Vulnerability Affecting Magento Web E-Commerce Platform Actively Exploited

Number: AL15-005
Date: 24 April 2015

Purpose

The purpose of this alert is to bring attention to a remote code-execution vulnerability in the Community and Enterprise editions of the Magento content management system for e-commerce sites that could lead to financial fraud.

Assessment

CCIRC is aware of open source reporting of active exploitation of the vulnerability. Attackers can bypass security mechanisms and gain control of the e-commerce site and its database, possibly allowing for credit card theft or access to administrative privileges. The vulnerability can also be exploited to change the price a web merchant charges for specific items. Exploitation involves combining several vulnerabilities (CVE-2015-1397, CVE-2015-1398, CVE-2015-1399).

Confirmed vulnerable: 1.9.1.0 CE and 1.14.1.0 EE (latest releases as of this writing)

Magento has released a security patch (SUPEE-5344) to address this issue.

Suggested action

CCIRC recommends prioritization of this patch due to the exposure of these systems to the Internet.

References

Vendor Patch: https://www.magentocommerce.com/products/downloads/magento/
POC Code: http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/
Exploit Code: https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
