-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-023
Product: Magento Extension Adyen Payment
Vendor: Adyen
Affected Version(s): 2.5.4 and below
Tested Version(s): 2.2.2
Vulnerability Type: Cryptographic Issues (CWE-310)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2015-04-16
Solution Date: 2016-04-21
Public Disclosure: 2016-05-02
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Magento Extension integrates the payment service provided by Adyen into the checkout process of the Magento Shop system. The API used by this extension suffers from cryptographic weaknesses that can be exploited to skip the payment step during checkout.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Adyen HPP API[1] suffers from cryptographic weaknesses that allow an attacker to reuse a signature generated over the user-controlled delivery or billing address to authorize a payment.
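
The following added example (not code from the advisory, from Adyen or from the Magento extension) illustrates the design defect behind such a weakness: when a merchant HMAC is computed over a bare concatenation of field values and the same key signs both payment parameters and shopper-controlled address fields, the digest records neither the message type nor the field boundaries. The demo key, field names and values are constructed, and the weak scheme is an assumption about the general pattern rather than Adyen's exact field list; the hardened form beside it shows the check a defender wants, a purpose tag plus escaped, sorted key/value pairs under one signature.

```python
import hmac
import hashlib

# Constructed demo key; not a real merchant secret.
KEY = b"demo-hmac-key-not-a-real-secret"

# Constructed field sets, not Adyen's real field lists: a payment request and a
# shopper-supplied billing address whose bare concatenations happen to coincide.
PAYMENT_FIELDS = {"amount": "1000", "currency": "EUR", "reference": "ORDER-42"}
ADDRESS_FIELDS = {"street": "1000EUR", "city": "ORDER-42"}


def weak_sig(key: bytes, values) -> str:
    """Weak pattern (assumed): HMAC over the bare concatenation of field values with
    one key reused for every message type, so one digest can fit two messages."""
    return hmac.new(key, "".join(values).encode(), hashlib.sha1).hexdigest()


def canonicalize(purpose: str, fields: dict) -> str:
    """Unambiguous encoding: a purpose tag for domain separation, then all keys
    and values in sorted order, with the separator escaped inside each element."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace(":", "\\:")
    items = sorted(fields.items())
    keys = ":".join(esc(k) for k, _ in items)
    values = ":".join(esc(v) for _, v in items)
    return f"{purpose}:{keys}:{values}"


def strong_sig(key: bytes, purpose: str, fields: dict) -> str:
    """Hardened pattern: one HMAC-SHA256 over the canonical form of every field."""
    return hmac.new(key, canonicalize(purpose, fields).encode(), hashlib.sha256).hexdigest()


def verify_strong(key: bytes, purpose: str, fields: dict, sig: str) -> bool:
    """Receiver-side check in constant time; the expected purpose is fixed by
    the receiver, so an address signature never verifies as a payment one."""
    return hmac.compare_digest(strong_sig(key, purpose, fields), sig)


def collides_under_weak_scheme() -> bool:
    """True when the weak scheme yields one digest for both constructed messages."""
    return weak_sig(KEY, PAYMENT_FIELDS.values()) == weak_sig(KEY, ADDRESS_FIELDS.values())


if __name__ == "__main__":
    print("weak scheme: same digest for payment and address?", collides_under_weak_scheme())
    print("hardened scheme: address digest accepted as payment digest?", verify_strong(
        KEY, "payment", PAYMENT_FIELDS, strong_sig(KEY, "billingAddress", ADDRESS_FIELDS)))
```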
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to Magento Plugin Adyen Payment 2.6.0 or newer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-04-09: Vulnerability discovered
2015-04-16: Basic vulnerability reported to vendor
2015-04-28: Basic vulnerability confirmed by vendor
2015-05-11: Vulnerability of Magento Plugin reported to vendor
2016-04-21: Release of fixed version
2016-05-02: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Adyen, Magento Extension Adyen Payment
    http://www.magentocommerce.com/magento-connect/adyen-payment.html
[2] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn of the SySS GmbH.

E-Mail: franz.jahn@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright: Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en