On Friday (29th March 2019), exploit code was published for a vulnerability in the Magento eCommerce platform, all but assuring that it will be used to plant payment card skimmers on sites that have yet to install a recently released patch.
PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Attackers can use it to download user names and password hashes, crack the hashes, and take control of the admin panel, from which they can install backdoors or skimming code as they choose. A Web security researcher said the firm had reverse-engineered the official patch, released on Tuesday, and successfully created a working proof-of-concept exploit.
For several months, criminal gangs have been racing to attack e-commerce sites with JavaScript that secretly steals credit card details. In these widespread attacks, the same card-skimmer gangs have hit around 300,000 businesses and merchants.
“There is no doubt threat actors are either actively reversing the patch or waiting for a proof of concept to exploit this flaw at scale,” Jérôme Segura, lead malware intelligence analyst at Malwarebytes, told Ars on Thursday. “When it comes to hacked Magento websites, Web skimmers are the most common infection type we see because of their high return on investment. As a result, we can expect another wave of compromises in light of this newly found critical vulnerability.”
A proof-of-concept exploit published on Friday contains comments in the code stating that it “can easily be modified to obtain other stuff from the [database], for instance, admin/user password hashes.” It also says the underlying vulnerability has resided in Magento since version 1, meaning that all Magento sites that haven’t installed the patch are susceptible. A separate post, also published on Friday, provided additional exploit details along with the disclosure timeline.
Segura wrote in an email on Friday, “As predicted, we are going to see sites getting hacked pretty soon.”
Sucuri researcher Marc-Alexandre Montpas concurred with that assessment. In a blog post on Thursday, he wrote:
SQL injections allow an attacker to control site arguments to inject their own commands into an SQL database (MSSQL, Oracle, MySQL, MariaDB), and this way they can retrieve sensitive data from an affected site’s database, including usernames and password hashes.
These kinds of unauthenticated attacks are serious, as they can manipulate any data and make it easier for hackers to spread attacks against vulnerable websites. A vulnerability becomes more dangerous due to active installs, ease of exploitation, and the number of successful attacks.
PRODSECBUG-2198 is one of more than three dozen security bugs that Magento developers disclosed and fixed on Tuesday. The following versions are affected by it:
- Magento Commerce < 1.14.4.1
- Magento Open Source < 1.9.4.1
- Magento < 2.1.17
- Magento < 2.2.8
- Magento < 2.3.1
Protect your site from this vulnerability quickly by installing the stand-alone patch. The other flaws require the attacker to be authenticated, so they are not considered as severe.
Magento officials have said, “As the majority of exploits tend to target software installations that are not up-to-date with the latest security updates, we always strongly recommend that users install security updates as soon as they are available.”
You can check whether your site has been targeted by 2198 exploits by searching the access_log file for repeated hits to the following path:
/catalog/product/frontend_action_synchronize
A small number of hits to that path indicates legitimate requests, but if you see many hits from the same IP address within a few minutes, you should treat it as suspicious.
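As an added example (not part of the original article), the following Python script applies that check to an access_log: it counts hits to the path per source IP inside a sliding five-minute window and flags any IP that reaches a threshold, skipping malformed lines and ignoring query strings. The log entries, IP addresses and the threshold of five are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access_log excerpt in Apache/nginx combined format; entries and IPs are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Mar/2019:10:00:01 +0000] "GET /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [29/Mar/2019:10:00:05 +0000] "GET /customer/account/login/ HTTP/1.1" 200 9431 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2019:10:00:09 +0000] "GET /catalog/product/frontend_action_synchronize?x=1 HTTP/1.1" 200 512 "-" "curl/7.64"
192.0.2.10 - - [29/Mar/2019:10:01:00 +0000] "GET /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2019:10:00:31 +0000] "GET /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "curl/7.64"
this line is deliberately malformed and must be skipped
203.0.113.7 - - [29/Mar/2019:10:01:12 +0000] "GET /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.7 - - [29/Mar/2019:10:01:45 +0000] "GET /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "curl/7.64"
192.0.2.10 - - [29/Mar/2019:13:40:00 +0000] "GET /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/catalog/product/frontend_action_synchronize"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

def parse_line(line):
    """Return (ip, timestamp, path without query string), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0]

def suspicious_ips(log_text, threshold=5, window_seconds=300):
    """Map each source IP to its peak number of hits on TARGET_PATH within any
    window_seconds interval, keeping only IPs whose peak reaches threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == TARGET_PATH:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()  # log order is not guaranteed to be chronological
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past old hits
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(suspicious_ips(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

Two hits hours apart from the same IP (192.0.2.10 above) are not flagged, which matches the article's distinction between a legitimate request and a burst from one address.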
Upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8 to protect your site against all of these vulnerabilities.