Multiple Vulnerabilities in Magento CMS Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2019-036
Date(s) Issued: 
Tuesday, April 2, 2019
Subject: 
Multiple Vulnerabilities in Magento CMS Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been identified in Magento CMS, the most severe of which could allow for remote code execution. Magento is a web-based e-commerce application written in PHP. Successful exploitation of the most severe of these vulnerabilities could give an attacker remote code execution on the web server that hosts the store.

Systems Affected: 
  • Magento Open Source versions prior to 2.3.1
  • Magento Commerce versions prior to 2.3.1
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Description: 

Multiple vulnerabilities have been identified in Magento CMS, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

  • An unauthenticated user can exploit an SQL injection vulnerability to read sensitive data from the database and, through that, execute arbitrary code.
  • An authenticated user with administrative privileges can execute arbitrary code through email templates.
  • An authenticated user can embed malicious code through a stored cross-site scripting vulnerability or an SQL injection vulnerability in the Catalog section by manipulating attribute_code.
  • An authenticated user with administrative privileges can execute arbitrary code through a Phar deserialization vulnerability.
  • An authenticated user with privileges to configure store settings can achieve arbitrary code execution through server-side request forgery.
  • An authenticated user with privileges to configure email templates can execute arbitrary code via a PHP archive deserialization vulnerability.
  • An authenticated user with administrative privileges can upload PHP files and use them to access sensitive data, because the NGINX configuration allows PHP files to be executed from any directory.
  • An authenticated user with administrative privileges can embed arbitrary code when editing the Newsletter section of the admin panel.
  • An authenticated user with privileges to the Customer Segments section of the Admin can use a stored cross site scripting vulnerability to embed malicious code.
  • An authenticated user can create a B2B account without administrative approval due to an authentication bypass vulnerability.
  • An authenticated customer can control other customers' requisition lists by sending a request to a web API endpoint that overrides the customer_id parameter.
  • An authenticated user with privileges to configure email templates can execute arbitrary SQL queries.
  • An authenticated user with privileges to the Admin requisition list ID can use a cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with administrative privileges can embed arbitrary code in the Conditions tab of Admin Shopping Cart Rules page.
  • An attacker can delete a product attribute within the context of an authenticated administrator's session through cross-site request forgery.
  • An attacker can delete the site map within the context of an authenticated administrator's session through cross-site request forgery.
  • An attacker can delete all synonyms groups within the context of an authenticated administrator's session through cross-site request forgery.
  • An authenticated user with administrative privileges can embed arbitrary code via a stored cross site scripting vulnerability in the Terms & Conditions with Checkbox Text field in the admin panel.
  • An authenticated user with privileges to edit the Admin notification section can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to product name fields on the Admin can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the B2B packages through an unsanitized URL parameter can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the Admin **Stores** > **Attributes** > **Product** configuration area can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the Checkbox Custom Option Value field on the Admin can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to B2B packages through an unsanitized URL parameter can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with administrative privileges can embed malicious code in the Attribute Label for Media Attributes section in the admin panel.
  • An authenticated user with administrative privileges can manipulate the notification feed, which allows an attacker to use a cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the Admin **Products** > **Catalog** configuration section can use a stored cross-site scripting vulnerability to embed malicious code.
  • An authenticated user with privileges to the Admin product configurations section can use a stored cross-site scripting vulnerability to embed malicious code.
  • An attacker can delete the content of the wysiwyg directory within the context of an authenticated administrator's session via cross-site request forgery.
  • Send to a friend page can be used for spamming due to missing CAPTCHA.
  • Magento 2.x default configuration allows public access to custom PHP settings.
  • An authenticated user can view personally identifiable details of another user by exploiting an insecure direct object reference vulnerability.
  • The share-a-wishlist functionality can be used for spamming.
  • Exception error reports capture administrative credentials in clear text format.
  • An authenticated user can enumerate and access unauthorized wishlist via insecure direct object reference in the application.
  • An authenticated user can add and execute a malicious script on an HTML page through a vulnerable CLI command due to lack of data validation.
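The requisition-list item above (an authenticated customer controlling another customer's list by overriding the customer_id parameter in a web API request) is the classic insecure direct object reference: the server authorizes against a value the client sent instead of the identity bound to the session. The following is added example code written for this advisory, not Magento's web API; the store state, session identifiers and request bodies are all constructed, and the handlers are plain functions standing in for REST endpoints.

```python
"""Insecure direct object reference on a requisition-list endpoint.

Example code written for this advisory (not Magento's own code). It models
customer 2 trying to rewrite customer 1's list by supplying customer_id=1
in the request body, against a vulnerable and a fixed handler.
"""


class Forbidden(Exception):
    """Raised when the caller does not own the requisition list."""


def fresh_store():
    # Constructed state: list id -> owner and items. Customer 1 owns list 101.
    return {101: {"customer_id": 1, "items": ["SKU-A"]},
            202: {"customer_id": 2, "items": ["SKU-B"]}}


def update_list_vulnerable(store, session_customer_id, body):
    """Authorizes against body['customer_id'], which the client controls."""
    lst = store[body["list_id"]]
    # BUG: the ownership check compares against an attacker-supplied value,
    # so sending customer_id=1 lets customer 2 pass the check for list 101.
    if lst["customer_id"] != body["customer_id"]:
        raise Forbidden()
    lst["items"] = list(body["items"])
    return lst


def update_list_fixed(store, session_customer_id, body):
    """Authorizes against the identity bound to the authenticated session."""
    lst = store[body["list_id"]]
    # Ownership comes from the session; any customer_id in the body is ignored.
    if lst["customer_id"] != session_customer_id:
        raise Forbidden()
    lst["items"] = list(body["items"])
    return lst


def takeover_succeeds(handler):
    """Customer 2 attacks list 101 through `handler`; True if the list changed."""
    store = fresh_store()
    attacker_session = 2
    forged_body = {"list_id": 101, "customer_id": 1, "items": ["SKU-EVIL"]}
    try:
        handler(store, attacker_session, forged_body)
    except Forbidden:
        pass
    return store[101]["items"] == ["SKU-EVIL"]


def owner_update_works(handler):
    """The legitimate owner (customer 1) updates their own list 101."""
    store = fresh_store()
    handler(store, 1, {"list_id": 101, "customer_id": 1, "items": ["SKU-C"]})
    return store[101]["items"] == ["SKU-C"]


if __name__ == "__main__":
    print("vulnerable handler hijacked:", takeover_succeeds(update_list_vulnerable))
    print("fixed handler hijacked:", takeover_succeeds(update_list_fixed))
    print("owner still served by fix:", owner_update_works(update_list_fixed))
```

The fix is not an extra check on customer_id; it is refusing to read the owner from the request at all. Any field that names a principal (customer_id, account_id, owner) should be dropped from the request schema or ignored server-side, and the object looked up with the session identity as part of the query.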

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution. This may result in leakage of sensitive data such as administrator sessions and credentials, and may be used to gain access to the admin dashboard and to customer personal and financial data.

Actions: 
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.
  • After appropriate testing, immediately apply updates provided by Magento to affected systems.
  • Apply the Principle of Least Privilege to all systems and services.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.
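The first two actions above (check for unauthorized modifications, then confirm the installed version is at or past the fix) can be scripted. The following is added example code written for this advisory, not a Magento or vendor tool. It reads the Magento package version pinned in composer.lock and compares it with 2.3.1 (the only fixed version this advisory names), and it looks for PHP files planted under directories that should hold only static content, which is what the "upload PHP files" issue combined with an NGINX configuration that executes PHP from any directory would leave behind. The Composer package names, the list of static directories, the web-shell regex and the sample tree are assumptions constructed for the example.

```python
"""Pre-patch audit for a Magento 2 install (example code for this advisory).

Checks: (1) installed Magento version from composer.lock versus the fixed
2.3.1; (2) PHP files under static-content directories, flagging those that
hand request data to a code or command sink. Package names, directory list
and the regex heuristic are assumptions, not taken from the advisory.
"""
import json
import os
import re
import shutil
import tempfile

FIXED_VERSION = "2.3.1"
MAGENTO_PACKAGES = (
    "magento/product-community-edition",   # Open Source (assumed package name)
    "magento/product-enterprise-edition",  # Commerce (assumed package name)
)
# Directories that should never hold executable PHP in a stock layout (assumed).
STATIC_DIRS = ("pub/media", "pub/static", "var")
# Heuristic: code/command sink fed directly from request data or base64_decode().
SHELL_PATTERN = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen)\s*\(\s*"
    rb"(\$_(GET|POST|REQUEST|COOKIE)\b|base64_decode\s*\()",
    re.IGNORECASE,
)


def version_tuple(version):
    """'2.3.0' -> (2, 3, 0); suffixes such as '-p1' are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def is_vulnerable_version(version):
    """True when the installed version is older than the fixed release."""
    return version is not None and version_tuple(version) < version_tuple(FIXED_VERSION)


def installed_version(root):
    """Return the Magento package version pinned in <root>/composer.lock, or None."""
    with open(os.path.join(root, "composer.lock"), encoding="utf-8") as fh:
        lock = json.load(fh)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in MAGENTO_PACKAGES:
            return pkg.get("version")
    return None


def find_rogue_php(root):
    """Sorted list of (relative path, looks_like_shell) for PHP under STATIC_DIRS."""
    hits = []
    for rel in STATIC_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, rel)):
            for name in files:
                if not name.lower().endswith((".php", ".phtml", ".phar")):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    suspicious = SHELL_PATTERN.search(fh.read()) is not None
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), suspicious))
    return sorted(hits)


def audit(root):
    version = installed_version(root)
    return {"version": version,
            "needs_patch": is_vulnerable_version(version),
            "rogue_php": find_rogue_php(root)}


def make_sample_install(root, version="2.3.0"):
    """Constructed sample tree standing in for a real store; not real data."""
    files = {
        "composer.lock": json.dumps({"packages": [
            {"name": "magento/product-community-edition", "version": version}]}).encode(),
        "pub/media/catalog/product/a.jpg": b"\xff\xd8\xff",   # benign image
        "pub/static/frontend/app.js": b"console.log(1);",      # benign asset
        "var/log/system.log": b"main.INFO: ok",                # benign log
        # planted shell: eval of base64-decoded POST data
        "pub/media/wysiwyg/cache.php": b'<?php eval(base64_decode($_POST["c"])); ?>',
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def demo():
    """Run the audit against the constructed sample and return its findings."""
    root = tempfile.mkdtemp(prefix="magento-audit-")
    try:
        make_sample_install(root)
        return audit(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    result = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("installed version:", result["version"])
    print("needs 2.3.1 patch:", result["needs_patch"])
    for path, suspicious in result["rogue_php"]:
        print("PHP under static dir:", path, "(web-shell pattern)" if suspicious else "")
```

Run it as `python audit.py /var/www/magento` against a real install, or with no argument to exercise the constructed sample. Any PHP file it reports under pub/media, pub/static or var warrants a hash comparison against a known-good deployment before the patch goes on, since patching does not remove an already-planted shell; the regex only prioritizes, a file it does not flag is not thereby clean.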