A critical vulnerability in the Magento e-commerce platform is putting as many as 300,000 commerce sites at risk of card-skimming infections until they install a recently released patch.
PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Hackers could exploit the flaw to take administrative control of administrator accounts, assuming the hackers can download user names and password hashes and crack the hashes.
From there, attackers could install the backdoors or skimming code of their choice. A researcher at Web security firm Sucuri said Thursday that company researchers reverse-engineered an official patch released Tuesday and successfully created a working proof of concept exploit.
“There is no doubt threat actors are either actively reversing the patch or waiting for a proof of concept to exploit this flaw at scale,” Jérôme Segura, lead malware intelligence analyst at Malwarebytes, told Ars. “When it comes to hacked Magento websites, Web skimmers are the most common infection type we see because of their high return on investment. As a result, we can expect another wave of compromises in light of this newly found critical vulnerability.”
Sucuri researcher Marc-Alexandre Montpas concurred with that assessment. In Thursday’s blog post, he wrote:
SQL Injections allow an attacker to manipulate site arguments to inject their own commands to an SQL database (Oracle, MySQL, MariaDB, MSSQL). Through this vulnerability, they can retrieve sensitive data from an affected site’s database, including usernames and password hashes.
Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious, because they can be automated—making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.
PRODSECBUG-2198 is one of more than three dozen security bugs Magento developers disclosed and fixed on Tuesday. It affects the following versions:
Sites that want to quickly protect themselves from this vulnerability only can install a stand-alone patch. Many of the other flaws also pose a threat, but because they generally require a hacker to be authenticated, they aren’t considered as severe. To be fully protected against all vulnerabilities, sites will have to upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8.
Montpas said Magento site administrators can check to see if their site has been targeted in 2198 exploits by checking the access_log file for multiple hits to the following path:
A small number of hits to that path may indicate a legitimate request, but more than a couple dozen hits from the same IP address in a few minutes should be considered suspicious.