Multiple Vulnerabilities in Magento CMS Could Allow for Remote Code Execution (APSB20-59)
ITS ADVISORY NUMBER:
2020-142
DATE(S) ISSUED:
Monday, October 19, 2020
SUBJECT:
Multiple Vulnerabilities in Magento CMS Could Allow for Remote Code Execution (APSB20-59)
OVERVIEW:
Multiple vulnerabilities have been discovered in Magento CMS, the most severe of which could allow for arbitrary code execution. Magento is a web-based e-commerce application written in PHP. Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- Magento Open Source versions prior to 2.3.6 and 2.4.1
- Magento Commerce versions prior to 2.3.6 and 2.4.1
RISK:
Government:
Large and medium government entities: High
Small government entities: Medium
Business:
Large and medium business entities: High
Small business entities: Medium
Home Users: Low
DESCRIPTION:
Multiple vulnerabilities have been discovered in Magento CMS, the most severe of which could allow for arbitrary code execution. The vulnerabilities are as follows:
-
A File Upload Allow List Bypass vulnerability could allow for Arbitrary Code Execution. (CVE-2020-24407)
-
An SQL Injection vulnerability that could allow for Arbitrary read or write access. (CVE-2020-24400)
-
Multiple Improper Authorization vulnerabilities that could allow for Unauthorized modification of customer list. (CVE-2020-24402, CVE-2020-24404, CVE-2020-24405, CVE-2020-24403)
-
An Insufficient Invalidation of User Session vulnerability could allow for Unauthorized access to restricted resources. (CVE-2020-24401)
-
An Information Disclosure vulnerability could allow for Disclosure of document root path. (CVE-2020-24406)
-
A Cross-Site Scripting vulnerability could allow for Arbitrary JavaScript execution in the browser. (CVE-2020-24408)
Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
ACTIONS:
- Verify no unauthorized system modifications have occurred on system before applying patch.
- After appropriate testing, immediately apply updates provided Magento to vulnerable systems.
- Apply the Principle of Least Privilege to all systems and services.
- Monitor intrusion detection systems for any signs of anomalous activity.
- Unless required, limit external network access to affected products.
REFERENCES:
Adobe:
https://helpx.adobe.com/security/products/magento/apsb20-59.html
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24402
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24403
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24401
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24408