CVE-2020-15244 : Exploit Details and Defense Strategies

Learn about CVE-2020-15244, a remote code execution vulnerability in OpenMage Magento LTS in which an authenticated admin user can trigger RCE via PHP Object Injection. Find out the impacted versions, the mitigation steps, and the long-term practices that prevent this class of bug.

In Magento LTS (the openmage/magento-lts Composer package) before versions 19.4.8 and 20.0.4, an admin user can generate SOAP API credentials that can then be used to trigger remote code execution via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.

Understanding CVE-2020-15244

This CVE is an authenticated remote code execution (RCE) vulnerability in OpenMage Magento LTS. It does not give an anonymous visitor code execution; it lets someone who already holds (or can obtain) admin access on the store run arbitrary PHP on the web server.

What is CVE-2020-15244?

CVE-2020-15244 is a PHP Object Injection vulnerability in Magento LTS. An admin user can create SOAP API credentials and, using them, supply product attribute and product data that the application later passes to PHP's unserialize(). Because unserialize() instantiates whatever classes the serialized string names, the attacker can reach code paths that execute arbitrary commands.

The Impact of CVE-2020-15244

The vulnerability has a CVSS base score of 8.0 (High), with high impact on the confidentiality, integrity, and availability of the affected store. The prerequisite is admin-level access, so in practice this is a privilege-escalation path: it turns control of the Magento admin panel (whether legitimate, phished, or obtained through weak credentials) into control of the PHP process, and from there the database, customer data, and payment flows the store handles.

Technical Details of CVE-2020-15244

This section provides detailed technical information about the CVE.

Vulnerability Description

Magento LTS versions prior to 19.4.8 (19.4 branch) and 20.0.4 (20.0 branch) deserialize data that an admin can control. An admin user generates SOAP API credentials, and SOAP API calls made with those credentials can place attacker-controlled serialized PHP data into product attribute and product records. When that data is unserialized, the attacker chooses which classes are instantiated and which property values they receive, which is the definition of PHP Object Injection.

Affected Systems and Versions

        Product: Magento LTS (Composer package openmage/magento-lts)
        Vendor: OpenMage
        Versions Affected: every release before 19.4.8, and 20.0.0 through 20.0.3 (fixed in 20.0.4)

Exploitation Mechanism

The RCE is triggered through product attributes and a product. The general mechanism of PHP Object Injection is as follows: the application stores or receives a string and calls unserialize() on it; the serialized format lets the string name an arbitrary class (for example O:11:"CacheWriter":...) together with arbitrary property values; PHP instantiates that class and later invokes its magic methods, such as __wakeup() when the object is created and __destruct() when it is freed. The attacker does not need to upload code: they only need some class already present in the application (a "gadget") whose magic method does something dangerous with attacker-controlled properties, such as writing a file, including a path, or invoking a callable. Chaining such gadgets yields arbitrary code execution inside the web server's PHP process. Here, admin-generated SOAP credentials are the way the attacker gets their serialized payload into product data that the store later unserializes.
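The following is an added illustration of the PHP Object Injection pattern described above; it is not OpenMage or Magento code, and the CacheWriter class, the loadAttribute* functions, and the payload are constructed for the example. It shows a minimal gadget, a vulnerable unserialize() sink that fires it, and two hardened sinks that do not.

```php
<?php
// Added illustration of PHP Object Injection; this is NOT OpenMage/Magento
// code. CacheWriter stands in for any class already present in the
// application whose magic method has a dangerous side effect.
class CacheWriter
{
    public $path;
    public $contents;

    public function __destruct()
    {
        // Runs automatically when the object is freed, with whatever
        // property values the deserialized data supplied.
        file_put_contents($this->path, $this->contents);
    }
}

// Constructed attacker payload. The attacker never needs to instantiate
// the class: unserialize() does that from the string. It is built as a
// literal so that no CacheWriter object (and no __destruct) exists yet.
$path = sys_get_temp_dir() . '/poi_demo.php';
$code = '<?php system($_GET["c"]); ?>'; // what a real gadget would drop
$payload = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
    strlen($path), $path, strlen($code), $code
);

// VULNERABLE sink: any class named in the string is instantiated and its
// __wakeup()/__destruct() run with the web server's privileges.
function loadAttributeVulnerable(string $stored)
{
    return unserialize($stored);
}

// HARDENED sink 1: keep unserialize() but forbid every class. Objects in
// the input become __PHP_Incomplete_Class, which has no gadget methods.
function loadAttributeHardened(string $stored)
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// HARDENED sink 2: do not store untrusted structured data with PHP
// serialization at all; JSON cannot name classes.
function loadAttributeJson(string $stored)
{
    return json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
}

// The returned CacheWriter is discarded immediately, so __destruct() runs
// and the file named in the payload is written.
loadAttributeVulnerable($payload);
echo file_exists($path) ? "vulnerable sink: gadget fired\n"
                        : "vulnerable sink: no file written\n";
@unlink($path);

// With allowed_classes => false the same payload yields an inert
// __PHP_Incomplete_Class; freeing it runs no user code.
$v = loadAttributeHardened($payload);
echo get_class($v) === '__PHP_Incomplete_Class'
    ? "hardened sink: class not instantiated\n"
    : "hardened sink: unexpected object\n";
unset($v);
echo file_exists($path) ? "hardened sink: gadget fired\n"
                        : "hardened sink: nothing executed\n";
```

The fix that matters is at the sink: either the data never reaches unserialize() (use json_decode() for structured values), or unserialize() is called with allowed_classes set to false or to an explicit whitelist of plain data classes. Validating the input by regex or escaping does not help, because the dangerous part of the payload is a legitimate, well-formed serialized object.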

Mitigation and Prevention

Protect your systems from CVE-2020-15244 with the following measures.

Immediate Steps to Take

        Update Magento LTS to 19.4.8 or later on the 19.4 branch, or 20.0.4 or later on the 20.0 branch; these releases contain the fix.
        Review and revoke SOAP API users and roles that are not needed, rotate the credentials of the ones that are, and check admin and API user lists for accounts you did not create.
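As an added example (not part of the original page or the OpenMage project), this script encodes the affected-version logic above so an operator can check an installation without reasoning about the two branches by hand. It assumes Magento LTS is installed as a Composer dependency and that the composer.lock path passed in is correct; both are assumptions of the example.

```php
<?php
// Added example (not OpenMage code): decide whether an installed
// openmage/magento-lts version is in the CVE-2020-15244 affected ranges.
// Affected: every release < 19.4.8, and 20.0.0 <= version < 20.0.4.
// Note that 19.4.8+ is fixed even though it is numerically below 20.0.0,
// so the two branches must be checked separately.
function isAffectedByCve202015244(string $version): bool
{
    $v = ltrim($version, 'v');
    if (version_compare($v, '20.0.0', '>=')) {
        return version_compare($v, '20.0.4', '<');   // 20.0 branch
    }
    return version_compare($v, '19.4.8', '<');       // 19.4 branch
}

// Read the installed version from composer.lock. Assumption: Magento LTS
// is a Composer dependency of the project, so it appears under "packages".
function installedMagentoLtsVersion(string $lockFile): ?string
{
    $json = file_get_contents($lockFile);
    if ($json === false) {
        throw new RuntimeException("cannot read $lockFile");
    }
    $lock = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'openmage/magento-lts') {
            return $pkg['version'] ?? null;
        }
    }
    return null; // not installed via Composer, or not present
}

// Self-check against versions around both fix boundaries.
foreach (['19.4.7', '19.4.8', '19.4.9', '20.0.0', '20.0.3', '20.0.4'] as $v) {
    printf("%-8s %s\n", $v, isAffectedByCve202015244($v) ? 'AFFECTED' : 'fixed');
}

// Real check, if a lock file path is given on the command line.
if (isset($argv[1])) {
    $installed = installedMagentoLtsVersion($argv[1]);
    if ($installed === null) {
        echo "openmage/magento-lts not found in {$argv[1]}\n";
    } else {
        printf("installed %s: %s\n", $installed,
            isAffectedByCve202015244($installed) ? 'AFFECTED, upgrade' : 'fixed');
    }
}
```

Run it as php check.php /path/to/composer.lock. If the store was installed from a tarball or git checkout rather than through Composer, take the version from the installation itself instead and feed it to isAffectedByCve202015244() directly.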

Long-Term Security Practices

        Never pass untrusted or admin-editable data to unserialize(). Store structured values as JSON, or call unserialize() with the allowed_classes option set to false or to a strict whitelist, so that no attacker-chosen class can be instantiated.
        Regularly audit admin accounts, SOAP API users, and their roles; keep the number of admin users small and treat every admin and API credential as equivalent to code execution on the store.

Patching and Updates

        Follow the OpenMage security advisories and release notes for Magento LTS and apply patch releases promptly; this issue was fixed in point releases (19.4.8 and 20.0.4), so a regular upgrade cadence would have closed it without a special effort.
