
Magento e-Commerce sites get security updates for severe code execution bugs
A critical vulnerability in the Magento e-Commerce platform can allow arbitrary code execution when exploited by threat actors. Adobe released security updates today to fix three security flaws affecting Magento Commerce and Magento Open Source.
Affected software includes versions 2.3.5-p1 and earlier of both Magento Commerce and Magento Open Source.
Store owners with impacted Magento sites should upgrade to Magento 2.4.0, or upgrade to Magento Commerce or Magento Open Source 2.3.5-p2.
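The affected and fixed releases named above are easy to misread because Magento security patches carry a `-pN` suffix, so `2.3.5` sorts below `2.3.5-p1`, which in turn sorts below `2.3.5-p2`. The following script, added here as an example and not part of the article or of Magento, parses such version strings, compares them against the boundaries stated in the advisory summary, and reports which stores in a fleet still need the upgrade. It assumes the version is read from the output of `bin/magento --version` in the form `Magento CLI 2.3.5-p1`; the store names and version lines below are constructed sample data.

```python
import re
from typing import Dict, Tuple

# Release boundaries as stated in the advisory summary:
# 2.3.5-p1 and earlier are affected; 2.3.5-p2 and 2.4.0 carry the fixes.
AFFECTED_MAX = "2.3.5-p1"
FIXED_RELEASES = ("2.3.5-p2", "2.4.0")

# Magento versions look like MAJOR.MINOR.PATCH with an optional -pN
# security patch suffix (for example 2.3.5-p1).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2.3.5-p1' into (2, 3, 5, 1).

    A release with no -pN suffix gets patch level 0, so that
    2.3.5 < 2.3.5-p1 < 2.3.5-p2 < 2.4.0 under plain tuple comparison.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_from_cli_output(line: str) -> str:
    """Pull the version out of a `bin/magento --version` line.

    The output format 'Magento CLI 2.3.5-p1' is an assumption made for
    this example; adjust the pattern if your installation prints differently.
    """
    m = re.search(r"\b(\d+\.\d+\.\d+(?:-p\d+)?)\b", line)
    if not m:
        raise ValueError(f"no version found in: {line!r}")
    return m.group(1)


def is_affected(version: str) -> bool:
    """True when the version is 2.3.5-p1 or earlier."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def audit(stores: Dict[str, str]) -> Dict[str, str]:
    """Map store name -> status for a fleet given as {name: cli_output_line}."""
    report = {}
    for name, line in stores.items():
        version = version_from_cli_output(line)
        if is_affected(version):
            report[name] = (f"{version}: AFFECTED, upgrade to "
                            f"{' or '.join(FIXED_RELEASES)}")
        else:
            report[name] = f"{version}: patched"
    return report


if __name__ == "__main__":
    # Constructed sample fleet; not real store data.
    sample = {
        "shop-eu": "Magento CLI 2.3.5-p1",
        "shop-us": "Magento CLI 2.3.5-p2",
        "shop-legacy": "Magento CLI 2.3.4",
        "shop-new": "Magento CLI 2.4.0",
    }
    for name, status in audit(sample).items():
        print(f"{name}: {status}")
```

The comparison is deliberately a plain tuple comparison rather than a string comparison: a string comparison would rank `2.3.5-p2` below `2.3.5` because `-` sorts before the end of the shorter string, which is exactly the mistake that leaves a store reported as patched when it is not.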
The first flaw is critical and tracked as CVE-2020-9689 in the national database of Common Vulnerabilities and Exposures. It can allow threat actors to run arbitrary computer code on the server when exploited. The security flaw is still listed as reserved in the CVE database and further details will become available when enough sites have been updated and secured.
The other two security bugs, CVE-2020-9690 and CVE-2020-9691, are listed as important. CVE-2020-9690 can allow signature verification bypass, and CVE-2020-9691 can also allow arbitrary code execution.
Currently, there are no known attacks that exploit any of these three security bugs.
Security Risks for Magento Sites
Magento stores that are not kept up to date with the latest security patches are vulnerable to malware and other attacks used by threat actors. Malicious JavaScript is used in attacks known as MageCart attacks to compromise Magento websites and exfiltrate customer payment card numbers and other sensitive data.
The Federal Bureau of Investigation (FBI) has warned governmental agencies and businesses to defend against MageCart attacks and encourages e-Commerce site owners to keep their stores updated with security patches.
MageCart Attacks
MageCart attacks steal payment information from Magento e-Commerce sites. Threat actors inject malicious computer code and use it to steal payment card information from shoppers as they move through an online checkout. Neither the Magento website owner nor the customer is aware that the threat actors are stealing payment cards. MageCart malware is in use by a number of hacking organizations.
Hackers infect a website with MageCart malware by exploiting security bugs or by compromising third-party vendors or website integrations when they are not kept up to date.
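Because a MageCart skimmer is injected script that the store owner never put there, one practical detection is to compare the scripts actually served on the checkout page against an allowlist of hosts the store is known to load from. The script below, added here as an example and not code from the article or from Magento, parses a checkout page, reports any external script whose host is not on the allowlist, and counts inline scripts so that a change from the established baseline can be alerted on. The page HTML, the store host `static.example-store.test` and the unknown host `cdn.unknown-host.test` are constructed sample data.

```python
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external ones by src, inline ones
    by count."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_count += 1


def unexpected_scripts(html: str, allowed_hosts: Set[str]) -> List[str]:
    """Return script src values whose host is not on the allowlist.

    Relative URLs (no host) are treated as first-party and are not flagged;
    every src with a host that is not explicitly allowed is reported.
    Protocol-relative URLs (//host/path) are handled, since urlparse
    still yields their netloc.
    """
    collector = ScriptCollector()
    collector.feed(html)
    flagged = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            flagged.append(src)
    return flagged


def inline_script_count(html: str) -> int:
    """Number of <script> elements without a src attribute."""
    collector = ScriptCollector()
    collector.feed(html)
    return collector.inline_count


# Constructed sample checkout page: one first-party relative script, one
# script from the store's own static host, one inline script, and one
# script from a host the store does not use.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/version1/frontend/checkout.js"></script>
<script src="https://static.example-store.test/js/payment.js"></script>
<script>window.checkoutConfig = {};</script>
<script src="https://cdn.unknown-host.test/jquery.min.js"></script>
</head><body></body></html>
"""

# Hosts the store is known to load scripts from (lowercase).
ALLOWED_HOSTS = {"static.example-store.test"}


if __name__ == "__main__":
    for src in unexpected_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS):
        print(f"unexpected script source: {src}")
    print(f"inline scripts on page: {inline_script_count(SAMPLE_CHECKOUT_HTML)}")
```

This check only covers script tags present in the served HTML. Skimmer code that has been appended to an existing first-party file, or loaded by another script at runtime, passes the allowlist, so the check belongs alongside file integrity monitoring of the web root and a Content-Security-Policy that restricts script sources, rather than replacing them.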
Websites belonging to jewelry retailer Claire’s and its subsidiary Icing were attacked with MageCart malware between April 30 and June 13 of this year. Earlier this month, a North Korean advanced persistent threat group, called Lazarus Group, was found to be attacking major online retailers with MageCart. The attacks started in approximately May 2019.
Credit card skimming can impact any e-Commerce website as well as physical point-of-sale (POS) terminals at retail locations.
Credit card skimming isn’t the only kind of cyber attack that can impact an e-Commerce website. Threat actors can attack any server with the type of cyber attack known as a distributed denial of service, or DDoS, attack. In this attack, attackers flood a server with a very large number of requests. The server begins to respond slowly or may stop responding altogether, because it was not designed to handle so much work. For example, a DDoS attack may use malicious code and a botnet to request web pages at a rate of thousands per second. The resulting server load would render the website slow and unable to serve pages to human visitors.
Magento 1 Sunset
The first generation of Magento software, Magento 1.X, reached its end of life on June 30, 2020. All versions of Magento prior to version 2.0 are sunsetted, meaning there will be no more security patches or upgrades. Although stores running Magento 1.X will continue to run for now, they can become incompatible with add-ons and third-party integrations.