earlier versions | All
Magento Open Source | 2.4.3-p1 and earlier versions | All
Magento Open Source | 2.3.7-p2 and earlier versions | All
Adobe Commerce 2.3.3 and lower were safe from the vulnerability.
But nearly 500 online stores running on the Magento 1 eCommerce platform were compromised. That attack used SQL injection and PHP object injection to take over the stores. Adobe has released patches for Magento 2.
Magento 1, however, is no longer supported, so stores still running it have to rely on third-party patches to defend against the vulnerability.
What’s the Update?
Despite the patches and updates, security experts are finding that attackers are still using the vulnerability to take over Magento stores.
Researchers have identified three main attack variants that exploit CVE-2022-24086 to inject malicious code into websites. All the attacks analyzed by the security firm have been interactive, possibly because the Magento checkout flow is very hard to automate.
First Attack: Malicious code is supplied as the first and last name when creating an account on the Magento store. The injected code runs a command that downloads a Linux executable, which then communicates with a remote server. That remote server gains full access to the database and the PHP processes.
Second Attack: In the second variant, the attackers inject a PHP backdoor (“health_check.php”) by including template code in the VAT field of the placed order. A new file (“pub/media/health_check.php”) is created that accepts commands via POST requests.
Third Attack: The third variant uses template code that, when executed, replaces “generated/code/Magento/Framework/App/FrontController/Interceptor.php” with a malicious, backdoored version.
What’s the Solution?
For now, the only solution is to follow Magento security best practices and keep the software updated. Out of the box, you can also use keyword monitoring, so that you are notified if the Linux file from the first attack is downloaded to your store.
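Beyond keyword monitoring, the second and third attack variants leave artifacts on disk that a store operator can check for directly: a PHP file under pub/media (a directory that should only hold uploaded media) and a modified generated Interceptor.php. The script below is an added example, not code from the original article or from Magento; it assumes a standard Magento 2 directory layout and a SHA-256 baseline hash of Interceptor.php recorded from a known-good deployment. It goes slightly beyond the article by flagging any .php file under pub/media, not only the health_check.php name reported there. The fixture it builds for demonstration is entirely constructed.

```python
"""Defensive artifact check for the CVE-2022-24086 post-exploitation traces
described in the article. Added example; assumes a Magento 2 layout and a
baseline hash of Interceptor.php taken from a known-good install."""
import hashlib
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Paths named in the article, relative to the Magento root.
BACKDOOR_PATH = Path("pub/media/health_check.php")
INTERCEPTOR_PATH = Path(
    "generated/code/Magento/Framework/App/FrontController/Interceptor.php"
)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_magento_root(root: Path, interceptor_baseline: Optional[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []

    # Check 1: the specific backdoor file from the second attack variant.
    if (root / BACKDOOR_PATH).exists():
        findings.append(f"backdoor candidate present: {BACKDOOR_PATH}")

    # Check 1b (generalisation): pub/media should never contain PHP at all.
    media_dir = root / "pub" / "media"
    if media_dir.is_dir():
        for php_file in media_dir.rglob("*.php"):
            rel = php_file.relative_to(root)
            if rel != BACKDOOR_PATH:  # already reported above
                findings.append(f"unexpected PHP file under pub/media: {rel}")

    # Check 2: the generated interceptor from the third attack variant,
    # compared against the hash recorded from a clean deployment.
    interceptor = root / INTERCEPTOR_PATH
    if interceptor.exists() and interceptor_baseline is not None:
        actual = sha256_of(interceptor)
        if actual != interceptor_baseline:
            findings.append(
                f"hash mismatch for {INTERCEPTOR_PATH}: {actual[:12]}... differs from baseline"
            )
    return findings


def build_fixture(root: Path, compromised: bool) -> str:
    """Build a constructed Magento-like tree under root and return the clean
    Interceptor.php hash. The file contents are placeholders, not real code."""
    interceptor = root / INTERCEPTOR_PATH
    interceptor.parent.mkdir(parents=True, exist_ok=True)
    clean_body = b"<?php\n// constructed stand-in for the generated interceptor\nclass Interceptor {}\n"
    interceptor.write_bytes(clean_body)
    baseline = hashlib.sha256(clean_body).hexdigest()
    (root / "pub" / "media").mkdir(parents=True, exist_ok=True)
    if compromised:
        # Simulate the third variant (file replaced) and the second (dropped PHP file).
        interceptor.write_bytes(clean_body + b"// constructed tampering marker\n")
        (root / BACKDOOR_PATH).write_bytes(b"<?php // constructed placeholder file\n")
    return baseline


def run_demo() -> Tuple[List[str], List[str]]:
    """Scan one clean and one compromised constructed tree; return both finding lists."""
    with tempfile.TemporaryDirectory() as clean_dir:
        clean_root = Path(clean_dir)
        clean_findings = scan_magento_root(clean_root, build_fixture(clean_root, False))
    with tempfile.TemporaryDirectory() as bad_dir:
        bad_root = Path(bad_dir)
        bad_findings = scan_magento_root(bad_root, build_fixture(bad_root, True))
    return clean_findings, bad_findings


if __name__ == "__main__":
    clean, compromised = run_demo()
    print("clean tree findings:", clean)
    for line in compromised:
        print("compromised tree:", line)
```

In a real deployment you would run scan_magento_root against the store's document root from cron, with the baseline hash regenerated whenever you intentionally run Magento's code generation (the generated/ directory is rebuilt on deploy, so a mismatch right after a legitimate deploy is expected and the baseline must be refreshed then).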