Another way (as an extension) to fix CVE-2024-34102 (XXE vulnerability) with an extra XML security enhancement. If you cannot upgrade Magento or cannot apply the official patch, this extension is an alternative solution.
If you don't fix this vulnerability, the attacker can achieve remote code execution (RCE). We've already observed real-world attacks.
Affected Magento versions:
- 2.3.0 ~ 2.4.4-p8
- 2.4.5 ~ 2.4.5-p7
- 2.4.6 ~ 2.4.6-p5
- 2.4.7
CVE-2024-34102 (aka CosmicSting) was identified as an XXE vulnerability and the details were published in June 2024. By exploiting this vulnerability, the attacker can read secret and important configuration files on the server.
Typically, the attacker will extract the encryption keys in env.php.
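Because this is an XXE issue, the generic defensive check is to refuse any XML document that carries a DOCTYPE (and therefore entity declarations) before a parser ever sees it. The following is an added example, not code from the wubinworks extension or from Magento; the class name, the sample documents and the placeholder file path are all constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not code from the wubinworks extension: a defensive XML
 * loader that refuses any document carrying a DOCTYPE or ENTITY declaration
 * before a parser ever sees it. Every XXE payload needs such a declaration,
 * so rejecting it is a check that holds regardless of which libxml flags a
 * caller passes further down the stack.
 */
final class StrictXmlLoader
{
    /**
     * True when the raw document contains "<!DOCTYPE" or "<!ENTITY" anywhere.
     * Case-insensitive; a UTF-8 BOM or leading whitespace does not matter
     * because the search is not anchored to the start of the string.
     */
    public static function containsDoctype(string $xml): bool
    {
        return preg_match('/<!\s*(?:DOCTYPE|ENTITY)\b/i', $xml) === 1;
    }

    /**
     * Parse untrusted XML into a SimpleXMLElement.
     * - Throws InvalidArgumentException on DOCTYPE/ENTITY or malformed input.
     * - LIBXML_NONET forbids network access during parsing.
     * - LIBXML_NOENT is deliberately not passed, so entities are never expanded.
     */
    public static function load(string $xml): \SimpleXMLElement
    {
        if (self::containsDoctype($xml)) {
            throw new \InvalidArgumentException('DOCTYPE/ENTITY declarations are not allowed');
        }

        $previous = libxml_use_internal_errors(true);
        try {
            $element = simplexml_load_string($xml, \SimpleXMLElement::class, LIBXML_NONET);
            if ($element === false) {
                $messages = array_map(
                    static fn(\LibXMLError $error): string => trim($error->message),
                    libxml_get_errors()
                );
                libxml_clear_errors();
                throw new \InvalidArgumentException('Malformed XML: ' . implode('; ', $messages));
            }
            return $element;
        } finally {
            libxml_use_internal_errors($previous);
        }
    }
}

// Constructed sample documents (not captured from a real request).
$benign = '<?xml version="1.0"?><order><id>1001</id><status>pending</status></order>';
$withDoctype = '<?xml version="1.0"?>'
    . '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    . '<order><id>&ext;</id></order>';

$order = StrictXmlLoader::load($benign);
echo 'parsed benign document, id = ' . (string) $order->id . PHP_EOL;

try {
    StrictXmlLoader::load($withDoctype);
} catch (\InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Legitimate Magento REST/SOAP payloads never need a DOCTYPE, so the same string check can also run at the edge (a web server or WAF rule that rejects request bodies containing `<!DOCTYPE`), and logging each rejection gives a cheap detection signal for exploitation attempts.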
In most hacked servers, we observed one or more of the following:
- Admin-level WebAPI access with a fake token
- Fake orders
- Unknown Admin accounts created
- Backdoors
- Magento core files modified
- PHP scripts that steal sales data
- JavaScript injected into CMS pages to steal credit cards
- And possibly more
If you want to know "How Exactly It Works", we have very detailed blog posts that examine and fix the vulnerability.
The attacker can craft a fake Admin Token using the stolen encryption key. With the fake Admin Token, the attacker is able to perform Admin-level actions such as creating fake orders, modifying CMS blocks to inject malicious JavaScript, and more.
XXEs are now RCEs
As CVE-2024-34102 enables reading arbitrary files on the server, the attacker can now combine it with a bug (CVE-2024-2961) discovered in glibc to run any command on the server. One real case we experienced was that multiple backdoors got downloaded and installed.
The glibc bug exists in glibc version <= 2.39. Check your version with:
`ldd --version | grep -i 'libc'`
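To turn the affected-version list above and the glibc check into something repeatable, here is an added triage helper. It is not code from the wubinworks extension; the class name is made up, the Magento ranges are copied from this README, the glibc bound follows the CVE-2024-2961 note (fixed in 2.40), and the `ldd --version` output it parses is a constructed sample.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not code from the wubinworks extension: a small triage
 * helper that checks a Magento version against the affected ranges listed
 * in this README and a glibc version against the CVE-2024-2961 bound
 * (fixed in glibc 2.40). The sample ldd output below is constructed.
 */
final class CosmicStingTriage
{
    /** Inclusive [lowest, highest] ranges taken from the README's list. */
    private const MAGENTO_AFFECTED = [
        ['2.3.0', '2.4.4-p8'],
        ['2.4.5', '2.4.5-p7'],
        ['2.4.6', '2.4.6-p5'],
        ['2.4.7', '2.4.7'],   // 2.4.7 without a patch level
    ];

    /**
     * version_compare() canonicalises "2.4.6-p3" to "2.4.6.p.3", and "p"
     * ranks above a bare release, so 2.4.6 < 2.4.6-p3 < 2.4.6-p4 < 2.4.7.
     * That ordering is exactly what Magento's -pN patch releases need.
     */
    public static function isMagentoAffected(string $version): bool
    {
        foreach (self::MAGENTO_AFFECTED as [$lowest, $highest]) {
            if (version_compare($version, $lowest, '>=') && version_compare($version, $highest, '<=')) {
                return true;
            }
        }
        return false;
    }

    /** glibc <= 2.39 is affected by CVE-2024-2961; 2.40 carries the fix. */
    public static function isGlibcAffected(string $version): bool
    {
        return version_compare($version, '2.40', '<');
    }

    /**
     * Pull the glibc version out of the first line of `ldd --version`, e.g.
     * "ldd (Ubuntu GLIBC 2.35-0ubuntu3.4) 2.35" or "ldd (GNU libc) 2.39".
     * Returns null when no trailing version number is found (for example on
     * musl-based systems such as Alpine, which are not glibc at all).
     */
    public static function parseGlibcVersion(string $lddOutput): ?string
    {
        $firstLine = strtok($lddOutput, "\n");
        if ($firstLine === false) {
            return null;
        }
        return preg_match('/\b(\d+\.\d+)\s*$/', trim($firstLine), $m) === 1 ? $m[1] : null;
    }
}

// Constructed sample output of `ldd --version` (not captured from a real host).
$sampleLdd = "ldd (Ubuntu GLIBC 2.35-0ubuntu3.4) 2.35\n"
    . "Copyright (C) 2022 Free Software Foundation, Inc.\n";

foreach (['2.3.7-p4', '2.4.4-p8', '2.4.4-p9', '2.4.6-p3', '2.4.7', '2.4.7-p1'] as $magento) {
    printf(
        "Magento %-9s %s\n",
        $magento,
        CosmicStingTriage::isMagentoAffected($magento) ? 'AFFECTED' : 'not affected'
    );
}

$glibc = CosmicStingTriage::parseGlibcVersion($sampleLdd);
printf(
    "glibc %s %s\n",
    $glibc ?? 'unknown',
    $glibc !== null && CosmicStingTriage::isGlibcAffected($glibc) ? 'AFFECTED by CVE-2024-2961' : 'not affected'
);
```

With the sample above, 2.3.7-p4, 2.4.4-p8, 2.4.6-p3 and 2.4.7 report as affected, 2.4.4-p9 and 2.4.7-p1 as not affected, and glibc 2.35 as affected. On a real host, feed it the output of `php -r 'echo shell_exec("ldd --version");'` or simply the version from the `ldd` command above.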
There are 3 ways available:
- Upgrade Magento to an unaffected version (preferably the latest version)
- Apply the official isolated patch
- Install this extension
Note that you still need to fix the "Secondary Disasters" after completing the above step.
Encryption key rotation: this step invalidates crafted fake tokens to completely deny WebAPI access to the attacker. If you are unsure whether the encryption keys have been leaked or not, do this step.
Some Magento 2.4 versions have a bug that requires applying a patch before performing key rotation.
- Alternative Encryption Key Rotation Tool
- New Magento encryption key format
Update glibc to >= 2.40 to fix CVE-2024-2961.
Magento 2.3
Magento 2.4
`composer require wubinworks/module-cosmic-sting-patch`
This extension requires dependencies that are not included in a default Magento installation, so you need to install it with composer.
If you like this extension or this extension helped you, please ★star☆ this repository.
You may also like:
- Magento 2 patch for CVE-2022-24086, CVE-2022-24087
- Magento 2 Disable Customer Change Email Extension
- Magento 2 Disable Customer Extension