Description
A critical vulnerability has been identified in the XML parser component used by Adobe Commerce. Tracked as CVE-2024-34102, it is an Improper Restriction of XML External Entity Reference (XXE) flaw that can lead to arbitrary code execution. An attacker who exploits it can read files from the server, including the store's encryption key and other sensitive data, and use them to obtain administrative access. Exploitation consists of sending a crafted XML document that references external entities; it requires no user interaction.
Affected Product(s)
- Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier (the corresponding Magento Open Source releases are affected in the same way)
Technical Details
CVE-2024-34102 is an XXE flaw that affects several versions of Adobe Commerce. Its root cause is nested deserialization in the REST API: request parameters are mapped onto nested PHP objects, and a crafted request can reach an XML parser that resolves external entities from attacker-supplied XML. On its own this gives an unauthenticated attacker arbitrary file read; combined with other weaknesses it has been escalated to arbitrary code execution.
An XXE vulnerability exists whenever an application parses untrusted XML with a parser that still honours external entity references. XML parsers can, by design, fetch external data (a local file or a remote URL) named in a DOCTYPE declaration while processing a document. An attacker with access to the vulnerable endpoint submits a crafted payload whose DTD declares external entities that the application should never resolve, and the parser resolves them on the attacker's behalf.
A critical aspect of this vulnerability, also known as the 'CosmicSting' flaw, is that it is exploitable without authentication and without any user interaction. The crafted XML document can declare external entities that point at attacker-controlled servers, at files on the server's filesystem, or at other network resources the application can reach. Reading sensitive files, such as the configuration that holds the store's cryptographic key or credentials, gives the attacker what it needs to gain elevated privileges.
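To make the file-read primitive concrete, here is an added example (it is not code from this advisory or from Adobe Commerce, which is written in PHP) using Python's standard xml.sax parser. The same parser is run twice over an attacker-style document: once with external general entities enabled, which is the misconfiguration XXE relies on (comparable to enabling entity substitution with LIBXML_NOENT in libxml2-based parsers), and once with them disabled. The 'secret' file, its contents and the entity name are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser substituted."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(document: bytes, resolve_external_entities: bool) -> str:
    """Parse XML and return its text content.

    resolve_external_entities=True is the dangerous configuration: the parser
    fetches whatever <!ENTITY name SYSTEM "..."> the sender declared (a local
    path or a URL) and substitutes it into the document. False is the
    hardened setting and is what any parser handling untrusted input should use.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document))
    return "".join(handler.parts)


def demo_file_disclosure() -> dict:
    """Show the parser leaking a server-side file when external entities are
    resolved, and leaking nothing when they are not.

    The file and its contents are constructed for this demo; it stands in for
    a configuration file holding the store's encryption key.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("crypt_key=0123456789abcdef")
        secret_path = f.name
    try:
        # Attacker-supplied document: the DTD declares an external entity
        # pointing at a server-side path and then references it in the body.
        malicious = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE data [<!ENTITY leak SYSTEM "{secret_path}">]>'
            "<data>&leak;</data>"
        ).encode()
        return {
            "vulnerable": parse_untrusted_xml(malicious, resolve_external_entities=True),
            "hardened": parse_untrusted_xml(malicious, resolve_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, text in demo_file_disclosure().items():
        print(f"{mode:10s} -> {text!r}")
```

The vulnerable run returns the file's contents as if they were part of the document; the hardened run returns an empty string because the declared entity is simply never fetched. The same two outcomes are what separate a parser configuration that is safe for untrusted input from one that is not.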
The flaw can be triggered by specially crafted HTTP POST requests to specific REST API endpoints in Adobe Commerce. For instance, POST requests to /rest/V1/guest-carts/1/estimate-shipping-methods with payloads referencing external entities have been demonstrated as effective attack vectors. The arbitrary file read is serious on its own, and it becomes unauthenticated remote code execution when chained with other known bugs such as the buffer overflow in glibc's iconv() function (CVE-2024-2961). Attackers exploiting CVE-2024-34102 need not stop at exfiltrating sensitive data: with the stolen keys they can modify it or inject malicious code, fully compromising the system.
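The endpoint above gives defenders something concrete to watch for. The following is an added example (not part of the advisory or of any Adobe tooling) of detection logic run over logged requests. It assumes a WAF or application-level request log that records method, path and body (ordinary web server access logs do not capture bodies). The optional store-code segment in the route pattern (e.g. /rest/default/V1/...) is an assumption about how Magento prefixes REST routes; the sample requests are constructed and carry only a generic DTD so the detector has something to find, not the exploit payload.

```python
import json
import re
from typing import Dict, Iterator, List

# Route the advisory names as a demonstrated vector. The optional store-code
# segment (e.g. /rest/default/V1/...) is an assumption about how Magento
# prefixes REST routes, not something the advisory states.
TARGET_ROUTE = re.compile(
    r"^/rest(?:/[A-Za-z0-9_]+)?/V1/guest-carts/[^/]+/estimate-shipping-methods/?$"
)

# DTD constructs that no legitimate storefront client puts in a request body.
XXE_MARKERS = {
    "doctype": re.compile(r"<!DOCTYPE", re.IGNORECASE),
    "entity_decl": re.compile(r"<!ENTITY", re.IGNORECASE),
    "system_id": re.compile(r"\bSYSTEM\s+[\"']", re.IGNORECASE),
    "param_entity_ref": re.compile(r"%[A-Za-z_][\w.-]*;"),
}


def _strings(value) -> Iterator[str]:
    """Yield every string nested anywhere inside decoded JSON."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def xxe_indicators(body: str) -> List[str]:
    """Return the names of DTD markers found in a request body.

    The raw body is scanned first; then, if it is JSON, every string inside it
    is scanned after decoding, so \\u003c!DOCTYPE or \\" escapes do not hide
    the markers from the regexes.
    """
    candidates = [body]
    try:
        candidates.extend(_strings(json.loads(body)))
    except ValueError:
        pass
    found = {
        name for text in candidates
        for name, pattern in XXE_MARKERS.items() if pattern.search(text)
    }
    return sorted(found)


def classify(record: Dict[str, str]) -> Dict[str, object]:
    """Score one logged request. `record` needs 'method', 'path' and 'body'."""
    path = record["path"].split("?", 1)[0]
    on_target = record["method"].upper() == "POST" and bool(TARGET_ROUTE.match(path))
    markers = xxe_indicators(record.get("body", ""))
    if on_target and markers:
        verdict = "alert"         # known vector plus DTD payload
    elif markers:
        verdict = "suspicious"    # DTD in any REST body deserves a look
    else:
        verdict = "ok"
    return {"verdict": verdict, "target_route": on_target, "markers": markers}


def scan(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [classify(r) for r in records]


# Constructed sample requests (not real traffic). The XML in them only carries a
# generic DTD so the detector has something to find; it is not the exploit payload.
GENERIC_DTD_XML = (
    '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/hostname">]>'
    "<x>&e;</x>"
)
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/rest/V1/guest-carts/1/estimate-shipping-methods",
     "body": json.dumps({"address": {"region": GENERIC_DTD_XML}})},
    # Same thing with the angle brackets JSON-escaped; the raw body shows no '<!DOCTYPE'.
    {"method": "POST", "path": "/rest/default/V1/guest-carts/abc/estimate-shipping-methods",
     "body": r'{"address":{"region":"\u003c?xml version=\"1.0\"?\u003e'
             r'\u003c!DOCTYPE x [\u003c!ENTITY e SYSTEM \"file:///etc/hostname\"\u003e]\u003e'
             r'\u003cx\u003e&e;\u003c/x\u003e"}}'},
    # Legitimate shipping estimate from a storefront.
    {"method": "POST", "path": "/rest/V1/guest-carts/1/estimate-shipping-methods",
     "body": json.dumps({"address": {"country_id": "US", "postcode": "90210"}})},
    {"method": "GET", "path": "/rest/V1/products?searchCriteria[pageSize]=10", "body": ""},
    # DTD aimed at a different REST route: not the known vector, still worth a look.
    {"method": "POST", "path": "/rest/V1/carts/mine/items",
     "body": json.dumps({"cartItem": {"sku": "<!ENTITY x SYSTEM 'file:///etc/hostname'>"}})},
]

if __name__ == "__main__":
    for rec, res in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f'{res["verdict"]:10s} {rec["method"]} {rec["path"]} markers={res["markers"]}')
```

The second sample is the reason the detector decodes JSON before matching: with the angle brackets written as \u003c, a regex over the raw body sees no DOCTYPE at all, while the decoded string contains the full DTD. Treat any DTD in a REST request body as suspicious regardless of route, and page on the combination of DTD plus the known endpoint.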
This flaw is also the foothold for more sophisticated attacks that chain several vulnerabilities to achieve broader goals such as installing persistent backdoors. The affected versions include but are not limited to:
- Adobe Commerce 2.4.7 and earlier
- Adobe Commerce 2.4.6-p5 and earlier
- Adobe Commerce 2.4.5-p7 and earlier
- Adobe Commerce 2.4.4-p8 and earlier
- Adobe Commerce Webhooks Plugin 1.2.0 through 1.4.0
The possibility of arbitrary code execution makes it critical to apply patches and updates immediately. The vulnerability is rated 9.8 (Critical) on CVSS v3.1, reflecting its severity and the urgency of remediation. The fix is to upgrade to a release in which the issue has been addressed.
Given the severity, organizations running Adobe Commerce are strongly encouraged to apply the patches provided by Adobe or, if an immediate upgrade is not feasible, to apply Adobe's isolated patch together with compensating controls.
References
- Official Adobe Security Bulletin: https://helpx.adobe.com/security/products/magento/apsb24-40.html
- Detailed analysis and PoC: https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md
Weakness
The weakness underlying this vulnerability is Improper Restriction of XML External Entity Reference (CWE-611). The other weakness classes that appear alongside it in Adobe's bulletin for the same release (Improper Input Validation, CWE-20; Improper Access Control, CWE-284; Improper Authorization, CWE-285; Improper Authentication, CWE-287; Unrestricted Upload of File with Dangerous Type, CWE-434; Improper Neutralization of Input During Web Page Generation, CWE-79; Server-Side Request Forgery, CWE-918) belong to the other vulnerabilities fixed in that bulletin, not to CVE-2024-34102, although SSRF against internal services is a natural consequence of an XXE flaw.
Impact Assessment
If exploited, this vulnerability allows an attacker to read sensitive data, execute arbitrary code on the affected system, and potentially take over the underlying host and the surrounding infrastructure. Leaking the store's cryptographic keys grants the attacker administrative access, leading to data breaches, compromise of customer information and disruption of business operations.
Active Exploitation
There are reports of active exploitation in the wild: CISA added CVE-2024-34102 to its Known Exploited Vulnerabilities catalog in July 2024, and security researchers have observed several threat groups using it against unpatched stores. Proof-of-concept (PoC) code for the CosmicSting flaw has been shared publicly and is being used in real attacks on vulnerable Adobe Commerce and Magento installations.
Ransomware Association
Public reporting has not tied CVE-2024-34102 to a specific ransomware family; CISA's catalog entry lists its use in ransomware campaigns as unknown. The campaigns that have been documented instead use the XXE flaw for initial access, steal the store's encryption key to obtain administrative API access, and then install backdoors or payment-skimming code. Ransomware deployment is an obvious follow-on once an attacker holds that level of access, which is one more reason to address the issue promptly.
Mitigation and Resolution
Adobe has released patches that address this vulnerability. Update immediately to 2.4.7-p1, or to 2.4.6-p6, 2.4.5-p8 or 2.4.4-p9 on the older supported lines (and to Webhooks Plugin 1.5.0). The patched releases, an isolated patch for stores that cannot upgrade right away, and instructions for applying them are available from Adobe's official support page. Because the flaw is used to steal the store's encryption key, patching alone does not protect a store whose key was already taken: rotate the encryption key after patching, as Adobe's updated bulletin advises. Finally, review and lock down XML parsing configurations so that external entities are never resolved for untrusted input.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Ensure your systems are running the currently supported versions as specified by Adobe’s guidance.
- Disable external entity resolution in every XML parser that handles untrusted input (for libxml2-based parsers such as PHP's, that means never enabling entity substitution with LIBXML_NOENT on untrusted data).
- Implement network-level protections to block unexpected outbound requests that may result from XXE exploitation.
- Regularly monitor and audit your systems for unusual activities or indicators of compromise.
- Stay updated with security advisories from Adobe and other trusted sources related to Adobe Commerce.
- Consider using Web Application Firewalls (WAF) to add an extra layer of protection.
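Deciding whether a given install is on a fixed release is easy to get wrong, because the fix landed as a patch level on four separate branches. The following is an added example (not from the advisory or from Adobe) of a branch-aware check; the first-fixed versions are taken from Adobe's APSB24-40 bulletin. It cannot see the isolated patch, which leaves the version string unchanged, so a negative result means "verify", not "exploitable".

```python
import re
from typing import Optional, Tuple

# First fixed release on each supported line, from Adobe's APSB24-40 bulletin.
# Keyed by branch so that comparisons never cross lines: 2.4.7 is unpatched
# even though it sorts above 2.4.6-p6, which is patched.
FIRST_FIXED = {
    (2, 4, 7): 1,   # 2.4.7-p1
    (2, 4, 6): 6,   # 2.4.6-p6
    (2, 4, 5): 8,   # 2.4.5-p8
    (2, 4, 4): 9,   # 2.4.4-p9
}
OLDEST_SUPPORTED = (2, 4, 4)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '2.4.6-p5' into ((2, 4, 6), 5); a bare '2.4.7' has patch level 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release)), int(patch or 0)


def is_patched(version: str) -> Optional[bool]:
    """True if the version carries the CVE-2024-34102 fix, False if it does not,
    None for a branch this table does not know (check the bulletin instead).

    A store on an affected version that applied Adobe's isolated patch without
    upgrading still reports the old version string, so False means 'verify'.
    """
    branch, patch = parse_version(version)
    if branch in FIRST_FIXED:
        return patch >= FIRST_FIXED[branch]
    if branch < OLDEST_SUPPORTED:
        return False   # "and earlier": end-of-life lines never received the fix
    return None


def naive_is_patched(version: str) -> bool:
    """The flat comparison some scanners make, kept here to show why it is wrong:
    anything at or above the lowest fixed version (2.4.4-p9) is called patched,
    which wrongly clears 2.4.5-p7, 2.4.6-p5 and 2.4.7."""
    branch, patch = parse_version(version)
    return branch + (patch,) >= (2, 4, 4, 9)


if __name__ == "__main__":
    for v in ["2.4.7", "2.4.7-p1", "2.4.6-p5", "2.4.6-p6", "2.4.4-p9", "2.3.7-p4"]:
        print(f"{v:10s} branch-aware={is_patched(v)!s:5s} naive={naive_is_patched(v)}")
```

Feed it the version from composer (`composer show magento/product-community-edition` or the enterprise equivalent) or from the admin footer. The important edge case is 2.4.7: it is numerically the newest of the affected releases and still vulnerable, so any check that compares across branches will pass it.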
References
- Adobe Security Bulletin APSB24-40: https://helpx.adobe.com/security/products/magento/apsb24-40.html
- GitHub public doc on CVE-2024-34102: https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md
- SecurityAffairs Research
- Blog: Why Nested Deserialization is Harmful
- Blog: Unauthenticated XXE Vulnerability in Adobe Commerce and Magento
- GitHub Magento