CosmicSting attack threatens 75% of Adobe Commerce stores
by Sansec Forensics Team
Published in Threat Research − June 18, 2024
One week after the release of a critical security fix, just a quarter of all Adobe Commerce and Magento stores have been patched.
CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years. In itself, it allows anyone to read private files (such as those with passwords). However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution. This killer bug grants full control to adversaries and the attack can be automated, which may lead to mass-hacks on a global scale. (Update July 1st: this is happening right now)
| CVE | 2024-34102 |
|---|---|
| Type | unauthorized XXE, RCE together with CVE-2024-2961 |
| Severity | CVSS 9.8 |
| Automatable | no interaction needed |
| Exploit | verified by Sansec, not public yet |
| Credits | discovered by spacewasp |
"It's a bad one"
Its record severity score of 9.8 on the Common Vulnerability Scoring System (CVSS), a 10-point scale, prompted this Adobe statement:
It's a bad one and you should patch. It's likely only a matter of time before somebody posts an analysis and reproduction steps.
Adobe issued a patch for CosmicSting attacks last week. While Adobe (naturally) did not share specifics of the attack, Sansec was able to reproduce the attack from the patch code. We believe bad actors are already working on the same.
For context: similarly critical security issues have occurred only three times before in Magento’s history:
On each of these occasions, tens of thousands of stores were hacked, sometimes within hours. So it is vital to upgrade your stores as soon as possible.
Attack patterns
As of June 27th, we see actual attack and mass scanning attempts in the wild. We collect and publish live CosmicSting attacker infrastructure and indicators of compromise here.
Upgrade concerns
Sansec, which monitors global eCommerce platforms, found that just 25% of stores have upgraded since the security release last week. A complicating factor is that the security release may break existing checkout functionality. Adobe backported the PCI-imposed CSP/SRI implementation from 2.4.7. This will likely break third-party JavaScript and inline scripts in your checkout flow. Sansec recommends switching to 'Report-Only' mode before upgrading. This way, your checkout will keep working, and you will have sufficient time to investigate incompatible modules before the new PCI requirements come into effect in April 2025.
It is also recommended to enable CSP monitoring. Sansec offers a free CSP monitoring service which you can set up in a few minutes.
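As an added illustration (not Sansec's or Adobe's code), the following module `etc/config.xml` switches Magento_Csp to Report-Only mode so that violations are reported instead of blocked while you review incompatible checkout scripts. The module name `Vendor_CspReportOnly` and the report endpoint URL are placeholders, and the checkout-specific scope key is an assumption based on the per-page CSP modes introduced in 2.4.7.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/CspReportOnly/etc/config.xml (placeholder module name) -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <!-- Storefront: report violations, do not block scripts yet -->
                <storefront>
                    <report_only>1</report_only>
                    <!-- Placeholder endpoint; point it at your CSP monitoring service -->
                    <report_uri>https://csp-reports.example.invalid/report</report_uri>
                </storefront>
                <!-- Assumption: 2.4.7 sets checkout pages to restrict mode via a
                     page-specific scope; override it to report-only during review -->
                <storefront_checkout_index_index>
                    <report_only>1</report_only>
                    <report_uri>https://csp-reports.example.invalid/report</report_uri>
                </storefront_checkout_index_index>
                <!-- Admin panel: same approach -->
                <admin>
                    <report_only>1</report_only>
                    <report_uri>https://csp-reports.example.invalid/report</report_uri>
                </admin>
            </mode>
        </csp>
    </default>
</config>
```

Once the reports show no legitimate checkout scripts being flagged, set `report_only` back to `0` to enforce the policy before the April 2025 deadline.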
Emergency fix
Previously Sansec provided an emergency fix, but as of June 27th, Adobe now provides an official, isolated security fix that can be applied all the way back to Magento 2.2.0, without having to upgrade. If you had previously applied the Sansec fix, we recommend replacing it with the official Adobe patch.