A critical unauthenticated remote code execution vulnerability in Spotify’s Backstage project has been found and fixed, and developers are advised to take immediate action in their environments.
What is Backstage?
Having more than 19,000 stars on Github, Backstage is one of the most popular open-source platforms for building developer portals and is in widespread use by Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, Palo Alto Networks and many others.
It unifies all infrastructure tooling, services, and documentation to create a streamlined development environment.
Backstage was accepted to the Cloud Native Computing Foundation (CNCF) on September 8, 2020 and is at the Incubating project maturity level.
About the vulnerability
“By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” said Yuval Ostrovsky, Software Architect for Oxeye. “Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it is critical these issues are addressed without delay.”
Oxeye researchers reported the vulnerability through Spotify’s bug bounty program, and Spotify rapidly patched the vulnerability and released Backstage version 1.5.1, which fixes the issue.
“Every research project we spin up starts with mapping potential inputs to an application. What caught our attention in this case were Backstage software templates and the potential for template-based attacks,” said Daniel Abeles, Head of Research at Oxeye. “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.”
“If using a template engine in an application, make sure to choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to the organization,” said Gal Goldshtein, Senior Security Researcher at Oxeye. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.”
More details about the vulnerabilty can be found here.