After researchers discovered an SQL injection vulnerability in Magento’s code, the company issued a security fix for more than 30 different vulnerabilities in its software, which reportedly has put more than 300,000 e-commerce sites at risk of card-skimming attacks.
Online businesses have been strongly urged to download the latest fix, with the warning that Magento versions prior to 2.3.1 are vulnerable and are being exploited in the wild.
According to the March 26 Magento advisory, "Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.1. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can."
With a Common Vulnerability Scoring System (CVSS) severity rating of 9.8, PRODSECBUG-2192 would allow "an authenticated user with privileges to create newsletter or email templates that can execute arbitrary code through crafted newsletter or email template code."
No proof of concept yet exists, but exploitation is relatively easy, according to Satnam Narang, senior research engineer at Tenable. "Magento site owners should upgrade to these patched versions as soon as possible. Magento e-commerce websites have been a popular target for cybercriminals for years, so the existence of an unauthenticated remote code execution bug certainly won’t go unnoticed."
Instead of credential dumps, criminals are using stolen credit card dumps that can result in immediate financial losses for consumers and fraud losses for merchants, said Ameya Talwalkar, co-founder and CPO, Cequence. "This is a unique case of an application vulnerability being exploited for business logic abuse. We’ve detected and blocked similar attacks to this that have targeted our own retail customers. This particular attack is very similar to credential checking attacks on login applications using malicious automation or bots."
"Normally retail applications do not allow for $0 transactions, but due to the newly discovered vulnerability in Magento, it allows these $0 transactions and opens the door for checking stolen credit and gift cards for validation."
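The card-checking abuse Talwalkar describes leaves a recognisable trace in checkout logs: one client cycling through many distinct cards at a $0 order total in a short burst. The script below is an added example written for this article, not Magento code and not from Cequence or Tenable; it models the two defensive controls a merchant would want, a server-side rule that rejects $0 orders unless explicitly permitted, and a sliding-window detector that flags card-testing bursts. The log format, field names and sample IP addresses and card tokens are constructed for the example.

```python
"""Detect card-testing bursts in checkout logs and enforce a no-$0-order rule.

Added example (not Magento's code). The log line format
"<ISO timestamp> <client ip> <amount> <card token> <result>" is constructed
for this example; real stores would read the same fields from their own
order or payment-gateway logs.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CheckoutAttempt:
    ts: datetime
    client_ip: str
    amount: float          # order total in the store currency
    card_fingerprint: str  # tokenised card reference, never the raw PAN
    result: str            # "approved" or "declined" from the gateway


def parse_line(line: str) -> CheckoutAttempt:
    """Parse one constructed log line into a CheckoutAttempt."""
    ts, ip, amount, fingerprint, result = line.split()
    return CheckoutAttempt(datetime.fromisoformat(ts), ip, float(amount),
                           fingerprint, result)


def zero_amount_checkout_allowed(amount: float,
                                 free_order_whitelisted: bool = False) -> bool:
    """Server-side rule: a $0 order is valid only when explicitly permitted
    (e.g. a fully discounted order the business has approved); negative
    totals are never valid."""
    if amount < 0:
        return False
    if amount == 0:
        return free_order_whitelisted
    return True


def detect_card_testing(attempts, window=timedelta(seconds=60),
                        min_distinct_cards=5, max_amount=0.0):
    """Return {client_ip: distinct_cards} for every client that tried at
    least `min_distinct_cards` different cards at an order total of at most
    `max_amount` inside any sliding window of length `window`."""
    flagged = {}
    recent = defaultdict(deque)  # client_ip -> deque of (ts, fingerprint)
    for attempt in sorted(attempts, key=lambda a: a.ts):
        if attempt.amount > max_amount:
            continue  # normal-priced orders are not card-testing probes
        queue = recent[attempt.client_ip]
        queue.append((attempt.ts, attempt.card_fingerprint))
        # Drop entries that have aged out of the sliding window.
        while queue and attempt.ts - queue[0][0] > window:
            queue.popleft()
        distinct = len({fp for _, fp in queue})
        if distinct >= min_distinct_cards:
            flagged[attempt.client_ip] = max(flagged.get(attempt.client_ip, 0),
                                             distinct)
    return flagged


# Constructed sample: one client probes five different cards at $0 within
# eleven seconds; a second client places a normal order and a single $0 order.
SAMPLE_LOG = """\
2019-03-27T10:00:00 203.0.113.7 0.00 tok_a1 declined
2019-03-27T10:00:03 203.0.113.7 0.00 tok_b2 declined
2019-03-27T10:00:05 203.0.113.7 0.00 tok_c3 approved
2019-03-27T10:00:08 203.0.113.7 0.00 tok_d4 declined
2019-03-27T10:00:11 203.0.113.7 0.00 tok_e5 approved
2019-03-27T10:00:20 198.51.100.4 49.99 tok_f6 approved
2019-03-27T10:05:00 198.51.100.4 0.00 tok_g7 approved
"""


def analyse(log_text: str = SAMPLE_LOG):
    """Parse a log and return the card-testing suspects found in it."""
    attempts = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return detect_card_testing(attempts)


if __name__ == "__main__":
    for ip, count in analyse().items():
        print(f"card-testing suspect {ip}: {count} distinct cards at $0 within 60s")
```

The detector keys on distinct card tokens rather than on raw attempt count, because a legitimate shopper retrying the same card after a decline produces many attempts but only one token. The `zero_amount_checkout_allowed` rule is the mitigation side of the same point: if the application never accepts a $0 total it was not configured to accept, the validation channel the quote describes is closed regardless of how the request reached the checkout.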