Local Storage seems to be disabled in your browser.
For the best experience on our site, be sure to turn on Local Storage in your browser.
Magento 2 CVE-2024-34102 Cosmic Sting Patch
An alternative solution(as a Magento 2 extension) to fix the XXE vulnerability CVE-2024-34102(aka Cosmic Sting). If you cannot upgrade Magento or cannot apply the official patch, try this one.
Magento 2 Patch for CVE-2024-34102(aka Cosmic Sting)
An alternative solution(as a Magento 2 extension) to fix the XXE vulnerability CVE-2024-34102(aka Cosmic Sting). If you cannot upgrade Magento or cannot apply the official patch, try this one.
If you don't fix this vulnerability, the attacker can RCE. We've already observed real world attacks.
CVE-2024-34102 Affected Magento Versions(starting from 2.3)
2.3.0 ~ 2.4.4-p8
2.4.5 ~ 2.4.5-p7
2.4.6 ~ 2.4.6-p5
2.4.7
Background
CVE-2024-34102(aka Cosmic Sting) was identified as XXE vulnerability and the details were published on June 2024. By exploiting this vulnerability, the attacker can read secret and important configuration files on the server.
Typically, the attacker will extract encryption keys in env.php
.
In most hacked servers, we observed one or multiple of the followings:
- Admin level WebAPI access with fake token
- Fake orders
- Unknown Admin accounts created
- Backdoors
- Magento core files modified
- PHP script that steals sales data
- Inject malicious Javascript to CMS pages to steal credit cards
- And maybe more
If you want to know "How Exactly It Works", we have very detailed blog posts that examine and fix the vulnerability.
Secondary Disasters(Very Important)
Fake Admin Token
The attacker can craft fake Admin Token by using the stolen encryption key. With the fake Admin Token, the attacker is able to perform Admin level actions such as creating fake orders, modifying CMS Block to inject malicious Javascript and more.
Chained with CVE-2024-2961
XXEs are now RCEs.
As CVE-2024-34102 enables the ability to read arbitrary file on the server, the attacker can now combine it with a bug(CVE-2024-2961) discovered in glibc
to run any command on the server. One real case we experienced was that multiple backdoors got downloaded and installed.
The glibc
bug exists in glibc
version <= 2.3.9
Check glibc
version by running
ldd --version | grep -i 'libc'
How to fix?
Fix the Main Vulnerability CVE-2024-34102
There are 3 Ways Available:
- Upgrade Magento to an unaffected version(preferably the latest version)
- Apply official isolated patch
- Install this extension
Note you still need to fix "Secondary Disasters" after completing the above step.
Rotate Encryption Key
This step invalidates crafted fake tokens to completely deny WebAPI access from attacker.
If you are unsure whether encryption keys are leaked or not, do this step.
Additional Info
Some Magento 2.4 versions have a bug that you need to apply a patch before performing key rotation.
Alternative Encryption Key Rotation Tool
New Magento encryption key format
Fix glibc
Bug(Strongly Recommended)
Update glibc
to >= 2.40 to fix CVE-2024-2961.
Don't forget to reboot server.
Feature
This extension
- Fixes CVE-2024-34102(Can PASS the Official Security Scan Tool)
- Version 1.2.0 new feature: Who Attacked My Site
For those who are interested in the attacker, check Logging section.
Logging
Enable Logging
By default, logging is disabled for performance consideration. To enable, open a local module and merge the following to etc/di.xml
.
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
<type name="Wubinworks\CosmicStingPatch\Plugin\Framework\Webapi\ServiceInputProcessor">
<arguments>
<argument name="loggerConfig" xsi:type="array">
<item name="ip" xsi:type="array">
<item name="enabled" xsi:type="boolean">true</item>
</item>
</argument>
</arguments>
</type>
</config>
Log Location
<magento_root>/var/log/wubinworks_cve-2024-34102.log
Incorrect IP Address?
If you got incorrect IP such as 127.0.0.1
, empty string or a CDN's IP, this means your web server, middleware, and/or proxy server have incorrect settings. There is no way to tell the real IP address without fixing those incorrect settings.
Requirements
Magento 2.3 or 2.4
PHP Version Compatibility
Version 1.0.0 and 1.1.0 support PHP 8 only
Version 1.2.0(re-designed) supports PHP 7 and PHP 8
Installation
Latest:
composer require wubinworks/module-cosmic-sting-patch
Installation Tips:
- Version 1.0.0 and 1.1.0 must be installed via
composer
- Version 1.2.0 can be installed via
composer
or directly toapp/code
♥
If you like this extension or this extension helped you, please ★star☆ this repository.
You may also like:
Magento 2 Patch for CVE-2022-24086, CVE-2022-24087
Magento 2 Enhanced XML Security
Magento 2 Encryption Key Manager CLI
Magento 2 JWT Authentication Patch
Magento 2 Disable Customer Change Email Extension
Magento 2 Disable Customer Extension
Extension Support
We provide:
- Installation/Upgrade
- Configuration
- Add custom feature
- Resolve conflict
- And more
For service details, please refer to Magento Technical Support Service.
Note we require credentials that have privilege to access your Admin Panel, code base and restart services. We can also use git.
Source Code
https://github.com/wubinworks/magento2-cosmic-sting-patch
100% FREE and 100% Open Code. No registration required.
Installation
composer require wubinworks/module-cosmic-sting-patch
License
- OSL-3.0 License