Magento SUPEE-10975 Patch Assessment

This post is meant to inform you about the security updates released for all existing versions of Magento 1. These updates include 19 security fixes; the majority are listed as “Medium” severity, but there are a number of “High” severity and two “Critical” issues as well. The two critical fixes stop attackers from brute-forcing their way into the admin panel through the RSS feeds' basic authentication, and remove the functionality that allowed customer credit card information to be stored in the database.

Several of the “High” and “Medium” issues prevent Remote Code Execution (RCE) in admin areas such as customer imports, CMS pages, video upload, API calls, and dataflows. Many others correct Cross-Site Scripting (XSS) opportunities available with admin access in the Newsletter template settings, CMS previews with version history, image uploads, and even the Google Analytics configuration. Cross-Site Request Forgery (CSRF) fixes address customer group deletion and Site Map deletion triggered via GET requests, the associated privilege escalation, and mass deletion of Blocks.

The remaining patch items include an Enterprise Edition fix for several templates in which website, store and store group names were output unescaped, hardening of the customer wishlist module against spamming, and the option to enable CAPTCHA on the “Send to a Friend” feature to stop bots from exhausting mailer quotas.

The 1.x updates also include low-severity items, such as an outdated jQuery version that caused PCI scans to fail and admin panels being reachable from outside an IP whitelist.

Some of the vulnerabilities below also apply to Magento 2.x, but we will detail those in a separate post.


Severity Assessment

This patch should be deployed on an expedited basis. While most of these vulnerabilities require at least limited Admin access, some of the most severe and high-risk ones can be exploited by anonymous users. The vulnerabilities addressed by the patch/upgrade are present on production websites, and their public disclosure puts unpatched or outdated sites at risk. Details for each entry are below.
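As an added example (not code from the original post), here is a defender-side check for the anonymous brute-force attempts that PRODSECBUG-1589 addresses: it scans web-server access logs for repeated HTTP 401 responses on the RSS feed paths from a single source. It assumes the combined log format and that the admin feeds live under /rss/ as in a stock Magento 1 install; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), path, int(status)

def rss_auth_failures(log_text, window=timedelta(minutes=5), threshold=10):
    """Return {ip: peak} for sources whose 401s on /rss/ paths reach `threshold`
    inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2].startswith("/rss/") and rec[3] == 401:
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop timestamps that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample traffic (not real logs): one source hammering the order
# feed with bad credentials, one legitimate reader, one failed login off /rss/.
LINE = '{ip} - - [28/Nov/2018:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" {code} 0'
SAMPLE_LOG = "\n".join(
    [LINE.format(ip="203.0.113.7", s=i, path="/rss/order/new", code=401) for i in range(12)]
    + [LINE.format(ip="198.51.100.4", s=30, path="/rss/catalog/notifystock", code=200),
       LINE.format(ip="198.51.100.4", s=31, path="/rss/order/new", code=401),
       LINE.format(ip="192.0.2.9", s=40, path="/admin/", code=401)])

if __name__ == "__main__":
    print(rss_auth_failures(SAMPLE_LOG))  # {'203.0.113.7': 12}
```

On a patched store the same query is still useful, since the rate limit only slows the guessing and does not tell you who is trying.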


| Vulnerability Code | Description | CVSSv3 Score (Severity) | Versions Affected |
|---|---|---|---|
| PRODSECBUG-1589 | Stops Brute Force Requests via basic RSS authentication | 9.0 (Critical) | 1.9.3.x, 1.14.3.x |
| MAG-23 | M1 Credit Card Storage Capability | 9.0 (Critical) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2149 | Authenticated RCE using customer import | 8.5 (High) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2159 | API Based RCE Vulnerability | 8.5 (High) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2156 | RCE Via Unauthorized Upload | 8.5 (High) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2155 | Authenticated RCE using dataflow | 8.5 (High) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2053 | Prevents XSS in Newsletter Template | 6.5 (Medium) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2142 | XSS in CMS Preview | 6.5 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-1860 | Admin Account XSS Attack Cessation via Filename | 6.5 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2119 | EE Patch to include names in templates | 6.5 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2129 | XSS in Google Analytics Vulnerability | 6.5 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2019 | Merchant Wishlist Security Strengthening | 5.3 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2104 | Send to a Friend Vulnerability | 5.3 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2125 | CSRF on deletion of Blocks Vulnerability | 4.2 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2088 | CSRF Vulnerability related to Customer Group Deletion | 4.2 (Medium) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2140 | CSRF on deletion of Site Map | 4.2 (Medium) | 1.9.3.x, 1.14.3.x |
| PRODSECBUG-2108 | Outdated jQuery causing PCI scanning failures | 0.0 (None) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| MAG-12, MAG-2 | Encryption Keys Stored in Plain Text | 0.0 (None) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2141 | Unauthorized Admin Panel Bypass | 0.0 (None) | 1.9.3.x, 1.14.3.x |


Affected Versions

All websites running Magento 1.9.3.x versions below 1.9.4.0, and all websites running Magento 1.14.3.x versions below 1.14.4.0 are affected.
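As an added example (not part of the original post), a small check a practitioner can run to decide whether a store still needs this patch: it compares the reported version against the fix releases named above and looks for SUPEE-10975 in app/etc/applied.patches.list, the file the Magento 1 patch scripts append to. The file layout and the REVERTED marker are assumptions, and the sample list is constructed with placeholder hashes and paths.

```python
# Release lines named in the post and the first release of each that carries
# the fix: 1.9.4.0 for Magento Open Source, 1.14.4.0 for Magento Commerce.
FIXED_IN = {(1, 9): (1, 9, 4, 0), (1, 14): (1, 14, 4, 0)}
PATCH_ID = "SUPEE-10975"

def parse_version(text):
    """'1.9.3.10' -> (1, 9, 3, 10); three-part strings such as '2.2.6' are padded."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Magento version string: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def is_vulnerable_version(version):
    """True when the install is on the 1.9 or 1.14 line and predates the fix release."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed

def patch_applied(applied_patches_text, patch_id=PATCH_ID):
    """Scan the contents of app/etc/applied.patches.list for `patch_id`.

    Assumed layout: one entry per line, ' | '-separated, patch name in the
    second field; a later entry for the same patch containing REVERTED undoes it.
    """
    applied = False
    for line in applied_patches_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 2 and fields[1] == patch_id:
            applied = "REVERTED" not in line
    return applied

def needs_patch(version, applied_patches_text):
    """The store is exposed if its version is affected and the patch is not applied."""
    return is_vulnerable_version(version) and not patch_applied(applied_patches_text)

# Constructed sample of the patch list; hashes and file paths are placeholders.
SAMPLE_PATCH_LIST = """\
2018-10-05 12:00:00 UTC | SUPEE-OTHER | CE_1.9.3.10 | v1 | hash-placeholder | Fri Oct 5 | placeholder/path/a.php
2018-11-29 09:15:00 UTC | SUPEE-10975 | CE_1.9.3.10 | v1 | hash-placeholder | Thu Nov 29 | placeholder/path/b.php
"""

if __name__ == "__main__":
    for ver in ("1.9.3.10", "1.9.4.0", "1.14.3.10", "2.2.6"):
        print(ver, "needs patch:", needs_patch(ver, SAMPLE_PATCH_LIST))
```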


Known Issues

The Magento community has identified a few issues with the latest 1.x patch. They are as follows:

  • When secret keys are enabled, customer groups can no longer be deleted from the admin panel, because a return statement is missing in the new Mage_Adminhtml_Block_Customer_Group_Edit::getDeleteUrl() method.
  • Disabling the Magento_Sendfriend module will now result in an exception unless the Magento_Captcha module is disabled first.
  • Template changes for the new Magento_Sendfriend CAPTCHA capability were made only in the rwd/default theme package, not in base/default. If your theme falls back to base/default or uses it directly, CAPTCHA will not be available without modifying those template files.


Related Links

Release Notes: MOS1.9.4.0, MC1.14.4.0

Security Update: SUPEE-10975

Known Issues: Magento SX Thread