Critical SQL Injection Vulnerability in Magento Exposes Sites to Skimming Attacks

Delaware, USA – March 29, 2019 – Magento has released the update this week patching a critical vulnerability in the platform. It is not known whether it was used for attacks in the wild, but cybercriminal groups who compromise commercial sites to install skimmers will not leave SQL injection vulnerability unheeded. Magento CMS is used on more than a quarter of all websites on the Internet, and the vulnerability, called PRODSECBUG-2198, allows attackers to gain admin access to the site by stealing the logins and password hashes of users with a necessary access level. Shortly after the release of the update, researchers at Sucuri reverse-engineered it and created working PoC exploit to study the possible impact. According to them, the exploitation of PRODSECBUG-2198 can be automated to conduct widespread attacks, so it is necessary to install the update as soon as possible. To investigate if your website has been attacked, you can check the access_log file for multiple hits to ‘catalog/product/frontend_action_synchronize’. Multiple hits from a single IP may indicate a successful compromise and the need to change passwords.

Even though so far no confirmed attacks are using this vulnerability, MageCart groups most likely won’t miss the opportunity to install skimmers on several hundreds or even thousands of online shopping sites using the vulnerable version of Magento. To uncover compromise or unauthorized access attempts, you can use the Web Application Security Framework rule pack: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight

UPDATE!
Onilab, an official Magento development partner, has published a detailed article describing the March 2019 updates and how to install them: https://onilab.com/blog/magento-march-2019-update-sql-injection-fixes-highlights/
The latest Magento updates fix 37 security issues, and it is essential to install them as soon as possible.