Experts found critical RCE in Spotify’s BackstageSecurity Affairs

Experts found critical RCE in Spotify’s BackstageSecurity Affairs

Researchers discovered a critical vulnerability affecting Spotify’s Backstage Software Catalog and Developer Platform.

Researchers from security firm Oxeye discovered a critical remote code execution in Spotify’s Backstage (CVSS score of 9.8). Backstage is Spotify’s open source platform for building developer portals, it is used by a number of organizations including American Airlines, Netflix, Splunk, Fidelity Investments and Epic Games.

The issue can be exploited by triggering a recently disclosed VM sandbox escape vulnerability (CVE-2022-36067 aka Sandbreak) in the vm2 third-party library.

Oxeye researchers reported this RCE vulnerability via Spotify’s bug bounty program, and the Backstage development team quickly fixed it with the release of version 1.5.1.

“An unauthenticated threat actor could execute arbitrary system commands on a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin.” reads the message published by Oxeye.

The vulnerability resides in the software template tools that allow developers to create components in Backstage.

The researchers explained that the template engine uses the vm2 library to prevent the execution of untrusted code.

“In reviewing how to mitigate this risk, we noticed that the template engine could be manipulated to run shell commands using user-controlled templates with Nunjucks outside of an isolated environment. As a result, Backstage began using the vm2 JavaScript sandbox library to mitigate this the risk.” continues the advice. “In a previous research paper, Oxeye found a vm2-sandbox-escape vulnerability that results in remote code execution (RCE) on the host machine.”

The researchers run a simple query for the Backstage favicon hash in Shodan and discovered more than 500 Backstage instances exposed to the internet.

Spotify Backstage

The experts noted that Backstage is deployed by default without an authentication mechanism or an authorization mechanism, which allows guest access. Some of the publicly exposed Backstage instances required no authentication.

See also  Gill gets the nod over Kishan as India count down to a home WC |

Further testing allowed the experts to determine that the vulnerability could be exploited without authentication in many cases.

“The root of any template-based VM escape is to get JavaScript execution rights in the template. By using “logic-less” templating engines like Mustache, you can avoid introducing server-side malinjection vulnerabilities. Separating the logic from the presentation as much as possible can greatly reduce your exposure to the most dangerous template-based attacks.” concludes the report. “For more information on mitigating template-based vulnerabilities, see PortSwigger’s technical advice. And if you use Backstage with authentication, enable it for both front and backend.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(Security matters hacking, Spotify’s Backstage)

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *