Magento 2 critical vulnerability (CVE-2022-24086 & CVE-2022-24087)

by Sansec Forensics Team

Published in Threat Research − February 14, 2022

Adobe has released two emergency patches for a critical vulnerability in Magento 2. You need to apply both patches, in order. The vulnerability allows unauthenticated remote code execution (RCE), which is the worst possible type. Actual abuse has already been reported. To illustrate the severity, Adobe issued a patch on Sunday, which is highly unusual for Magento.

Sansec expects that mass scanning and exploitation will happen within days.

Update Feb 21st, 2022: Sansec has observed the first actual attacks in the wild. Patch now! Unfortunately, this validates our previous prediction that abuse would start within days. Attacks are coming from 45.134.20.11 and target a variety of URL endpoints, making it harder to add protection via a WAF/firewall. Magento 2 merchants should really patch now.

Update Feb 17th, 2022: Adobe has released another emergency patch. Merchants running Magento 2.3.3 and above need to urgently apply both patches:

  • MDVA-43395 (Feb 13th)
  • MDVA-43443 (Feb 17th)

The text below has been updated.

How to fix

If you are running Magento 2.3 or 2.4, install both patches from Adobe as soon as possible, ideally within the next few hours.

If you are running a version of Magento 2 between 2.3.3 and 2.3.7, you should be able to apply the patches manually, since the changes only concern a few lines.

If you are running Magento 2.3.3 or below, you are not directly vulnerable. However, Sansec still recommends manually implementing the patches (at the very least the code changes that affect vendor/magento/module-email/Model/Template/Filter.php).

For anyone using vaimo/composer-patches, the patch files can be applied across magento/framework and magento/module-email with the configuration below (credits Luke Rodgers); it applies both patches in the correct order.

    "patches": {
        "*": {
            "Apply MDVA-43395": {
                "source": "patches/magento/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch",
                "targets": [
                    "magento/framework",
                    "magento/module-email"
                ]
            },
            "Apply MDVA-43443": {
                "source": "patches/magento/MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch",
                "targets": [
                    "magento/framework",
                    "magento/module-email"
                ],
                "after": "MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch"
            }
        }
    }

More detailed guides on how to implement these patches using composer:

Hot fix measures for ISPs

Due to the dynamic nature of the vulnerability, there is currently no way to filter this attack pattern at a proxy or web server. To identify attack probes, you could log HTTP POST requests that contain the following in the body. This may produce false positives, so matches should be examined manually.

{{ .... }}
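The logging check described above, as an added example that is not part of the original post: it flags POST bodies containing a `{{ ... }}` fragment, decodes one layer of percent-encoding first (a raw byte match misses form posts, where braces arrive as `%7B`/`%7D`), and runs over a few constructed sample requests, including a benign one that shows why matches need manual review.

```python
import re
from urllib.parse import unquote_plus

# Pattern from the advisory: a "{{ .... }}" fragment anywhere in the body.
# Non-greedy and DOTALL so multi-line bodies are covered.
TEMPLATE_DIRECTIVE = re.compile(r"\{\{.*?\}\}", re.DOTALL)


def decode_body(body: str) -> str:
    """Remove one layer of percent-encoding (form posts encode '{{' as '%7B%7B')."""
    return unquote_plus(body)


def find_directives(body: str) -> list:
    """Return every {{ ... }} fragment found in the decoded POST body."""
    return TEMPLATE_DIRECTIVE.findall(decode_body(body))


def is_suspicious_post(method: str, body: str) -> bool:
    """The advisory scopes the check to POST bodies; other methods are ignored here."""
    return method.upper() == "POST" and bool(find_directives(body))


# Constructed sample requests (not real traffic): (method, path, body).
SAMPLE_REQUESTS = [
    ("POST", "/customer/account/createpost/", "firstname=Jane&lastname=Doe&email=jane%40example.com"),
    ("POST", "/customer/account/createpost/", "firstname=%7B%7B+probe+%7D%7D&lastname=Doe"),
    ("POST", "/contact/index/post/", '{"name": "{{ probe }}", "comment": "hello"}'),
    ("GET", "/catalogsearch/result/", "q=%7B%7Bprobe%7D%7D"),
    # A shopper who literally typed braces: a hit, but a false positive on review.
    ("POST", "/review/product/post/", "title=Great+%7B%7B+hugs+%7D%7D+product"),
]


def scan(requests) -> list:
    """Return (path, fragments) for each POST whose body carries a directive-like fragment."""
    hits = []
    for method, path, body in requests:
        if is_suspicious_post(method, body):
            hits.append((path, find_directives(body)))
    return hits


if __name__ == "__main__":
    for path, fragments in scan(SAMPLE_REQUESTS):
        print(f"review manually: {path} -> {fragments}")
```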

Implications

These vulnerabilities have a severity similar to the Magento Shoplift vulnerability from 2015. At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit was published.

We strongly recommend that merchants implement countermeasures today. Our eComscan security monitor will alert you about any unpatched or incorrectly patched installations.
