17 Nov, 2022

Remote Code Execution Flaw Reported in Spotify's Backstage Software Catalog and Developer Platform

An unauthenticated remote code execution (RCE) vulnerability has been discovered in Spotify's Backstage project. The flaw (CVSS score: 9.8) builds on a critical sandbox escape in vm2, a JavaScript sandbox library, that was disclosed in recent months under the name Sandbreak.

What is Backstage Platform?

Backstage is an open source platform for building developer portals. It is widely used by Spotify, American Airlines, Netflix, Splunk and others. It brings together infrastructure tools, services and documentation to create an end-to-end, streamlined development environment.

About the Vulnerability:

"An unauthenticated threat actor can execute arbitrary system commands in a Backstage application by exploiting a vm2 sandbox escape in the Scaffolder core plugin," said the Oxeye (application security firm) team.

According to Oxeye, the vulnerability lies in a Backstage feature called software templates.

Oxeye developed a proof-of-concept that achieves code execution by attacking the Scaffolder plugin and tested it against a local installation.

The malicious code was injected into a modified function of the plugin's template rendering engine, executed in the context of the vm2 virtual machine, and triggered the bug by calling an undefined function.

The payload obtains a CallSite object from outside the sandbox, allowing the attacker to execute arbitrary commands on the host system. An attack diagram is available at the link.

Currently, the number of instances running Backstage versions prior to 1.5.1 is unknown.

As a result of this vulnerability, security administrators are advised to upgrade to the latest version of Backstage.
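The advisory gives one concrete check a defender can run: whether each Backstage deployment is still on a release older than 1.5.1. The following is an added example, not Oxeye's or the Backstage project's code. It assumes that each deployment can be asked for the contents of its backstage.json file (which records the Backstage release version) and that the hosts in the sample inventory are constructed, not real.

```javascript
// Added example (not code from Oxeye or Backstage): flag Backstage deployments
// running a release older than 1.5.1, the version the advisory names as the
// threshold. Assumption: each deployment exposes the raw text of its
// backstage.json file, whose "version" field holds the Backstage release.

const FIXED_VERSION = "1.5.1";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering: numeric fields first; a prerelease (e.g. 1.5.1-next.2)
// sorts before its final release. Prerelease labels are compared as plain
// strings here, which is a simplification of full semver.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;  // release is newer than its prerelease
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// A deployment is considered affected if its version sorts before 1.5.1.
function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// inventory: array of { host, backstageJson }, where backstageJson is the raw
// text of that deployment's backstage.json. Entries that cannot be parsed are
// reported separately rather than silently treated as safe.
function auditInventory(inventory) {
  const report = { vulnerable: [], patched: [], unknown: [] };
  for (const { host, backstageJson } of inventory) {
    try {
      const version = JSON.parse(backstageJson).version;
      if (typeof version !== "string") throw new Error("no version field");
      const bucket = isVulnerable(version) ? report.vulnerable : report.patched;
      bucket.push({ host, version });
    } catch (err) {
      report.unknown.push({ host, reason: err.message });
    }
  }
  return report;
}

// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = [
  { host: "portal-a.internal", backstageJson: '{"version": "1.4.0"}' },
  { host: "portal-b.internal", backstageJson: '{"version": "1.5.1"}' },
  { host: "portal-c.internal", backstageJson: '{"version": "1.5.1-next.2"}' },
  { host: "portal-d.internal", backstageJson: '{"version": "1.8.0"}' },
  { host: "portal-e.internal", backstageJson: "not json" },
];

console.log(JSON.stringify(auditInventory(SAMPLE_INVENTORY), null, 2));
```

Run with `node` to print the report for the constructed inventory: portal-a and portal-c land in `vulnerable` (a 1.5.1 prerelease is older than the 1.5.1 release), portal-b and portal-d in `patched`, and portal-e in `unknown` so that an unreadable file is never mistaken for a patched host.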

Sources:

Critical RCE Bug Reported in Spotify's Backstage Software Catalog and Developer Platform (thehackernews.com)

Researchers Publish Exploit Details for Backstage Pre-Auth RCE Bug (bleepingcomputer.com)

Oxeye (@OxeyeSecurity) / Twitter
