E-commerce: Security experts observe many attacks on Adobe Commerce

There currently appear to be numerous attacks on online stores that use Adobe Commerce and Magento. Security experts from Sansec are warning of this.


The vulnerability CVE-2024-34102 affects the e-commerce platforms Adobe Commerce and Magento.

(Image: r.classen/Shutterstock.com)

This article was originally published in German and has been automatically translated.

There are currently numerous attacks on online stores that use the e-commerce platform Adobe Commerce (formerly Magento). Security experts from Sansec warn of this.

CosmicSting (CVE-2024-34102) was discovered a month ago. According to Sansec, three to five online stores are currently being attacked every hour, including well-known international brands. Sansec expects the number of compromised stores to continue to rise. The experts also estimate that this vulnerability affects 75 percent of Adobe's e-commerce stores.

CosmicSting allows attackers to read arbitrary files and thus steal Magento's secret encryption key. With this key, they can forge JSON Web Tokens (JWT) that grant full administrative API access.

According to Sansec, the Magento REST API offers various endpoints that attackers can abuse with such a token. For example, fraudulent orders can be placed via POST /V1/orders, and customers' personal information can be stolen via GET /V1/customers/{id}. However, the /V1/cmsBlock endpoints are particularly attractive to attackers.

Sansec has observed the following steps in the large-scale exploitation of this vulnerability:

1. CosmicSting is used to read the encryption_key from app/etc/env.php.
2. The stolen encryption key is used to generate a JWT.
3. A list of existing CMS blocks is retrieved via GET /V1/cmsBlock/search.
4. All CMS blocks are updated via PUT /V1/cmsBlock/{id} to insert malicious scripts at the end of each block.

Sansec recommends urgently upgrading systems to the latest version or installing the official patch released by Adobe a few days ago. However, patching the CosmicSting vulnerability alone is not enough, as a stolen encryption key still allows attackers to generate valid web tokens. Since the key of any previously unpatched system is most likely also compromised, it should be replaced manually in app/etc/env.php, according to Adobe.

Sansec also recommends audit logs that make changes to CMS blocks visible. Such logs record the activities of administrators and system accesses; among other things, they allow security incidents to be traced retrospectively and abusive behavior to be detected.
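The following is an added defender-side example, not code from heise, Sansec or Adobe, illustrating the two detection angles the article describes: spotting the CMS-block enumeration and update chain (and the order and customer endpoints) in web-server access logs, and checking stored CMS block content for appended script tags. It assumes the web server writes combined log format and that the REST API is served under `/rest/V1/` or `/rest/<store>/V1/`; the log lines and block contents are constructed sample data.

```python
import re

# Combined log format: client IP, timestamp, request line, status (constructed
# sample below uses this layout; adjust LOG_RE if your server logs differently).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# REST path with an optional /rest or /rest/<store-code> prefix (assumption about
# the deployment's URL layout), keeping only the endpoints named in the article.
API_RE = re.compile(r"^(?:/rest(?:/[\w-]+)?)?/V1/(cmsBlock/search|cmsBlock/\d+|orders|customers/\d+)$")

# Constructed sample log: one client enumerates and then rewrites CMS blocks,
# another browses normally and then places an order through the API.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2024:10:01:02 +0000] "GET /rest/V1/cmsBlock/search?searchCriteria[pageSize]=100 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [25/Jun/2024:10:01:05 +0000] "PUT /rest/V1/cmsBlock/3 HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [25/Jun/2024:10:01:06 +0000] "PUT /rest/V1/cmsBlock/4 HTTP/1.1" 200 790 "-" "curl/8.4.0"
198.51.100.20 - - [25/Jun/2024:10:02:11 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 23311 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Jun/2024:10:03:40 +0000] "POST /rest/default/V1/orders HTTP/1.1" 200 1502 "-" "python-requests/2.31"
"""

# Constructed sample CMS blocks: one clean, one with a script appended at the end.
SAMPLE_BLOCKS = {
    "footer_links": "<ul><li><a href=\"/about\">About</a></li></ul>",
    "promo_banner": "<div class=\"promo\">Summer sale</div>\n"
                    "<script src=\"https://cdn.example.invalid/loader.js\"></script>",
}


def classify(method, path):
    """Map a request to one of the abuse categories from the article, or None."""
    path = path.split("?", 1)[0]          # drop the query string before matching
    m = API_RE.match(path)
    if not m:
        return None
    tail = m.group(1)
    if method == "GET" and tail == "cmsBlock/search":
        return "cms_block_enumeration"
    if method == "PUT" and tail.startswith("cmsBlock/"):
        return "cms_block_update"
    if method == "POST" and tail == "orders":
        return "order_creation"
    if method == "GET" and tail.startswith("customers/"):
        return "customer_pii_read"
    return None


def flag_api_calls(lines):
    """Return one finding per log line that hits a watched endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        category = classify(method, path)
        if category:
            findings.append({"ip": ip, "method": method, "path": path,
                             "status": int(status), "category": category})
    return findings


def summarize_by_ip(findings):
    """Sorted, de-duplicated categories seen per client IP."""
    per_ip = {}
    for f in findings:
        per_ip.setdefault(f["ip"], set()).add(f["category"])
    return {ip: sorted(cats) for ip, cats in per_ip.items()}


def is_cms_tamper_chain(categories):
    """Enumeration followed by bulk update is the pattern Sansec describes."""
    return "cms_block_enumeration" in categories and "cms_block_update" in categories


SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def find_script_blocks(blocks):
    """IDs of CMS blocks containing any <script> tag; each deserves manual review."""
    return sorted(block_id for block_id, html in blocks.items() if SCRIPT_RE.search(html))


if __name__ == "__main__":
    by_ip = summarize_by_ip(flag_api_calls(SAMPLE_LOG.splitlines()))
    for ip, cats in by_ip.items():
        marker = " <-- CMS block tamper chain" if is_cms_tamper_chain(cats) else ""
        print(f"{ip}: {', '.join(cats)}{marker}")
    print("blocks with scripts:", find_script_blocks(SAMPLE_BLOCKS))
```

Any administrative REST call from an unexpected client is worth a look, but an IP that lists CMS blocks and then issues a burst of PUT requests against them matches the observed campaign closely and should trigger a review of block content and a rotation of the encryption key.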

(mack)