CIS Logo
tagline: Confidence in the Connected World

Multiple Vulnerabilities in Magento CMS Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2019-036

DATE(S) ISSUED:

04/01/2019

OVERVIEW:

Multiple vulnerabilities have been identified in Magento CMS, the most severe of which could allow for remote code execution. Magento is a web-based e-commerce application written in PHP. Successful exploitation of the most severe of these vulnerabilities could result in remote code execution.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Magento Open Source versions prior to 2.3.1
  • Magento Commerce versions prior to 2.3.1

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been identified in Magento CMS, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

  • An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
  • An authenticated user with administrative privileges can execute arbitrary code through email templates.
  • An authenticated user can embed malicious code through a stored cross-site scripting vulnerability or an SQL injection vulnerability in the Catalog section by manipulating attribute_code.
  • An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.
  • An authenticated user with privileges to configure store settings can execute arbitrary code execution through server-side request forgery.
  • An authenticated user with privileges to configure email templates can execute arbitrary code via a PHP archive deserialization vulnerability.
  • An authenticated userwith administrative privileges can upload PHP files to access sensitive data because NGINX configuration allows PHP files to be executed in any directory.
  • An authenticated user with administrative privileges can embed arbitrary code when editing the Newsletter section of the admin panel.
  • An authenticated user with privileges to the Customer Segments section of the Admin can use a stored cross site scripting vulnerability to embed malicious code.
  • An authenticated user can create a B2B account without administrative approval due to an authentication bypass vulnerability.
  • An authenticated customer can control other customer's requisition lists by using a web API endpoint to send a request to the server. (This overrides the customer_id parameter.)
  • An authenticated user with privileges to configure email templatescan execute arbitrary SQL queries.
  • An authenticated user with privileges to the Admin requisition list ID can use a cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of Admin Shopping Cart Rules page.
  • An attacker can delete a product attribute within the context of authenticated administrator's session through cross-site request forgery.
  • An attacker can delete the site map within the context of an authenticated administrator's session through cross-site request forgery.
  • An attacker can delete all synonyms groups within the context of an authenticated administrator's session through cross-site request forgery.
  • An authenticated user with administrative privileges can embed arbitrary code via a stored cross site scripting vulnerability in the Terms & Conditions with Checkbox Text field in the admin panel.
  • An authenticated user with privileges to edit the Admin notification section can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to product name fields on the Admin can use stored cros-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the B2B packages through an unsanitized URL parameter can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the Admin Stores > Attributes > Product configuration area can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the Checkbox Custom Option Value field on the Admin can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to B2B packages through an unsanitized URL parameter can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with administrative privileges can embed malicious code in the Attribute Label for Media Attributes section in the admin panel.
  • An authenticated user with administrative privileges can manipulate the notification feed, which allows an attacker to use a cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the Admin Products > Catalog configuration section can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the Admin product configurations section can use a stored cross-site scripting vulnerability to embed malicious code.
  • An attacker can delete the content of wyswig directory within the context of authenticated administrator's session via cross-site request forgery.
  • Send to a friend page can be used for spamming due to missing CAPTCHA.
  • Magento 2.x default configuration allows public access to custom PHP settings.
  • An authenticated user canview Personally identifiable details of another user via exploiting an Insecure Direct Object References vulnerability.
  • Spam using share a wishlist functionality.
  • Exception error reports capture administrative credentials in clear text format.
  • An authenticated user can enumerate and access unauthorized wishlist via insecure direct object reference in the application.
  • An authenticated user can add and execute a malicious script on an HTML page through a vulnerable CLI command due to lack of data validation.

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution. This may result in sensitive data leakage such as admin sessions and password sessions. This may also be used to obtain access to an admin dashboard and customer personal and financial data.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Magento to affected systems, immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services.
  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Protect Your Systems from Cyber Threats Like This

CIS Control That Helps Avoid This Issue Arrow CIS Control 3: Continuous Vulnerability Assessment and Remediation

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0

Pencil Blog post 20 May 2019
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0