# Security Advisory ARA-2020-006: Disclosure of Amazon Secret Access Key

## Affected Product(s) and Environment(s)

Product: [Amazon Pay](https://store.shopware.com/en/besti53880044858f/amazon-pay-alexa-ready.html) <= 9.4.1 by best it eCommerce solutions, confirmed in Shopware version 5.6.8

Environments: All host environments

Additional Plugins: [Bundles of Shopware](https://store.shopware.com/swagbundle/bundle.html), version 7.2.1

## Security Risk

Severity: High

CVSS v3: 9.3

## Impact

* Confidentiality: High
* Integrity: High
* Availability: None

## Exploitability

* Access Vector: Network
* Access Complexity: Low
* Privileges Required: None
* User Interaction: Required

## Scope

Scope: Changed

## Weakness Classification

[CWE-200](https://cwe.mitre.org/data/definitions/200.html)

## Remediation Level

Sensitive information about the Amazon Pay configuration should be kept secret. This information should not be attached to actions which are not relevant for this plugin.

## Timeline

* 2020-09-09: Discovery of vulnerability
* 2020-09-14: Vendor notification
* 2020-09-25: Vendor reports fix of vulnerability to aramido; fix could be verified
* 2020-09-25: Vendor releases new version of the plugin (9.4.2)
* 2020-10-29: Vendor asks for rescheduling the public disclosure
* 2020-11-04: Preliminary CVE assignment by MITRE (CVE-2020-28199)
* 2021-02-01: Public disclosure of the vulnerability

## Description Summary

The configuration of the Amazon Pay plugin can be obtained via certain third-party plugins. The leak occurs when the template renderer engine is disabled and JSON is returned instead. Among other data, the Amazon Secret Access Key is disclosed.

## Product Introduction

The Amazon Pay plugin integrates Amazon Pay with Alexa support in Shopware. Starting with Shopware 5, "Amazon Pay and Login with Amazon" is part of the core. The plugin is available for previous versions of Shopware.
## Technical Description

After installing the Amazon Pay plugin in the backend, it can be configured in "Basic settings -> Additional settings -> Amazon Pay and Login with Amazon". Furthermore, a second plugin has to be installed which returns a JSON object. In this example we use the plugin named *Bundles* of Shopware.

The *Bundles* plugin offers a page called [https://example.com/widgets/Bundle/isBundleAvailable](https://example.com/widgets/Bundle/isBundleAvailable) that returns some data about Shopware components. The returned data contains the configuration of the Amazon Pay plugin.

In the file "engine/Shopware/Plugins/Community/Frontend/BestitAmazonPay/src/BestitAmazonPay/Subscriber/General.php" of the Amazon Pay plugin, events for the "Enlight_Controller_Action" are subscribed. Some events call the functions "attachTemplatePostDispatch" and "attachTemplatePreDispatch". In both dispatch routines the function "getConfigTemplateVars" is called. This function returns the configuration of the Amazon Pay plugin via "'SwapConfig' => $config->getConfigArray()". This array also contains all secrets of the Amazon Pay plugin. In combination with a second plugin that deactivates the view renderer and enables a JSON result, the secrets are exposed.

For this example we use the *Bundles* plugin of Shopware. In the file "custom/plugins/SwagBundle/Controllers/Widgets/Bundle.php" a controller exists which extends "Enlight_Controller_Action". Therefore, the aforementioned dispatch routines are automatically called on every request to it. The function "isBundleAvailableAction" deactivates the renderer:

```php
$this->get('front')->Plugins()->ViewRenderer()->setNoRender();
$this->get('front')->Plugins()->Json()->setRenderer();
```

### Proof of Concept (PoC)

Install the plugins Amazon Pay and *Bundles* via the Shopware store and configure the Amazon Pay plugin via the backend.
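A hardened counterpart of the dispatch-time assignment described in the Technical Description, written here as an added example and not taken from the plugin or from Shopware: it skips the assignment when no template will be rendered, restricts it to an explicit list of controllers, and passes only a whitelist of non-secret keys to the view. The class name, the key and controller names, and the `shouldRender()` check on the view renderer plugin are assumptions.

```php
<?php
// Added example (not the plugin's own code). A subscriber that exposes plugin
// settings to templates without leaking them through JSON-only actions.
// Key names, controller names and shouldRender() are assumptions.

use Enlight\Event\SubscriberInterface;

class HardenedConfigSubscriber implements SubscriberInterface
{
    /** Settings a template may see. Secrets are never listed here. */
    private const PUBLIC_KEYS = ['sellerId', 'clientId', 'sandboxMode', 'buttonColor'];

    /** Controllers that legitimately render these settings in a template. */
    private const ALLOWED_CONTROLLERS = ['checkout', 'register', 'amazonpay'];

    private $config; // object offering getConfigArray(), as in the advisory

    public function __construct($config)
    {
        $this->config = $config;
    }

    public static function getSubscribedEvents()
    {
        return ['Enlight_Controller_Action_PostDispatch_Frontend' => 'onPostDispatch'];
    }

    public function onPostDispatch(\Enlight_Event_EventArgs $args)
    {
        $controller = $args->getSubject();
        $renderer = $controller->get('front')->Plugins()->ViewRenderer();

        // A controller that switched to the JSON renderer has no template, so
        // anything assigned to the view here would end up in the JSON body.
        if (!$renderer->shouldRender()) {
            return;
        }

        $name = strtolower($controller->Request()->getControllerName());
        if (!in_array($name, self::ALLOWED_CONTROLLERS, true)) {
            return; // not an explicitly allowed consumer of the settings
        }

        $controller->View()->assign('SwapConfig', self::publicSubset($this->config->getConfigArray()));
    }

    /** Keep only whitelisted keys; the secret access key and the rest are dropped. */
    public static function publicSubset(array $config): array
    {
        return array_intersect_key($config, array_flip(self::PUBLIC_KEYS));
    }
}
```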
After the configuration of the plugin you can visit [https://example.com/widgets/Bundle/isBundleAvailable](https://example.com/widgets/Bundle/isBundleAvailable), which returns the configuration including the Amazon Secret Access Key.

## Solution

We strongly recommend not to append the configuration, including all secrets of the Amazon Pay plugin, to all actions via an event. The configuration should only be used internally, and if a template requires information from the configuration, this should be explicitly allowed. Until the vendor's fix is applied, we suggest disabling the Amazon Pay plugin for the time being. A key rollover of the potentially compromised keys is advised.

## References

* [aramido responsible disclosure policy](https://aramido.de/blog/Sicherheitshinweise)
* [Bundles of Shopware](https://store.shopware.com/swagbundle/bundle.html)
* [Amazon Pay](https://store.shopware.com/en/besti53880044858f/amazon-pay-alexa-ready.html)

## Authors

Moritz Kaumanns, aramido GmbH

E-mail: moritz.kaumanns () aramido.de
PGP-Key: https://aramido.de/moritz.kaumanns.asc
PGP-Fingerprint: E0EB 36C3 406A 66A5 6E5E D1C6 C645 3E57 04D4 5028

### aramido - Information Security Consultancy

aramido is a trusted consultancy for information security from Karlsruhe. aramido advises companies and other organizations on information security issues, checks systems, for example through penetration tests, and helps with security incidents through rapid incident response.

aramido GmbH
Amalienstraße 24
76133 Karlsruhe, Germany
Management board: Armin Harbrecht, Andreas Sperber
Web: [https://aramido.de](https://aramido.de)

## Disclaimer

The information provided in this advisory is provided "as is" without any warranty. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the aramido web site.
aramido GmbH disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. aramido GmbH or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if aramido GmbH or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

## Copyright

CC-BY-4.0 https://creativecommons.org/licenses/by/4.0/