CIS Logo
tagline: Confidence in the Connected World

Multiple Vulnerabilities in Magento CMS Could Allow for Remote Code Execution (APSB20-59)

MS-ISAC ADVISORY NUMBER:

2020-142

DATE(S) ISSUED:

10/16/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Magento CMS, the most severe of which could allow for arbitrary code execution. Magento is a web-based e-commerce application written in PHP. Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Magento Open Source versions prior to 2.3.6 and 2.4.1
  • Magento Commerce versions prior to 2.3.6 and 2.4.1

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Magento CMS, the most severe of which could allow for arbitrary code execution. The vulnerabilities are as follows:

  • An File Upload Allow List Bypass vulnerability could allow for Arbitrary Code Execution. (CVE-2020-24407)
  • An SQL Injection vulnerability that could allow for Arbitrary read or write access. (CVE-2020-24400)
  • Multiple Improper Authorization vulnerabilities that could allow for Unauthorized modification of customer list. (CVE-2020-24402, CVE-2020-24404, CVE-2020-24405, CVE-2020-24403)
  • An Insufficient Invalidation of User Session vulnerability could allow for Unauthorized access to restricted resources. (CVE-2020-24401)
  • An Information Disclosure vulnerability could allow for Disclosure of document root path. (CVE-2020-24406)
  • A Cross-Site Scripting vulnerability could allow for Arbitrary JavaScript execution in the browser. (CVE-2020-24408)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Magento to affected systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services.
  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Related Resources



Arrow CIS Control 3: Continuous Vulnerability Assessment and Remediation

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0

Pencil White paper 26 Oct 2020