Magento SUPEE-9652

Magento have released a patch for the APPSEC-1746 – Remote Code Execution using mail vulnerability. While this has been known about for a while and was easy to mitigate, they have only just released a patch for it.


The workaround is below:

A new vulnerability has been found in a Zend Framework 1 and 2 email component. The component is used by all Magento 1 and Magento 2 software and other PHP solutions. This vulnerability is serious and can lead to a remote code execution attack if your server uses Sendmail as a mail transport agent.

To protect your site from this vulnerability, you should immediately check your mail sending settings. Go to the system settings used to control the “Reply to” address for emails sent from your Magento store:

  • Magento 1: System > Configuration > Advanced > System > Mail Sending Settings > Set Return-Path
  • Magento 2: Stores > Configuration > Advanced > System > Mail Sending Settings > Set Return-Path

If “Set Return-Path” is set to “Yes,” and your server uses Sendmail, then your store is vulnerable to this exploit. Enterprise Cloud Edition customers do not need to worry about this issue. We’ve already checked your configuration and you are not at risk.

While we have not yet observed attacks using this vulnerability, the risk is very high. Until patches are available, we strongly recommend that you turn off the “Set Return-Path” setting (switch to “No”), regardless of the transport agent used. Magento is currently working to provide patches to close this vulnerability and we expect they will be available in the next several weeks.
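The check and the workaround described above can also be done against the configuration table directly, which catches values stored at any scope. This is an added example, not code from Magento or from the original post. It assumes the setting is stored under the path `system/smtp/set_return_path` in an unprefixed `core_config_data` table, and it uses an in-memory SQLite database with constructed rows as a stand-in for the store's MySQL database.

```python
import sqlite3

# Assumed config path behind the "Set Return-Path" admin field.
PATH = "system/smtp/set_return_path"


def load_sample():
    """Build constructed rows standing in for a store's core_config_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY,"
        " scope TEXT, scope_id INTEGER, path TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO core_config_data (scope, scope_id, path, value)"
        " VALUES (?, ?, ?, ?)",
        [
            ("default", 0, PATH, "0"),                   # No
            ("websites", 2, PATH, "1"),                  # Yes (constructed override)
            ("stores", 5, PATH, "1"),                    # Yes (constructed override)
            ("default", 0, "system/smtp/disable", "0"),  # unrelated setting
        ],
    )
    return conn


def audit(conn):
    """Return (scope, scope_id, value) wherever the setting is not 'No'."""
    cur = conn.execute(
        "SELECT scope, scope_id, value FROM core_config_data"
        " WHERE path = ? AND value IS NOT NULL AND value NOT IN ('0', '')"
        " ORDER BY scope, scope_id",
        (PATH,),
    )
    return cur.fetchall()


def remediate(conn):
    """Switch the setting to 'No' in every scope; return the rows changed."""
    cur = conn.execute(
        "UPDATE core_config_data SET value = '0'"
        " WHERE path = ? AND value IS NOT NULL AND value NOT IN ('0', '')",
        (PATH,),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = load_sample()
    for scope, scope_id, value in audit(db):
        print(f"Set Return-Path enabled: scope={scope} id={scope_id} value={value}")
    print("rows switched to No:", remediate(db))
    print("still enabled:", audit(db))
```

After changing the value directly in the database, flush Magento's configuration cache so the store picks up the new setting.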


Patch

SUPEE-9652, Enterprise Edition 1.14.3.2 and Community Edition 1.9.3.2 address the Zend library vulnerability described below.

Information on all the changes in 1.14.3.2 and 1.9.3.2 releases is available in the Enterprise Edition and Community Edition release notes.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.3.1: SUPEE-9652 or upgrade to Enterprise Edition 1.14.3.2
  • Community Edition 1.5.0.1-1.9.3.1: SUPEE-9652 or upgrade to Community Edition 1.9.3.2

To download a patch or release, choose from the following options:

Partners:

  • Enterprise Edition 1.14.3.2: Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.2
  • SUPEE-9652: Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2017

Enterprise Edition Merchants:

  • Enterprise Edition 1.14.3.2: My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.2
  • SUPEE-9652: My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2017

Community Edition Merchants:

  • Community Edition 1.9.3.2: Community Edition Download Page > Release Archive Tab
  • SUPEE-9652: Community Edition Download Page > Release Archive Tab > Magento Community Edition Patches – 1.x Section
