On April 28th 2020, Adobe released what could very well be the last security patch for Magento 1 as the platform approaches retirement this summer. SUPEE-11314 included a number of security updates, however this patch also brought a serious security vulnerability to the party. If you have applied this patch to your client sites, but have yet to apply version 2 (released two weeks later on May 12th 2020) then I strongly suggest you stop reading and head over to https://magento.com/tech-resources/download, roll back SUPEE-11314 and apply version 2 ASAP.
SUPEE-11314 includes an upgrade to the password hash, carried out behind the scenes when you log in to your Magento admin. On a successful login, your password is rehashed and updated in the admin_users database table. You may have noticed you had to log in to your admin twice after applying the patch, but apart from that, the password update is pretty inconspicuous.
A few days after applying SUPEE-11314, I noticed a number of strange looking entries in my admin_users table. I found an issue and posted a fix on the Magento Stack Exchange. The potential of this issue went over my head until it was pointed out by another Stack Exchange user Russ Wilde – the password will be updated even if a login attempt was unsuccessful. To put that another way, someone could change an admin password by simply attempting to log in with a valid username.
All an attacker would need to know is the admin URL and a valid admin username to carry out the exploit. I was able to test this following 2 simple steps:
1. Attempt to log in to the Magento admin using a valid username and bogus password, eg, password123. Entry will be denied, however…
2. Log in using the same username and the same bogus password, password123.
While the first attempt failed, the password was updated in the process, allowing me to successfully login on my second attempt.
The window of opportunity for this exploit is quite narrow. Along with the admin URL and a valid username, an attacker will only be able carry out the attack after SUPEE-11314 has been applied and before an admin user legitimately logs in. That said, many sites have dormant unused admin accounts which make ideal targets for this exploit.
If you upgraded to the latest version of Magento instead of running the patch then you have nothing to worry about, this vulnerability is not present in 18.104.22.168.
How can I tell if I have been compromised?
If you are unable to log in to your Magento admin is is possible that your account has been compromised as a result of this vulnerability. A password reset will get you back in but if some someone has gained entry it is likely the damage has been done. I would recommend that you check your admin users, make sure there are no odd looking accounts and change all of your usernames and passwords then speak to a security expert.
It is also possible to spot unsuccessful attacks by examining your admin_user table. I noticed a number failed attempts indicated by random entries in my admin_users table. It turns out one of my sites was actively being targeted by an (unsuccessful) brute force attack. If you notice similar entries in your admin table then I would suggest changing your admin URL as its identification is one of the first pieces of the puzzle for potential attacks.
Adobe / Magento haven’t publicised anything on this issue (other than quietly releasing an updated patch) so I suspect that there might be a number of sites yet to be patched with the latest version. I have contacted Magento about this vulnerability but they have yet to comment on this issue.
Ciaron is a Magento Developer and long term Nimbus Client @ M60 Digital.