Flash Notice: [CVE-2021-24086] Critical RCE Bug in Adobe Commerce, Magento

Overview of CVE-2021-24086

On February 18, 2022, Adobe released a patch for CVE-2021-24086 that fixes an RCE bug in the Magento Open Source and Adobe Commerce platforms. The zero-day vulnerability was under active attack last weekend, resulting in Adobe releasing an emergency patch. Discovered by Eboda and Blaklis, CVE-2021-24086 is an arbitrary code execution vulnerability.  

This week, researchers at Positive Technologies bypassed the patch for CVE-2021-24086 and reproduced the exploit. The new exploit, now tracked as CVE-2022-24087, is an elevation of privilege vulnerability in the Azure IoT CLI extension.  

If an attacker is successful, he could deploy malicious code on a website and attain un-authenticated admin-level privileges. CVE-2022-2487 has a rating of 9.8 on the CVSS vulnerability-scoring system and unlike CVE-2022-24086 (which has limited attacks), has not been exploited in the wild. In Adobe’s update, the company stated that they are aware of the vulnerability, and they’ve released an update for these versions of Adobe Commerce and Magento Open Source:  

• 2.3.3-p1 - 2.3.7-p2  
• 2.4.0 - 2.4.3-p1. 

Although Positive Technologies was able to successfully reproduce CVE-2021-24086, they have yet to share proof-of-concept (PoC) for the exploit with the public. There is a user guide for directions on how to manually install the update, which can be found on the company’s website.  

The Positive Technologies team stated that a web application firewall (WAF) won’t help defend against attacks due to the various ways one can leverage the RCE bug. This kind of issue is extremely useful for threat actors looking to skim data from online stores (credit cards).  

How Avertium is Protecting Our Customers:

• Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack. 
  
• Avertium’s XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions. 
  
• We offer EDR endpoint protection through SentinelOne, Sophos, and Microsoft Defender.  

• • SentinelOne prevents threats and extends protection from the endpoint to beyond. Find threats and eliminate blind spots with autonomous, real time, index-free threat ingestion and analysis that supports structured, unstructured, and semi-structured data.  

• Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that  wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it's an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.  

Avertium's recommendations

To resolve this vulnerability, Adobe recommends the following patches for CVE-2021-24087:  

• MDVA-43395 (must be applied first) 
• MDVA-43443 (must be applied on top of the first patch) 

INDICATOR'S OF COMPROMISE (IOCS):

At this time, there are no known IoCs. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.   

references

Security updates available for Adobe Commerce APSB22-12 – Adobe Commerce Help Center (magento.com) 

Adobe Security Bulletin 

Researchers Made a Working Exploit For Adobe's Magento Vulnerability (techdator.net) 

Related Reading:

BlackCat Ransomware and Triple Extortion

Contact us for more information about Avertium’s managed security service capabilities.