A vulnerability dubbed “CosmicSting” impacting Adobe Commerce and Magento websites remains largely unpatched nine days after the security update has been made available, leaving millions of sites open to catastrophic attacks.

According to Sansec’s stats, roughly three out of four websites using the impacted e-commerce platforms have not patched against CosmicSting, which puts them at risk of XML external entity injection (XXE) and remote code execution (RCE).

“CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years,” says Sansec.

“In itself, it allows anyone to read private files (such as those with passwords). However, combined with the recent iconv bug in Linux, it turns into the security nightmare of remote code execution.”

The flaw, rated critical (CVSS score: 9.8), impacts the following product versions:

• Adobe Commerce 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
• Adobe Commerce Extended Support 2.4.3-ext-7 and earlier, 2.4.2-ext-7 and earlier, 2.4.1-ext-7 and earlier, 2.4.0-ext-7 and earlier, 2.3.7-p4-ext-7 and earlier.
• Magento Open Source 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8
• Adobe Commerce Webhooks Plugin versions 1.2.0 to 1.4.0

Sansec says that despite Adobe omitting technical details on its bulletin to avoid fueling active exploitation, effective attack methods can be easily inferred from the patch code, which its analysts used for reproducing the attack.

Based on the severity and low complexity of deducing effective attack paths, Sansec estimates that CosmicSting ticks all boxes to become one of the most damaging attacks in e-commerce’s history, alongside “Shoplift“, “Ambionics“, and “Trojan Order.”

Apply fix or mitigation now

The vendor released fixes for CVE-2024-34102 with the following versions, which e-commerce platform administrators are recommended to apply as soon as possible:

• Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
• Adobe Commerce Extended Support 2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8
• Magento Open Source 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9
• Adobe Commerce Webhooks Plugin version 1.5.0

Sansec recommends that site admins switch to ‘Report-Only’ mode before upgrading to avoid an issue that may break checkout functionality.

For those who are unable to upgrade right now, they are advised to take the following two measures:

First, check if you’re Linux system is using a glibc library vulnerable to CVE-2024-2961 using the below command, and upgrade as required. The command below will download a C source code file, compile it, and run it on your computer to detect if you’re vulnerable.

curl -sO https://sansec.io/downloads/cve-2024-2961.c &&
gcc cve-2024-2961.c -o poc &&
./poc

Next, you need to add the following “emergency fix” code on ‘app/bootstrap.php’ to block most CosmicSting attacks.

if (strpos(file_get_contents('php://input'), 'dataIsURL') !== false) {
    header('HTTP/1.1 503 Service Temporarily Unavailable');
    header('Status: 503 Service Temporarily Unavailable');
    exit;
}

BleepingComputer has not tested the fix and cannot guarantee its effectiveness or safety, so use it at your own risk.