One of the biggest projects of Spotify had a critical security flaw as backstage allowed for the execution of remote code.
One of the Biggest Projects of Spotify Had A Critical Security Flaw
Spotify’s open platform project for building developer portals, Backstage was conveying a high-severity vulnerability that allowed for potential threat actors and hackers to execute unauthenticated code in the project remotely. The flaw was spotted and discovered by cloud-native application security providers Oxeye, and it was and has been subsequently patched by Spotify.
Users of the platform are however advised to update Backstage to version 1.5.1 which fixes the problem.
Oxeye’s researchers when explaining just how they discovered the vulnerability said that they exploited a VM sandbox escape via the third-party library in vm2 and in the process resulted in the ability to conduct or carry out unauthenticated remote code execution.
What a Software Architect for Oxeye Has To Say About the Development
“By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” software Architect for Oxeye, Yuval Ostrovsky said. “Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it is critical these issues are addressed without delay.”
“What caught our attention, in this case, were Backstage software templates and the potential for template-based attacks,” the head of research at Oxeye, Daniel Abeles said. “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.”
The Goal of Backstage Is To Streamline Development Environment
The main goal of Backstage is to streamline the development environment simply by unifying all infrastructure tooling, services, and documentation. And according to Oxeye, it has over 19,000 stars on GitHub thus making it one of the well-known open-source platforms for building developer portals. Spotify, Netflix, American Airlines, Epic Games, Splunk, Fidelity Investments, and Palo Alto Networks are some of the companies that are making use of Backstage.
The researchers when explaining the problem and potential solutions to it said that the root of a template-based VM escapes as able to gain JavaScript execution rights within the template, logic-less template engines line Mustache stops the introduction of server-side template injection and in the process eliminating the problem as it was explained.
Senior Security Researcher at Oxeye’s Response to the Development
“If using a template engine in an application, make sure to choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to the organization,” Senior Security Researcher at Oxeye, Gal Goldshtein said. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.”
