I’ve been sitting on this post and the POC for CosmicSting (CVE-2024-34102) for a little while, to give stores time to patch the vulnerability. Chances are that if you still have not applied the patch, your store has already been probed and compromised, since there are a handful of POCs out in the wild.
So I highly encourage you to make sure the patch is applied (it’s simple, a single-file diff), and to download and run a malware scanner such as Ecomscan by SanSec (it’s free, although it won’t tell you the location of the infections). Because this vulnerability allowed attackers to exfiltrate any file on the server that the user running PHP could read, including app/etc/env.php, you should assume the application key (crypt.key) in that file has been leaked and rotate it: the key is what the store uses to issue API tokens, so an attacker holding a copy can keep creating valid tokens even after the patch is applied. The same goes for any other secrets kept in env.php, such as the database credentials.
Now, on to checking whether your store is vulnerable. Over on GitHub at SamJUK/cosmicsting-validator I’ve released the POC we used, alongside a bash script to easily check across all the domains you host. After piping in our exported DNS records we caught a few instances we had missed (publicly available demo stores and development sites).
Alongside the above, I’ve also released a validator over at https://cosmicsting.samdjames.uk/
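The validator above tests stores from the outside. When you also have shell access to the hosts, a quick host-side complement is to look for the guard that the official fix (the diff in the next section) adds to ServiceInputProcessor.php, across every Magento root you deploy. The script below is an added example and not the author's validator; the file path and the two guard strings come from the diff, and the root directories, exit codes and the status words are my own choices. It only proves the vendor file on disk was edited, not that the running release or any separately built artifact was, so use it alongside the remote check rather than instead of it.

```shell
#!/bin/sh
# Added example (not the author's validator): host-side check for the CosmicSting
# (CVE-2024-34102) fix in each Magento root given on the command line. It looks for
# the guard the official diff inserts into ServiceInputProcessor.php. The path and
# guard text are taken from that diff; the status words and exit codes are assumptions.

TARGET='vendor/magento/framework/Webapi/ServiceInputProcessor.php'
GUARD_XML='is_subclass_of($className, \SimpleXMLElement::class)'
GUARD_DOM='is_subclass_of($className, \DOMElement::class)'

# cosmicsting_status ROOT
#   prints one of:  patched | unpatched | missing
#   returns:        0       | 1         | 2
# "missing" means the file is not where a Magento 2 install keeps it: a wrong root,
# a release symlink that was not followed, or simply no Magento at that path.
cosmicsting_status() {
  file="$1/$TARGET"
  if [ ! -f "$file" ]; then
    printf 'missing\n'
    return 2
  fi
  # -F matches the literal text, so the $ and \ in the guard are not regex syntax.
  if grep -qF "$GUARD_XML" "$file" && grep -qF "$GUARD_DOM" "$file"; then
    printf 'patched\n'
    return 0
  fi
  printf 'unpatched\n'
  return 1
}

# Usage: sh cosmicsting-check.sh /var/www/store-a/current /var/www/store-b/current ...
# Exits non-zero if any root is unpatched or missing, so it can gate a deploy step.
if [ "$#" -gt 0 ]; then
  rc=0
  for root in "$@"; do
    printf '%s: ' "$root"
    cosmicsting_status "$root" || rc=1
  done
  exit "$rc"
fi
```

Run it with the release directories of every store on the box, not the shared code checkout: a patched checkout that has not been redeployed still leaves a vulnerable copy serving traffic.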
How do I patch CosmicSting (CVE-2024-34102)?
That is fairly simple and can be accomplished by applying the following diff. You can even apply it directly on the server with the patch tool by running patch -p1 < /the/path/to/the/patch.diff from the Magento root (the paths in the diff are relative to it, so -p1 only strips the a/ and b/ prefixes). Typically, though, we would apply it with cweagans/composer-patches, so the change is reapplied whenever composer reinstalls the magento/framework package instead of being silently overwritten.
diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
index cd7960409e1..df31058ff32 100644
--- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php
+++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
@@ -278,6 +278,12 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface, ResetAf
// convert to string directly to avoid situations when $className is object
// which implements __toString method like \ReflectionObject
$className = (string) $className;
+ if (is_subclass_of($className, \SimpleXMLElement::class)
+ || is_subclass_of($className, \DOMElement::class)) {
+ throw new SerializationException(
+ new Phrase('Invalid data type')
+ );
+ }
$class = new ClassReflection($className);
if (is_subclass_of($className, self::EXTENSION_ATTRIBUTES_TYPE)) {
$className = substr($className, 0, -strlen('Interface'));
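Review bot: is_subclass_of() returns false when $className names \SimpleXMLElement or \DOMElement itself rather than a subclass, so the guard on `+ if (is_subclass_of($className, \SimpleXMLElement::class)` / `+ || is_subclass_of($className, \DOMElement::class))` only rejects descendants and would let a request resolving to exactly one of those two base classes continue into `$class = new ClassReflection($className);`. Using is_a($className, \SimpleXMLElement::class, true) (and the same for \DOMElement) covers the class and its subclasses in one call; whether the bare base classes are reachable from the API type map is not visible in this hunk, so treat this as tightening the check rather than as a confirmed bypass. A one-line comment above the guard saying why XML-backed types are refused here would also help, since 'Invalid data type' on its own tells the next maintainer nothing about the reason.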