A recent Sansec report has revealed that the CosmicSting vulnerability, which affects 75% of Adobe Commerce and Magento stores, poses a significant security threat. Despite the release of a critical security patch, only a quarter of affected stores have implemented the update, leaving the majority vulnerable to potential attacks.
CosmicSting overview
Known as CVE-2024-34102, the CosmicSting vulnerability is considered the most severe bug to impact Magento and Adobe Commerce stores in the past two years. This vulnerability allows unauthorized access to private files, such as those containing passwords. When combined with the recent iconv bug in Linux, it can escalate to remote code execution, granting attackers complete control over affected systems. Sansec, which verified the exploit, warns that it could lead to widespread automated attacks on a global scale.
CosmicSting was discovered by a researcher known as spacewasp and has received a CVSS severity score of 9.8 out of 10, reflecting its critical nature. Adobe issued a patch for the vulnerability last week but did not share specific details about the exploit. Sansec managed to reproduce the attack using the patch code and believes that cybercriminals are already working on exploiting the vulnerability.
The CosmicSting attack is one of only four similarly critical vulnerabilities in Magento's history, following the Shoplift attack in 2015, the Ambionics attack in 2019, and the Trojan Order attack in 2022. Each of these previous vulnerabilities led to tens of thousands of stores being compromised within hours of their discovery. Given this history, it is crucial for store owners to update their systems promptly to prevent potential breaches.
Security recommendations
Sansec has found that only 25% of stores have upgraded since the release of the security patch. One of the challenges hindering the upgrade process is the potential for the security release to disrupt existing checkout functionality. The patch includes the backported PCI-imposed Content Security Policy (CSP) and Subresource Integrity (SRI) implementation from version 2.4.7, which could interfere with third-party JavaScript and inline scripts in the checkout process.
To mitigate these issues, Sansec recommends switching CSP to 'Report-Only' mode before upgrading. In this mode the browser reports policy violations without blocking anything, so the checkout keeps working while incompatible modules are fixed ahead of the new PCI requirements taking effect in April 2025. Additionally, enabling CSP monitoring can help detect potential security issues. Sansec offers a free CSP monitoring service that can be set up quickly.
For those unable to upgrade immediately, Sansec suggests two emergency measures to reduce risk:
- Ensure that Linux server versions are up to date, which will mitigate some of the risks associated with the vulnerability.
- Implement an emergency fix in the app/bootstrap.php file to block most CosmicSting attacks. The provided code snippet checks for specific attack indicators and returns a 503 Service Temporarily Unavailable response if detected.
// Emergency CosmicSting guard for app/bootstrap.php (Sansec's snippet):
// refuse any request whose raw body contains the 'dataIsURL' indicator.
if (strpos(file_get_contents('php://input'), 'dataIsURL') !== false) {
    header('HTTP/1.1 503 Service Temporarily Unavailable');
    header('Status: 503 Service Temporarily Unavailable');
    exit;
}
This fix is provided without warranty and should be considered a temporary measure until a full upgrade can be performed.
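As an added example (not Sansec's snippet or Magento code), the same request-body check wrapped in a function so it can be self-tested from the command line, plus one log line per blocked request so that probes become visible to monitoring; the function names and the log path are assumptions.

```php
<?php
// Added example, not part of the original article. Assumes PHP 7.4+.
declare(strict_types=1);

const COSMICSTING_INDICATOR = 'dataIsURL';
// Placeholder path: point this at a file your log shipper already collects.
const COSMICSTING_LOG = '/var/log/magento/cosmicsting-blocked.log';

/** True when the raw request body carries the indicator Sansec's fix keys on. */
function cosmicsting_request_is_suspicious(string $body): bool
{
    return strpos($body, COSMICSTING_INDICATOR) !== false;
}

/** Appends one line per blocked request (timestamp, client IP, URI). */
function cosmicsting_log_block(string $remoteAddr, string $uri, string $logFile): void
{
    $line = sprintf("%s blocked ip=%s uri=%s\n", date('c'), $remoteAddr, $uri);
    @file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

/** Drop-in for app/bootstrap.php: logs, answers 503 and stops on a suspicious body. */
function cosmicsting_guard(): void
{
    $body = file_get_contents('php://input');
    if ($body !== false && cosmicsting_request_is_suspicious($body)) {
        cosmicsting_log_block($_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-', COSMICSTING_LOG);
        header('HTTP/1.1 503 Service Temporarily Unavailable');
        header('Status: 503 Service Temporarily Unavailable');
        exit;
    }
}

// Constructed sample bodies for a self-check when run from the CLI (php guard.php).
if (PHP_SAPI === 'cli') {
    $samples = [
        '{"cartId":"abc123","paymentMethod":{"method":"checkmo"}}' => false, // normal checkout
        '{"x":{"dataIsURL":true}}'                                  => true,  // carries indicator
    ];
    foreach ($samples as $body => $expected) {
        $result = cosmicsting_request_is_suspicious($body);
        assert($result === $expected);
        echo ($result ? 'block ' : 'allow ') . $body . "\n";
    }
}
```

The check only matches the literal indicator in the request body, which is why the article describes it as blocking most, not all, attacks; the log line exists so that blocked probes can feed an alert while the upgrade is scheduled.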
Given the severity of the CosmicSting vulnerability, Adobe Commerce and Magento store owners must apply the necessary security updates promptly.