In this release we deploy a preliminary new version of our Web Application Firewall (WAF). It blocks known attacks, as seen in the wild, against a selection of the vulnerable Magento 1 extensions disclosed in this blog post by Willem de Groot, security researcher and ex-Byte founder.
The extensions in question all suffer from a vulnerability of the same type as the one that the SUPEE-8788 patch fixed in the Magento core in 2016. For a refresher on that specific SUPEE, see this excellent in-depth blog by Max Chadwick. While the Magento core was patched promptly, not every third-party module vendor has followed suit.
Many modules still pass unsanitized, unvalidated request data to PHP's unserialize() instead of moving to a safe format such as JSON (json_decode()). Attackers have since found ways to exploit this PHP Object Injection in these third-party extensions. Given the media attention these vulnerabilities have been getting, we wanted to address the problem at the server level where possible.
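To make the difference concrete, here is an added illustration of the vulnerable pattern next to two hardened forms. This is example code written for this post, not code from any of the extensions in Willem's article; the LogWriter class, its properties and the handler names are hypothetical.

```php
<?php
// Added illustration for this post; not code from any extension named in Willem's article.
// The LogWriter class, its properties and the handler names are hypothetical.

// Stand-in for a "gadget": a class with a magic method (__destruct here; __wakeup and
// __toString are other common ones) that acts on its own properties. If unserialize()
// runs on attacker-controlled input, the attacker gets to instantiate this class with
// properties of their choosing and PHP calls the magic method for them.
class LogWriter
{
    public $file = '/tmp/app.log';
    public $line = '';

    public function __destruct()
    {
        // A real gadget would do something like file_put_contents($this->file, $this->line),
        // which with attacker-chosen values writes a PHP file into the webroot.
    }
}

// VULNERABLE: the request value goes straight into unserialize().
function vulnerableHandler($raw)
{
    return unserialize($raw);
}

// HARDENED (preferred): stop accepting PHP serialization from clients altogether.
// json_decode() can only produce scalars, arrays and stdClass, never application objects.
function hardenedJsonHandler($raw)
{
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// HARDENED (fallback, PHP 7.0 and later): if the wire format cannot change yet, refuse
// every class. An O:...: token then yields __PHP_Incomplete_Class, whose magic methods
// never run, so no gadget is triggered.
function hardenedUnserializeHandler($raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// What a probe looks like on the wire. It is built with serialize() here so the string
// lengths come out right; an attacker simply sends this text as the parameter value.
$gadget = new LogWriter();
$gadget->file = '/var/www/html/shell.php';
$gadget->line = '<?php system($_GET["c"]); ?>';
$probe = serialize($gadget);
unset($gadget);
echo $probe, "\n";

// The vulnerable handler hands back a live LogWriter built from attacker data; the
// hardened handlers return null and a __PHP_Incomplete_Class instance respectively.
echo get_class(vulnerableHandler($probe)), "\n";
var_dump(hardenedJsonHandler($probe));
echo get_class(hardenedUnserializeHandler($probe)), "\n";
```

The JSON route is the real fix: it changes the wire format so no class can ever be instantiated from client input. The allowed_classes option is only a stopgap for modules that cannot change their format yet, and it requires PHP 7.0 or later; on older PHP versions the second argument is silently not supported.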
As of today, Hypernode blocks one of the three probe variants we have seen. In one variant the serialized payload is Base64 encoded and passed as a GET parameter; in another it is passed as a plain, HTML-encoded string; in the third the payload is in the body of a POST request. Which variant is used depends on the module and endpoint being targeted.
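As an added example of the kind of check a server-level filter runs, the script below normalizes a request value under each of the three encodings and looks for the serialized-object signature. It is a simplified stand-in written for this post, not Hypernode's WAF rule set, and it covers all three variants rather than the one shipped in this release. The parameter names and sample requests are constructed; treating the "plain HTML encoded" variant as entity or percent encoding is an assumption.

```php
<?php
// Added example of the kind of signature check a server-level filter can run on a request.
// It is a simplified stand-in written for this post, not Hypernode's actual WAF rule set,
// and it covers all three probe variants described above. Parameter names and the sample
// requests are constructed for the illustration.

// A serialized PHP object starts with O:<len>:"<Class>":<count>:{ (or C:...:{ for classes
// implementing Serializable). This is the token a probe must carry in some encoding.
const PHP_OBJECT_PATTERN = '/[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

// Return the name of the decoding under which $value contains a serialized PHP object,
// or null when none does. Order: as-is, Base64, then HTML entity / percent decoded.
function serializedObjectEncoding($value)
{
    $candidates = [
        'raw'    => $value,
        // variant 1: Base64 as a GET parameter. Strict mode returns false on non-Base64 input.
        'base64' => base64_decode($value, true),
        // variant 2: the "plain" string, which may arrive entity- or percent-encoded (assumption)
        'html'   => html_entity_decode(urldecode($value), ENT_QUOTES),
    ];
    foreach ($candidates as $name => $decoded) {
        if ($decoded !== false && preg_match(PHP_OBJECT_PATTERN, $decoded)) {
            return $name;
        }
    }
    return null;
}

// Inspect every GET parameter, then the raw POST body (variant 3).
// Returns a list of findings; an empty list means the request passes.
function inspectRequest(array $query, $body)
{
    $findings = [];
    foreach ($query as $key => $value) {
        $enc = serializedObjectEncoding($value);
        if ($enc !== null) {
            $findings[] = "GET parameter {$key} ({$enc})";
        }
    }
    if ($body !== '') {
        $enc = serializedObjectEncoding($body);
        if ($enc !== null) {
            $findings[] = "POST body ({$enc})";
        }
    }
    return $findings;
}

// Constructed sample requests: one per variant, plus a benign request that must pass.
$probe = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';
$samples = [
    'base64 GET'  => [['data' => base64_encode($probe)], ''],
    'encoded GET' => [['data' => rawurlencode($probe)], ''],
    'POST body'   => [[], $probe],
    'benign'      => [['q' => 'O:ring of fire'], '{"cmd":"id"}'],
];
foreach ($samples as $label => $sample) {
    list($query, $body) = $sample;
    $findings = inspectRequest($query, $body);
    printf("%-12s %s\n", $label, $findings ? 'BLOCK: ' . implode(', ', $findings) : 'pass');
}
```

Run with the PHP CLI, the three constructed probes are flagged and the benign request passes. A signature check of this kind is a probe-level filter: it stops the encodings it knows about, but an attacker can wrap the payload in an encoding the filter does not normalize, which is why the unserialize() call in the module itself still has to be fixed.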
We will first update the nodes we have identified as being in the risk group for this vulnerability; all other nodes will receive the update gradually over the course of the coming week. WAF rules for the other variants will follow soon. In addition, MageReport checks are being developed for those modules where the vulnerability can be detected from the outside; we will post an update as soon as they are ready.
While Hypernode aims to block "low-hanging fruit" attacks at the server level, it remains important to patch or update your modules. If you use any of the affected modules, please take the time to read Willem's article for available updates and fixes, or urge your extension vendor to provide one if none exists yet.