An exploit has appeared for a critical vulnerability in Magento, and Adobe has fixed a second similar bug

An exploit has appeared for a dangerous zero-day vulnerability in Magento and Adobe Commerce (CVE-2022-24086). Adobe developers then discovered that the problem could be exploited in another way, released a new patch, and assigned the new vulnerability the ID CVE-2022-24087.

Let me remind you that the 0-day vulnerability CVE-2022-24086 (9.8 points out of 10 on the CVSS scale) was discovered and fixed last week. The bug allowed remote arbitrary code execution without authentication. According to Adobe, the root of the problem was incorrect input validation.

Already last week, the company warned that this problem was being abused by hackers, albeit so far only in rare targeted attacks. In total, researchers estimate that more than 17,000 sites are vulnerable to this problem, some of which belong to large enterprises.

Adobe has now updated the security bulletin for CVE-2022-24086 with a new issue, CVE-2022-24087, which has the same CVSS score. The new problem can also lead to remote code execution and be used in attacks. The company’s specialists have already released additional patches for Adobe Commerce and Magento Open Source.

The discovery of the second critical error (CVE-2022-24087) is credited to information security researchers known under the pseudonyms Eboda and Blaklis. They emphasize that applying only the first patch is not enough.

“A new patch has been published for Magento 2, to mitigate the pre-authenticated remote code execution. If you patched with the first patch, THIS IS NOT SUFFICIENT to be safe. Please update again!” Blaklis writes on Twitter.

Interestingly, according to Fabian Schmengler, another information security specialist and certified Magento developer, the latest fix for CVE-2022-24087 (MDVA-43443) breaks the CSS configuration for Template Styles in email templates “because all curly braces are removed to clean up input”. However, he writes that less colourful emails are a good compromise, especially if that is the price of not being exposed to the RCE vulnerability.

In the meantime, Positive Technologies analysts reported that they had created a working exploit for the original CVE-2022-24086 problem. The researchers say that attackers exploiting this bug can gain “full access to the target system with web server privileges.”

Bleeping Computer, which spoke with the experts, says that trying to protect against exploitation of this bug with WAF rules can hardly be called a good idea, since the problem can be exploited in several ways that do not require the presence of “specific and fatal constructs in the request.”

According to Positive Technologies, developing a full-fledged exploit is a rather difficult task as long as the technical details are not publicly available. However, once this hurdle is removed, attacks on vulnerable systems become “reasonably simple and straightforward.”

The researchers stated that they do not intend to make the PoC exploit they created public, and that they will not even share it privately with colleagues in the information security industry.

Recall also that last September Magento-based stores suffered from the biggest attack since 2015.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
