
CosmicSting attack threatens 75% of Adobe Commerce stores


by Sansec Forensics Team

Published in Threat Research − June 18, 2024

One week after the release of a critical security fix, just a quarter of all Adobe Commerce and Magento stores has been patched.

Update June 23rd: Sergey Temnikov (aka spacewasp), who discovered the original issue, alerted us that third parties may gain API admin access without requiring a vulnerable Linux version (the iconv issue), which makes CosmicSting even more severe. He also suggested an improved emergency fix.

Read his analysis ⟶
How I Was Paid $9,000 for a Critical Vulnerability in Adobe Commerce

CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years. In itself, it allows anyone to read private files (such as those with passwords). However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution. This killer bug grants full control to adversaries and the attack can be automated, which may lead to mass-hacks on a global scale.

CVE: 2024-34102
Type: unauthorized XXE, RCE together with CVE-2024-2961
Severity: CVSS 9.8
Automatable: no interaction needed
Exploit: verified by Sansec, not public yet
Credits: discovered by spacewasp

"It's a bad one"

Its record severity score of 9.8 on the Common Vulnerability Scoring System (CVSS), a 10-point scale, prompted this Adobe statement:

It's a bad one and you should patch. It's likely only a matter of time before somebody posts an analysis and reproduction steps.

Adobe issued a patch for CosmicSting attacks last week. While Adobe (naturally) did not share specifics of the attack, Sansec was able to reproduce the attack from the patch code. We believe bad actors are already working on the same.

For context: similarly critical security issues have occurred only three times before in Magento’s history:

At each of these occasions, tens of thousands of stores got hacked, sometimes within hours. So it is vital to upgrade your stores as soon as possible.

Upgrade concerns

Sansec, which monitors global eCommerce platforms, found that just 25% of stores have upgraded since the security release last week. A complicating factor is that the security release may break existing checkout functionality: Adobe backported the PCI-imposed CSP/SRI implementation from 2.4.7, which will likely break third-party JavaScript and inline scripts in your checkout flow. Sansec recommends switching CSP to 'Report-Only' mode before upgrading. This way your checkout keeps working, and you have sufficient time to investigate incompatible modules before the new PCI requirements come into effect in April 2025.

It is also recommended to enable CSP monitoring. Sansec offers a free CSP monitoring service which you can set up in a few minutes.

Emergency fix

If you somehow cannot upgrade within the coming days, we provide an unofficial emergency fix.

Add the following code to the top of app/bootstrap.php. It will block the majority of CosmicSting attacks. Please note that we provide this fix without warranty, use at your own risk.

// Emergency mitigation: read the raw request body once and refuse any request
// that carries the 'sourceData' key, either literally or after a JSON
// decode/encode round trip (which normalises \uXXXX-escaped key names).
// json_decode() returns null on invalid JSON, so the first strpos() then
// simply searches the string "null" and the raw check decides.
$input = file_get_contents('php://input');
if (strpos(json_encode(json_decode($input)), 'sourceData') !== false ||
    strpos($input, 'sourceData') !== false) {
    // Reject before Magento bootstraps; no application code runs for this request.
    http_response_code(503);
    exit;
}

You should still schedule a system upgrade, as adversaries may find ways to circumvent this measure.
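To make clear what the emergency fix above does and does not catch, here is the same check rewritten in Python as an added example (not code from the original post or from Sansec), as it might run in a gateway or middleware in front of the Adobe Commerce REST API. The sample request bodies are constructed; the only thing assumed is that the 'sourceData' key is the marker to block, as the post states.

```python
import json
from typing import Dict

MARKER = "sourceData"

# Constructed sample request bodies (not taken from the original post), as a
# reverse proxy or middleware in front of the Adobe Commerce REST API might see them.
SAMPLE_BODIES: Dict[str, bytes] = {
    "benign_cart": b'{"cartItem": {"sku": "24-MB01", "qty": 1}}',
    "plain_marker": b'{"order": {"entity": {"sourceData": "..."}}}',
    # Same key name, but spelled with a JSON \uXXXX escape for its first letter.
    "escaped_key": b'{"order": {"entity": {"\\u0073ourceData": "..."}}}',
    "non_json": b'<entity><sourceData>...</sourceData></entity>',
}


def contains_marker(body: bytes) -> bool:
    """Mirror of the emergency check from the post.

    Two passes: the raw bytes catch non-JSON bodies, and a decode/encode
    round trip normalises JSON escapes so an escaped key name is still
    matched. PHP's json_decode() returns null on invalid JSON; Python
    raises instead, so that case is caught and falls through to False.
    """
    raw = body.decode("utf-8", errors="replace")
    if MARKER in raw:
        return True
    try:
        normalised = json.dumps(json.loads(raw))
    except ValueError:
        return False
    return MARKER in normalised


def decide(body: bytes) -> int:
    """HTTP status the emergency fix would answer with: 503 to block, 200 otherwise."""
    return 503 if contains_marker(body) else 200


def triage(bodies: Dict[str, bytes]) -> Dict[str, int]:
    """Run the check over a batch of bodies, e.g. replayed from an access log."""
    return {name: decide(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, status in triage(SAMPLE_BODIES).items():
        print(f"{name:14s} -> {status}")
```

The escaped_key sample is why the PHP fix checks both the raw body and the re-encoded JSON: a raw substring match alone would let that body through.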
