Review of the history of this SUPEE Magento vulnerability
SUPEE-5344 and SUPEE-1533 vulnerabilities were discovered (but not divulged, as far as 5344 is concerned) in February, 2015. The 5344 vulnerability, more recent, reveals an issue in a function of Magento’s Wysiwyg editor, allowing to bypass the authentication and to execute code or SQL requests. Thus, pirates can create, for instance, a new user account and use it to install modules and extensions giving them a large control over the victim’s website.
The technical details of this vulnerability have only recently been officially communicated. However, the vulnerability was already in circulation in the security field. You will find on the “Checkpoint” page a good summary of how it works.
Today, the attack has been mechanised by pirates, who use botnets to exploit it automatically. The obvious consequences are that the unpatched websites are being compromised, one after the other. It is VITAL to apply the patch as soon as possible.
E-Commerce: security first!
NBS System is one of the main actors in the French Magento community. To this day, the company hosts more that 60% of the “Magento Enterprise” stock, and 15% of the “CE” stock in France. It allows the company to have an unbiased outlook on Magento’s activity.
Following the discovery of the SUPEE-5344 vulnerability, NBS System launched a communication to all of its Magento-based clients. Its goal? To inform the websites about the risks related to this vulnerability and to ask them to apply the patch offered by Magento as soon as possible. Despite the jeopardy the flaw represents, very few sites set up the aforementionned patch; because of a lack of time/feasability or even by lack of awareness of the risks. As far as NBS System is concerned, only a few tens of sites applied the patch.
At hosting companies which do not have advanced security devices/measures, the vulnerability is exploitable. A victim website can consider itself to be completely compromised (backdoor) and, a minima, to have lost its clients and orders databases.
At NBS System, within the Magento clients stock having chosen a standard hosting service (non secured by the private Cloud CerberHost), almost 3% of the websites were identified as compromised, and this figure raises.
The CerberHost offer natively blocks the process allowing pirates to bypass the authentication. Clients having chosen this very high security Cloud device were thus not compromised. However, few among them took the time to apply the patch (they probably feel serene enough with CerberHost’s protection). It is however important for ALL websites to set up this update.
How can I protect myself?
To correct this vulnerability, you must apply the patch that you can find on Magento’s downlod page. If your website is compomised, you must delete the created user account (if there is one) and the additional extentions that were installed. Changing all the passwords will also allow you to set out again on a sane basis! Unfortunately, your data has probably already been stolen, it is too late to change that.
Then, you must re-do the compilation with the “Magento Compiler”, otherwise the website has a risk of not being properly patched.
Besides, if the core was overloaded, it is also possible that the patch won’t correct the vulnerability, and that you will have to install it by hand. You will find more information here.
NBS System’s clients can get assistance from the Support to carry out some operations, and from our security think tank (SECOPS) to try and minimize the damage on compromised websites.