CVE-2024-34102 (a.k.a. CosmicSting): How to Defend

How do you fix CVE-2024-34102, a CVSS 9.8 (Critical) vulnerability that can lead to RCE? Upgrading Magento to a version greater than 2.4.7-p1 is the best solution, but sometimes that cannot be done within a few days, and your store may be hacked before the official patch is applied. The biggest concern our consultees raise is the cost of upgrading Magento to the newest version.

In the previous blog post, we described how CVE-2024-34102 is exploited. In this post, we provide a simple way to close this security hole.

The Simple Way

As you can see, \Magento\Framework\Simplexml\Element inherits its constructor from PHP's built-in SimpleXMLElement, which is unsafe because it accepts dangerous input parameters.

The implementation of our fix is extremely simple. Just add a "preference" for the \Magento\Framework\Simplexml\Element class and override its constructor:

/**
 * This code has a limitation, please read below.
 *
 * @link https://github.com/wubinworks/magento2-cosmic-sting-patch/blob/8a95fb819a0109ed434d14b29c4ad0d552d5501c/Framework/Simplexml/Element.php
 * @version 1.0.0
 */
public function __construct(
    string $data,
    int $options = 0,
    bool $dataIsURL = false,
    string $namespaceOrPrefix = '',
    bool $isPrefix = false
) {
    // Reject any input that declares an ENTITY before it reaches the XML parser
    // (XmlSecurity is the patch's own helper class, see the link above).
    if (XmlSecurity::hasEntity($data)) {
        throw new \Laminas\Xml\Exception\InvalidArgumentException(
            'Input XML string should not contain ENTITY.'
        );
    }
    // Force $dataIsURL to false so $data is never treated as a path or URL.
    parent::__construct(
        $data,
        $options,
        false,
        $namespaceOrPrefix,
        $isPrefix
    );
}

The Logic

  1. Check whether the input string $data is malicious (i.e., contains an ENTITY declaration).
     The safest and most effective way is to use this utility.
     If you want to know more, also read this blog post.
  2. The third parameter $dataIsURL is also dangerous, so we force it to false.
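As an added, stand-alone example (not code from this post or from the wubinworks module), the same two rules applied to a plain SimpleXMLElement subclass so they can be exercised with the PHP 8 CLI; SafeXmlElement and hasEntityDeclaration() are this example's own stand-ins for the module's preference class and XmlSecurity::hasEntity(). Going slightly beyond the post, the check also rejects a DOCTYPE, and the parser options are hardened against entity substitution and network access.

```php
<?php
// Added example, not code from the original post or the wubinworks module.
// SafeXmlElement and hasEntityDeclaration() are this example's own names.
libxml_use_internal_errors(true); // keep libxml warnings out of the output

// Stand-in for XmlSecurity::hasEntity(): true if the input carries a DOCTYPE or
// ENTITY declaration, the only place an XML entity can be defined.
function hasEntityDeclaration(string $xml): bool
{
    return (bool) preg_match('/<!\s*(DOCTYPE|ENTITY)\b/i', $xml);
}

class SafeXmlElement extends SimpleXMLElement
{
    public function __construct(
        string $data,
        int $options = 0,
        bool $dataIsURL = false,
        string $namespaceOrPrefix = '',
        bool $isPrefix = false
    ) {
        // Rule 1: reject entity-bearing input before the parser ever sees it.
        if (hasEntityDeclaration($data)) {
            throw new InvalidArgumentException('Input XML string should not contain ENTITY.');
        }
        // Extra hardening beyond the post: never substitute entities, never touch the network.
        $options = ($options & ~LIBXML_NOENT) | LIBXML_NONET;
        // Rule 2: $dataIsURL is ignored and forced to false, so $data is only ever an XML string.
        parent::__construct($data, $options, false, $namespaceOrPrefix, $isPrefix);
    }
}

// Reports what happened for one input; used with the constructed samples below.
function tryParse(string $data, bool $dataIsURL = false): string
{
    try {
        $element = new SafeXmlElement($data, 0, $dataIsURL);
        return 'parsed root <' . $element->getName() . '>';
    } catch (InvalidArgumentException $e) {
        return 'rejected: ' . $e->getMessage();
    } catch (Exception $e) {
        return 'parse error: ' . $e->getMessage();
    }
}

// Constructed samples: a benign document, one with a harmless internal entity, and a filename passed with $dataIsURL = true.
echo tryParse('<root><item>ok</item></root>'), PHP_EOL;
echo tryParse('<!DOCTYPE r [<!ENTITY greeting "hi">]><r>&greeting;</r>'), PHP_EOL;
echo tryParse('/tmp/not-read.xml', true), PHP_EOL; // treated as XML text, never opened as a file
```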

To Install Our Patch

Read the instructions here or on GitHub.

The Simple Way's Limitation and Resolution

The Simple Way requires PHP >= 8.

As you may have already noticed, before PHP 8 the SimpleXMLElement::__construct method is declared final, so it cannot be overridden.

This issue has already been solved in v1.2.0.

If you are using PHP 7, install by running:

composer require 'wubinworks/module-cosmic-sting-patch:^1.2'

Note that v1.2.0 is compatible with both PHP 7 and PHP 8.
