Researchers found two security vulnerabilities affecting the Magento database plugin MAGMI. These flaws could allow remote code execution attacks.
MAGMI Magento Plugin Vulnerabilities
The cybersecurity firm Tenable has disclosed details about two vulnerabilities affecting the MAGMI Magento plugin. Though the vulnerabilities were different, exploiting the two could lead to the same results – remote code execution attacks.
This flaw exists because the GET and POST endpoints for MAGMI don’t implement CSRF protection, such as random CSRF tokens. An attacker could exploit this vulnerability to perform a CSRF attack by tricking a Magento Administrator into clicking on a link while they are authenticated to MAGMI.
Consequently, exploiting the flaw allows an attacker to hijack admin sessions and execute arbitrary codes on servers hosting MAGMI.
Whereas, the second vulnerability, CVE-2020-5777, existed because of a fallback mechanism. It allowed using default credentials in case of database connection failure. Thus, an attacker could easily exploit this flaw by deliberately failing the database connection, such as, via DoS attacks.
However, successful exploitation of this vulnerability required certain conditions. As elaborated by Tenable,
A remote attacker can trigger this connection failure if the Mysql setting max_connections (default 151) is lower than Apache (or another web server) setting MaxRequestWorkers (formerly MaxClients) (default 256). This can be done by sending at least 151 simultaneous requests to the Magento website to trigger a “Too many connections” error, then use default magmi:magmi basic authentication to remotely bypass authentication.
Again, exploiting this bug allowed remote code execution on servers hosting MAGMI.
The researchers have also shared proof-of-concept for both bugs on their GitHub page.
Patch Released, But For One Bug Only
According to the timeline shared in Tenable’s advisory, they disclosed the vulnerabilities to MAGMI developers in June 2020.
Following their report, MAGMI fixed the bug, CVE-2020-5777, with the release of MAGMI 0.7.24. As stated, they removed default authentication and forced admin logins.
However, the other bug, CVE-2020-5776 has still not received a fix (until the time of writing this article). Therefore, the users, despite updating their Magento sites, will remain vulnerable to potential attacks.
Hence, the researchers advise users to consider uninstalling or disabling the plugin until a thorough fix is available.