I just opened an issue on GitHub -- to my surprise I couldn't find one concerning this matter.
https://github.com/magento/magento2/issues/21870
I am being told this issue is fixed on the GitHub repositories. I will test and follow up.
The latest PayPal module code from the 2.2-develop branch did NOT work! I still got hit with $0 auths!
Thanks for that info. I will test it shortly.
For those with this issue, I have gone through my access logs and identified 35 IP addresses coming from Amazon Web Services that seem to be behind this exploit. These IPs had roughly 60-70 user sessions open at all times and were entering directly into a cart checkout page. I have blocked these IPs at server level and the user hasn't popped back up in the last couple hours. (correction, I just checked and the hacker is back on new IPs)
@AndyAJ, do you know if I'm able to just copy the PayFlow files to fix this? (granted the fix works)
Do you know what files I can copy?
I have 3 sites, each running 30 extensions and custom theme, so doing a full upgrade to each of them would take a while and we are currently dead in the water on all our sites and unable to take orders.
Thanks in advance for any insight.
Larry
Hi Larry,
Copying the code from either the 2.2-develop or 2.3-develop branches did not work for me. Another user said the following helped them, which you are welcome to try (but it did not work for me.)
Change the conditional on vendor/magento/module-paypal/Controller/Transparent/RequestSecureToken line 85 from
if (!$quote or !$quote instanceof Quote) {
to
if (!$quote or !$quote instanceof Quote or !$quote->getId()) {
For anybody dealing with this issue, I created a gist giving an example fail2ban configuration that blocks any IP address that attempts to exploit this vulnerability by requesting the endpoint more than 10 times in 10 minutes.
https://gist.github.com/digitalengineering/896934dd526302a68c198e1b0333219b
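The threshold described in the post above (more than 10 requests to the endpoint in 10 minutes), as an added example that is not the gist's fail2ban configuration and not part of the original thread: a Python pass over an access log that reports which IPs such a rule would ban. The route string, the combined log format, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: the RequestSecureToken controller named in the thread is served at this route.
ENDPOINT = "/paypal/transparent/requestsecuretoken"
MAX_HITS = 10                     # "more than 10 times"
WINDOW = timedelta(minutes=10)    # "in 10 minutes"
# Assumption: common/combined log format: ip - - [time] "METHOD path HTTP/x" ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')

def find_offenders(lines, max_hits=MAX_HITS, window=WINDOW):
    """Return {ip: time the threshold was first exceeded}; lines must be in time order."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, path = m.groups()
        # Ignore the query string and a trailing slash; tolerate an /index.php prefix.
        if not path.lower().split("?", 1)[0].rstrip("/").endswith(ENDPOINT):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) > max_hits and ip not in offenders:
            offenders[ip] = when
    return offenders

def sample_log():
    """Constructed log lines using documentation IP ranges, not data from the thread."""
    base = datetime(2019, 3, 21, 12, 0, 0, tzinfo=timezone.utc)
    token = "/paypal/transparent/requestSecureToken/"
    rows = [(base + timedelta(seconds=30 * i), "203.0.113.10", token) for i in range(12)]
    rows += [(base + timedelta(minutes=20 * i), "198.51.100.7", token) for i in range(12)]
    rows.append((base + timedelta(minutes=1), "198.51.100.7", "/checkout/cart/"))
    rows.sort()
    fmt = '{ip} - - [{t}] "POST {p} HTTP/1.1" 200 512 "-" "-"'
    return [fmt.format(ip=ip, t=t.strftime("%d/%b/%Y:%H:%M:%S %z"), p=p) for t, ip, p in rows]

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"{ip} exceeded {MAX_HITS} token requests in {WINDOW} at {when.isoformat()}")
```

Because the window slides per IP, a client that spreads the same number of requests over several hours stays under the threshold, and requests split across many source IPs are counted separately for each address.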
Does anyone know if disabling guest checkout prevents this?
https://support.magento.com/hc/en-us/articles/360025515991
Please update your Magentos.