WARNING: MULTIPLE CRITICAL AND HIGH VULNERABILITIES IN ADOBE COMMERCE, ADOBE MAGENTO AND ADOBE COMMERCE WEBHOOKS PLUGIN CAN BE EXPLOITED TO EXECUTE CODE
Reference:
Advisory #2024-87
Version:
1.0
Affected software:
Adobe Commerce, Magento Open Source, Adobe Commerce Webhooks Plugin
Type:
Remote code execution
CVE/CVSS:
CVE-2024-34111: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
CVE-2024-34102: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-34108: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-34109: 8.0 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-34110: 8.0 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-34105: 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
Datum:
13/06/2024
Sources
https://helpx.adobe.com/security/products/magento/apsb24-40.html
Risks
On 11 June 2024, Adobe published a security advisory about 10 vulnerabilities affecting Adobe Commerce, Magento Open Source and Adobe Commerce Webhooks Plugin. Among these 10 vulnerabilities, 6 can lead to arbitrary code execution.
The code execution vulnerabilities are CVE-2024-34111, CVE-2024-34102, CVE-2024-34108, CVE-2024-34109, CVE-2024-34110 and CVE-2024-34105.
Adobe Commerce, Magento Open Source and Adobe Commerce Webhooks plugin belong to an ecosystem servicing ecommerce platforms. The technology is widely used throughout the world. Ecommerce technology have been targeted by financially-motivated threat actors in the past to spread malware, compromise infrastructure, and steal information such as credit card and personal information. However, this exact Adobe technology has historically not been targeted according to Adobe.
When chained with CVE-2024-2961, CVE-2024-34102 can result in Remote Code Execution (RCE). Since several security researchers published exploit code, an uptick in exploitation attempts is to be expected.
Exploitation of these vulnerabilities have mostly a high impact on confidentiality, integrity and availability. The exact impact on the CIA triad depends on each vulnerability.
Description
The following vulnerability does not require authentication in order to be exploited:
CVE-2024-34102 is an improper restriction of XML external entity reference (XXE) vulnerability. It is marked as critical because a remote attacker does not need to be authenticated, nor have admin privileges, to exploit this vulnerability. Successful exploitation could lead to arbitrary code execution.
The following vulnerabilities require authentication with admin privileges in order to be exploited:
- CVE-2024-34111 is a server-side request forgery vulnerability. In order to be exploited, a successful remote attacker needs to have valid credentials with admin privileges. Successful exploitation could lead to arbitrary code execution.
- CVE-2024-34108 and CVE-2024-34109 are both improper input validation vulnerabilities in Adobe Commerce Webhooks Plugin. In order to be exploited, a successful remote attacker needs to have valid credentials with admin privileges. Successful exploitation could lead to arbitrary code execution.
- CVE-2024-34110 is an unrestricted upload of file with dangerous type vulnerability in Adobe Commerce Webhooks Plugin. In order to be exploited, a successful remote attacker needs to have valid credentials with admin privileges. Successful exploitation could lead to arbitrary code execution.
- CVE-2024-34105 is a cross-site scripting (stored XSS) vulnerability. In order to be exploited, a successful remote attacker needs to have valid credentials with admin privileges. Successful exploitation could lead to arbitrary code execution.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices, after thorough testing.
Adobe reported that these vulnerabilities are fixed with software updates:
- For Adobe Commerce: please update to versions 2.4.7-p1 for 2.4.7 and earlier, 2.4.6-p6 for 2.4.6-p5 and earlier, 2.4.5-p8 for 2.4.5-p7 and earlier, 2.4.4-p9 for 2.4.4-p8 and earlier, 2.4.3-ext-8 for 2.4.3-ext-7 and earlier*, 2.4.2-ext-8 for 2.4.2-ext-7 and earlier*, 2.4.1-ext-8 for 2.4.1-ext-7 and earlier*, 2.4.0-ext-8 for 2.4.0-ext-7 and earlier*, 2.3.7-p4-ext-8 for 2.3.7-p4-ext-7 and earlier*.
Please note that the versions marked with the asterisk (*) are only applicable to Adobe customers participating in the Extended Support Program. - For Magento Open Source: please update to versions 2.4.7-p1 for 2.4.7 and earlier, 2.4.6-p6 for 2.4.6-p5 and earlier, 2.4.5-p8 for 2.4.5-p7 and earlier, 2.4.4-p9 for 2.4.4-p8 and earlier
- For Adobe Commerce Webhooks Plugin: please update to version 1.5.0
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://helpx.adobe.com/security/products/magento/apsb24-40.html