Adobe has recently released patches for multiple security vulnerabilities affecting its e-commerce platform Magento. As revealed via Adobe’s advisory, these also include some critical and important severity security flaws. Again, these bug fixes arrive outside of the scheduled monthly updates.
Critical Magento Vulnerabilities Fixed
Reportedly, Adobe has addressed two critical vulnerabilities affecting the Magento Platform. Specifically, these vulnerabilities affected Magento Commerce 2 (formerly known as Magento Enterprise Edition) and Magento Open Source 2 (formerly known as Magento Community Edition).
The first of these (CVE-2020-9689) is a path traversal vulnerability, whereas the second (CVE-2020-9692) is a security mitigation bypass.
Upon exploitation, both vulnerabilities could allow an adversary to execute arbitrary code on the target systems. However, successful exploitation of either bug required the attacker to possess administrative privileges.
Adobe has acknowledged bug bounty hunters Edgar Boda-Majer of Bugscale and Blaklis for reporting these flaws.
Two Important-Severity Flaws Also Addressed
Aside from the two critical bugs, Adobe also addressed two important severity flaws with the update.
The first of these, CVE-2020-9690, is an Observable Timing Discrepancy flaw. Mitre describes this flaw as,
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
In security-relevant contexts, even small variations in timing can be exploited by attackers to indirectly infer certain details about the product’s internal operations. For example, in some cryptographic algorithms, attackers can use timing differences to infer certain properties about a private key, making the key easier to guess. Timing discrepancies effectively form a timing side channel.
To exploit this vulnerability, an attacker must possess admin privileges. Then, upon exploitation, the flaw could lead to a signature verification bypass.
The other vulnerability (CVE-2020-9691) was a DOM-based cross-site scripting (XSS) flaw that could lead to arbitrary code execution. Exploiting this flaw required no authentication at the attacker’s end. Hence, it was trivial to exploit.
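The class of flaw Mitre describes, as an added example that is not Magento's code (the page does not describe the affected code path): an early-exit comparison of a signature does work that depends on how many leading bytes match, while a constant-work comparison does not. The key, message and function names are constructed for illustration, and bytes examined stands in for elapsed time.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample value, not from any real system

def sign(message):
    """HMAC-SHA256 tag for message (32 bytes)."""
    return hmac.new(KEY, message, hashlib.sha256).digest()

def leaky_equal(a, b):
    """Early-exit compare. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:  # stops at the first mismatch: work depends on secret data
            return False, examined
    return True, examined

def constant_work_equal(a, b):
    """Examines every byte and accumulates differences. Same return shape."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y  # no branch on the data, so no early exit
    return diff == 0, examined

def work_profile(compare, message, positions=(0, 8, 16, 31)):
    """Bytes examined when a candidate tag's first wrong byte is at each position."""
    good = sign(message)
    profile = []
    for k in positions:
        candidate = good[:k] + bytes([good[k] ^ 0xFF]) + good[k + 1:]
        profile.append(compare(good, candidate)[1])
    return profile

def verify(message, tag):
    """Production check: use the library's constant-time comparison."""
    return hmac.compare_digest(sign(message), tag)

if __name__ == "__main__":
    print("early-exit   :", work_profile(leaky_equal, b"order=1001"))
    print("constant work:", work_profile(constant_work_equal, b"order=1001"))
```

In real code, call `hmac.compare_digest` (or the platform's equivalent) rather than a hand-written loop; the two loops here exist only to make the difference in work visible.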
For reporting these flaws (CVE-2020-9690 and CVE-2020-9691), Adobe credited Wasin Sae-ngow and Linus Särud respectively.
All four vulnerabilities affected Magento Commerce 2 versions 2.3.5-p1 and earlier, and Magento Open Source 2 versions 2.3.5-p1 and earlier.
Adobe subsequently patched the four bugs with the release of Magento Commerce 2 and Magento Open Source 2 versions 2.4.0 and 2.3.5-p2.
Users should thus ensure that they have the latest versions in place to avoid any potential exploitation.
Last week, Adobe also released an out-of-band update addressing multiple vulnerabilities in Photoshop.