Adobe Commerce (formerly Magento) is a leader in e-commerce solutions, powering thousands of online stores worldwide. In early June 2024, security researchers uncovered a serious flaw affecting Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. This vulnerability, tracked as CVE-2024-34102, is an Improper Restriction of XML External Entity Reference (XXE) vulnerability. In simple terms, this bug allows attackers to abuse the way Adobe Commerce processes XML files, potentially letting hackers execute their own code on your web server – without any user interaction.
This long-read post breaks down what this CVE means, demonstrates how it works using code snippets, details the exploitation steps, explains mitigation, and provides references for further reading.
What Is XXE and Why Does It Matter?
XML External Entity (XXE) is a class of security bugs that occur when software parses XML input without properly restricting external entities. Attackers can craft malicious XML files that, when processed, can:
- In the case of CVE-2024-34102, achieve arbitrary code execution
Such attacks are possible when XML processors are configured to allow external references – opening the door for serious breaches.
Impacted Adobe Commerce Versions
According to Adobe's Security Bulletin:
- Adobe Commerce 2.4.7 and earlier
- Adobe Commerce 2.4.6-p5 and earlier
- Adobe Commerce 2.4.5-p7 and earlier
- Adobe Commerce 2.4.4-p8 and earlier
*If you run any of these versions, you are at risk!*
How Does CVE-2024-34102 Work?
Attackers leverage this XXE flaw by sending a specially crafted XML document to the Adobe Commerce application. If the server's XML parsing is improperly configured (the core issue in these vulnerable versions), the parser will process dangerous external entities. This can lead to:
- Reading arbitrary files via file:// URIs
- Executing arbitrary code in the worst-case scenario
No user clicks or interaction is needed. Just sending the XML is enough.
Example Code: The Heart of the Attack
Below is a typical malicious XML payload targeting XXE vulnerabilities. This example tries to read the server’s /etc/passwd file (classic UNIX example):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
```
When Adobe Commerce’s vulnerable XML parser processes this, it will replace &xxe; with the contents of /etc/passwd – sending that sensitive file back to the attacker (for example, in the application’s response, an error message, or a file download).
Towards Code Execution
In advanced scenarios, attackers may combine XXE with other flaws, such as log poisoning or local file inclusion, to achieve remote code execution. For instance, writing to a web root or leveraging PHP wrappers could allow execution of attacker-supplied PHP code.
Step-by-Step Example
Disclaimer: For educational purposes only. Do not attempt on networks or systems you do not own.
Find a Target Endpoint:
In Adobe Commerce, this could be the product import/export, some custom API, or any XML-accepting endpoint.
```bash
curl -X POST https://victim.com/admin/importEndpoint \
  -H 'Content-Type: application/xml'
```
Steal Sensitive Files:
The response or some exported/downloaded file may now include sensitive server information.
Escalate:
If file read is successful, skilled attackers may target credentials (app/etc/env.php), private keys, or escalate to code execution.
References and Further Reading
- Adobe Security Bulletin APSB24-36
- NIST National Vulnerability Database: CVE-2024-34102
- OWASP XXE Cheat Sheet
- PHP’s XML Vulnerabilities
Upgrade Immediately:
Adobe has released patches. See Adobe’s download page.
Disable External Entities:
If you have custom XML handling, ensure you disable entity loading in your PHP/XML configuration. Example with PHP’s libxml:
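An added example, not code from this post or from Adobe Commerce, showing the vulnerable parse pattern next to a hardened one using PHP's libxml-backed DOMDocument; the sample payload, which points at a harmless file, and the function names are constructed for illustration:

```php
<?php
declare(strict_types=1);
// Constructed sample (not from the post): same shape as the payload above,
// but pointing at a harmless file so the demo is safe to run locally.
const UNTRUSTED_XML = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<foo>&xxe;</foo>
XML;

// UNSAFE pattern: LIBXML_NOENT asks libxml to substitute entities, and on PHP < 8.0
// the external entity loader is on by default, so &xxe; becomes the file's contents.
function parseXmlUnsafe(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return $dom->documentElement->textContent;
}

// Hardened pattern: reject any DTD up front, never pass LIBXML_NOENT or
// LIBXML_DTDLOAD, forbid network fetches, and switch the loader off on old PHP.
function parseXmlSafe(string $xml): DOMDocument
{
    if (PHP_VERSION_ID < 80000) {
        // Deprecated since 8.0, where external loading is already off by default.
        libxml_disable_entity_loader(true);
    }
    // Entities can only be declared inside a DTD; untrusted input never needs one.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $loaded = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    // Belt and braces: a DOCTYPE that slipped past the regex still shows up here.
    if ($loaded === false || $dom->doctype !== null) {
        throw new InvalidArgumentException('Rejected XML: ' . count($errors) . ' parser error(s)');
    }
    return $dom;
}

try {
    parseXmlSafe(UNTRUSTED_XML);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```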
In Summary
CVE-2024-34102 is a highly dangerous vulnerability in popular Adobe Commerce versions. It enables attackers to run code on your server, steal data, or compromise your store with nothing more than a crafted XML document – and no user help. This flaw is trivial to exploit with the right endpoint. Merchants and developers should patch immediately!
If you found this helpful, or want to learn more about e-commerce security, follow the references and always keep your software up-to-date.
Timeline
Published on: 06/13/2024 09:15:10 UTC
Last modified on: 07/18/2024 03:55:18 UTC