A vulnerability dubbed “CosmicSting” impacting Adobe Commerce and Magento web sites stays largely unpatched 9 days after the safety replace has been made obtainable, leaving thousands and thousands of web sites open to catastrophic assaults.
In line with Sansec’s stats, roughly three out of 4 web sites utilizing the impacted e-commerce platforms haven’t patched in opposition to CosmicSting, which places them susceptible to XML exterior entity injection (XXE) and distant code execution (RCE).
“CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years,” says Sansec.
“In itself, it allows anyone to read private files (such as those with passwords). However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution.”
The flaw, rated essential (CVSS rating: 9.8), impacts the next product variations:
- Adobe Commerce 2.4.7 and earlier, together with 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
- Adobe Commerce Prolonged Help 2.4.3-ext-7 and earlier, 2.4.2-ext-7 and earlier, 2.4.1-ext-7 and earlier, 2.4.0-ext-7 and earlier, 2.3.7-p4-ext-7 and earlier.
- Magento Open Supply 2.4.7 and earlier, together with 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
- Adobe Commerce Webhooks Plugin variations 1.2.0 to 1.4.0
Sansec says that regardless of Adobe omitting technical particulars on its bulletin to keep away from fueling energetic exploitation, efficient assault strategies may be simply inferred from the patch code, which its analysts used for reproducing the assault.
Based mostly on the severity and low complexity of deducing efficient assault paths, Sansec estimates that CosmicSting ticks all bins to change into one of the damaging assaults in e-commerce’s historical past, alongside “Shoplift“, “Ambionics“, and “Trojan Order.”
Apply repair or mitigation now
The seller launched fixes for CVE-2024-34102 with the next variations, which e-commerce platform directors are really helpful to use as quickly as potential:
- Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
- Adobe Commerce Prolonged Help 2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8
- Magento Open Supply 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
- Adobe Commerce Webhooks Plugin model 1.5.0
Sansec recommends that website admins swap to ‘Report-Solely’ mode earlier than upgrading to keep away from a difficulty which will break checkout performance.
For individuals who are unable to improve proper now, they’re suggested to take the next two measures:
First, verify should you’re Linux system is utilizing a glibc library susceptible to CVE-2024-2961 utilizing the beneath command, and improve as required. The command beneath will obtain a C supply code file, compile it, and run it in your laptop to detect should you’re susceptible.
curl -sO https://sansec.io/downloads/cve-2024-2961.c &&
gcc cve-2024-2961.c -o poc &&
./poc
Subsequent, you should add the next “emergency fix” code on ‘app/bootstrap.php’ to dam most CosmicSting assaults.
if (strpos(file_get_contents('php://enter'), 'dataIsURL') !== false) {
  header('HTTP/1.1 503 Service Quickly Unavailable');
  header('Standing: 503 Service Quickly Unavailable');
  exit;
}
BleepingComputer has not examined the repair and can’t assure its effectiveness or security, so use it at your individual danger.