ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access

Notice: Monitoring services will be discontinued from March 31st, 2019.

The vulnerability is actually a chain of several vulnerabilities that ultimately allows an unauthenticated attacker to execute PHP code on the web server. The attacker bypasses all security mechanisms and gains control of the store and its complete database, enabling credit card theft or any other administrative access to the system.

This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core and affect any default installation of both the Community and Enterprise Editions. Check Point customers are already protected from exploitation attempts of this vulnerability through the IPS Software Blade.

How did Check Point discover this vulnerability?

Magento-based e-Commerce businesses are advised to apply the designated patch SUPEE-5344 released by Magento. Although Check Point did not witness any exploitation attempts of this vulnerability in the wild, administrators are advised to monitor logs for patterns matching the technical description.

Check Point IPS currently protects against exploitation attempts of this vulnerability.

Vulnerable Versions

Confirmed vulnerable: 1.9.1.0 CE and 1.14.1.0 EE

Synopsis

Magento is a popular eCommerce platform purchased by eBay in 2011. It has two editions:
• A Community Edition, which is open source and contains code contributed by the community.
• An Enterprise Edition, which offers more features as well as customer support and other premium benefits.

We discovered a vulnerability chain that ultimately allows an unauthenticated attacker to execute PHP code on the vulnerable server. The chain consists of several vulnerabilities, which are described further in the technical description.

These vulnerabilities have been assigned CVE-2015-1397, CVE-2015-1398, CVE-2015-1399.

Disclosure Timeline

January 14, 2015 – First contact with Magento Security
January 15, 2015 – Provided complete vulnerability report including suggested fixes
February 9, 2015 – Patch Released by Magento (SUPEE-5344 available here)
April 22, 2015 – Public Disclosure
