The eCommerce world is facing a new and dangerous threat—Magento 2 Cosmic Sting, a critical vulnerability impacting Magento and Adobe Commerce stores worldwide. This flaw, which has already affected 75% of Magento websites, is potentially devastating, allowing attackers to gain unauthorized access to sensitive customer data, install malware, and disrupt online operations.
At Scommerce Mage, we’ve already taken proactive measures to protect our clients from this vulnerability, but it’s crucial that Magento store owners everywhere understand the threat and implement a fix immediately.
How Does the Cosmic Sting Vulnerability Work?
The Magento 2 Cosmic Sting exploit takes advantage of flaws in the way Magento handles encryption. Specifically, attackers are able to obtain the Magento encryption key, a critical piece of data used to secure sensitive information in your store. With access to this key, attackers can:
- Access and manipulate your store’s APIs: This allows them to modify key components of your site. For example, they can inject malicious scripts into any block on your site, including checkout pages, product pages, or user login areas, compromising the security of customer data.
- Decrypt sensitive information: If attackers can access your encryption key, they can potentially decrypt sensitive data stored within the database, including customer information, payment data, and other confidential information.
- Execute arbitrary code: With full access, attackers can execute arbitrary code on your server, leading to a complete compromise of your store’s security.
This vulnerability affects a wide range of Magento and Adobe Commerce installations, and immediate action is needed to prevent exploitation.
Who Is At Risk?
According to research, 75% of Magento and Adobe Commerce stores are vulnerable to Cosmic Sting. Whether your store is running Magento 2 or Adobe Commerce Cloud, it’s highly likely that this flaw could affect you if action isn’t taken immediately.
The vulnerability has already been observed in widespread attacks, with major online stores reporting incidents of data theft, transaction fraud, and service disruptions. If your store is handling sensitive payment information, you are a prime target for these cybercriminals.
Why is the Magento Encryption Key So Important?
The Magento encryption key is a critical part of your store’s security architecture. Magento uses this key to encrypt sensitive data, such as customer details, order information, and stored payment methods. It also secures API connections between your store and third-party services, ensuring that data transfers are safe from interception.
If an attacker gains access to this key, they effectively have the “master key” to your store’s most sensitive data and can manipulate your site’s functionality. In the case of Magento 2 Cosmic Sting, attackers can use the key to:
- Inject malicious scripts into your site: They can update HTML blocks with harmful code, such as Magecart-style skimmers, which steal payment data directly from checkout pages.
- Modify APIs and steal data: Attackers can access your APIs and siphon off sensitive data, including customer information, order details, and even payment data.
Steps to Fix the Cosmic Sting Vulnerability
Protecting your Magento store from the Cosmic Sting vulnerability requires taking the following steps:
1. Update Magento to the Latest Version
Adobe has released a critical security patch to address CVE-2024-34102, the vulnerability exploited by Cosmic Sting. The patch is part of the security update APSB24-40, which includes fixes specifically targeting the flaw related to the encryption key.
To protect your store, you should:
- Upgrade to the latest version of Magento: This ensures that all known vulnerabilities are patched and latest security updates are installed. This vulnerability has been patched in Magento 2.4.7-p3 However, after upgrading to the latest version step 3 is still recommended to secure the store i.e to rotate the encryption key.
2. Install the Security Patch for CVE-2024-34102
If you are unable to immediately upgrade Magento to the latest version, Adobe has issued a standalone patch for the Cosmic Sting vulnerability. This patch focuses specifically on fixing the flaw that allows attackers to gain access to the encryption key.
- Download and apply the patch: The patch is available here. Follow the instructions carefully or work with an experienced Magento developer to ensure it is installed correctly.
3. Rotate Your Magento Encryption Key
Once you’ve applied the security patch, the most crucial step is rotating your Magento encryption key. This step is necessary because, if your encryption key has already been compromised, simply applying the patch won’t be enough. Rotating the key will invalidate any access attackers may have gained using the old key. Here’s how to properly rotate your Magento encryption key:
Why Rotating the Magento Encryption Key is Critical?
Rotating your encryption key ensures that any attacker who may have obtained your old key can no longer use it to access your store’s sensitive data or manipulate API functions. This is a crucial step in fully securing your store after applying the patch. When you rotate the encryption key, Magento generates a new key and re-encrypts all sensitive data using this new key.
Steps to Rotate Your Magento Encryption Key
- Backup Your Data: Before rotating the encryption key, create a full backup of your Magento store, including the database and all files. This ensures that you can recover your store if anything goes wrong during the key rotation process.
- Navigate to the Encryption Key Settings:
- In your Magento Admin Panel, log in and navigate to Stores > Configuration > Advanced > System.
- Scroll down to the Encryption Key section.
- Generate a New Encryption Key:
- Click on Change Encryption Key.
- You can either let Magento generate a new encryption key automatically or manually input your own key. We recommend letting Magento generate the key to ensure it meets security standards.
- Save the New Key: Once the new encryption key is generated, save it in a secure location. Magento will not store the encryption key itself, and you will need it to restore your site in the future if needed.
- Re-encrypt Data: Magento will automatically re-encrypt sensitive data using the new encryption key. This may take some time, depending on the size of your database. Monitor the process to ensure it completes successfully.
- You can check the env.php file, the new key should be added with the old key comma separated:-
<?php
return array (
'backend' =>
array (
'frontName' => 'admin',
),
'crypt' =>
array (
'key' => '9af38453afda96c7862c7d10eb493ba4
base64234565980749385ioufisdufsdjl='
),
'session' =>
array (
'save' => 'files',
),
'db' =>
array (
'table_prefix' => '',
.....
Important: You can change the encryption key via command line as well however in this case the data doesn’t get re-encrypted automatically hence, it is recommended to generate new encryption key via Magento admin.
bin/magento encryption:key:change
Once this process is complete, the attackers will no longer have access to your store’s encrypted data or APIs, even if they previously obtained the encryption key through the Cosmic Sting exploit.
Test Your Store After Patching Magento 2 for the Cosmic Sting Vulnerability
After applying the patches for the Cosmic Sting vulnerability and rotating your Magento 2 encryption key, thorough testing is crucial to ensure the stability and functionality of your online store. While checking core Magento features is essential, don’t overlook the potential impact on integrated systems. A comprehensive testing strategy should include the following:
Core Magento Functionality:
- Checkout Process: Thoroughly test the entire checkout flow, from adding products to the cart to completing the order. Verify different payment methods, shipping options, and coupon usage. Ensure order confirmation emails are sent correctly and contain accurate information.
- Customer Accounts: Test customer registration, login, password reset, account information updates, order history, and wishlist functionality.
- Admin Panel: Verify access to all admin sections and functionalities. Ensure proper functioning of order management, product management, customer management, and reporting features.
- API Integrations: Test all API endpoints, paying close attention to data integrity and security. Verify both REST and SOAP APIs.
Third-Party Integrations:
This is a critical aspect often overlooked. Cosmic Sting and the subsequent key rotation can significantly impact how your store interacts with external systems.
- Payment Methods: Test all active payment gateways (e.g., PayPal, Stripe, Klarna, Braintree, Authorize.net). Verify successful transaction processing, refunds, and voiding transactions. Check for any error messages or discrepancies in payment information.
- ERP Systems: Ensure seamless data synchronization between Magento and your ERP system. Verify order data, inventory levels, customer information, and product data are accurately exchanged. Test both inbound and outbound data flows.
- CRM Systems: Check the synchronization of customer data, including contact information, order history, and loyalty program data. Ensure proper segmentation and personalized marketing functionalities are working as expected.
- POS Systems: If you utilize a POS system integrated with Magento, test order placement, inventory updates, and customer data synchronization. Verify real-time data exchange and consistency between online and offline sales channels.
- Shipping Integrations: Test integrations with shipping providers (e.g., FedEx, UPS, USPS). Verify accurate calculation of shipping rates, generation of shipping labels, and tracking information updates. Ensure seamless order fulfillment processes.
- Marketing Automation Platforms: Test integrations with email marketing platforms, marketing automation tools, and analytics platforms. Verify data tracking, campaign execution, and reporting accuracy.
- Other Extensions and Customizations: Test all installed extensions and custom modules. Pay attention to any functionalities that interact with sensitive data or rely on encryption.
Security Scan:
- After applying the patch and completing all tests, conduct a thorough security scan using a reputable vulnerability scanner to ensure no new vulnerabilities have been introduced and that the Cosmic Sting vulnerability has been successfully mitigated.
By meticulously testing these areas, you can confidently ensure your Magento 2 store is fully functional, secure, and performing optimally after addressing the Cosmic Sting vulnerability. Remember that thorough testing is a critical step in maintaining the integrity and security of your online business.
Why You Need to Act Now
The Cosmic Sting vulnerability is already being actively exploited by cybercriminals. If your Magento store is vulnerable, the consequences of inaction could be catastrophic. Data breaches, financial losses, downtime, and damage to your reputation are all very real risks.
By acting quickly, you can prevent attackers from exploiting this flaw and protect the integrity of your eCommerce business. We understand the urgency of the situation and are ready to help you secure your store without delay.
Additional Security Measures to Protect Your Magento Store
While applying the patch and rotating your encryption key are critical steps, they should be part of a broader security strategy to protect your Magento store. Here are additional measures you can take to enhance your store’s security:
1. Enable Two-Factor Authentication (2FA)
Enable Two-Factor Authentication for all admin users to add an extra layer of security. This helps protect against unauthorized access, even if an attacker manages to steal admin credentials.
2. Use a Web Application Firewall (WAF)
A Web Application Firewall can help block malicious traffic before it reaches your Magento store. It can also help protect against SQL injection, cross-site scripting (XSS), and other common attacks that could exploit vulnerabilities in your store.
3. Regularly Monitor Your Store for Suspicious Activity
Implement a real-time monitoring system to detect unusual behavior, such as unauthorized changes to code, unexpected API calls, or abnormal traffic spikes. Tools like Magento Security Scan or third-party services can provide continuous monitoring.
4. Review API Permissions
Ensure that your APIs are properly configured and secured. Restrict access to sensitive APIs and regularly review permissions to ensure that no unnecessary privileges are granted to users or third-party services.
5. Keep Magento and Extensions Up to Date
Always keep your Magento installation and any third-party extensions up to date with the latest security patches. Many vulnerabilities, including Cosmic Sting, can be mitigated by simply staying on top of updates and patches.
How Scommerce Mage Can Help?
At Scommerce Mage, we take the security of our clients’ Magento stores seriously. The Magento 2 Cosmic Sting vulnerability is a critical issue that requires immediate attention. We are here to help with every step of the process. Here’s how we can assist:
- Vulnerability Assessment: We can quickly assess whether your store is vulnerable to Cosmic Sting and other security threats.
- Patch Installation: Our team will apply the latest security patches, including the one for CVE-2024-34102, to ensure your store is protected.
- Encryption Key Rotation: We’ll handle the encryption key rotation process to ensure it’s done correctly and without disruption to your operations.
- Ongoing Security Monitoring: We offer various extensions for continuous security monitoring services to detect and prevent future attacks.
- Custom Security Solutions: From 2FA to firewall configuration, we can implement additional security measures tailored
You can check our Security Patch Installation Service where we will take care of everything for you:-