One of Spotify’s biggest projects had a rather critical security flaw
Backstage, Spotify’s open platform project for building developer portals, contained a very serious vulnerability that could allow unauthenticated threat actors to execute code remotely in the project. The flaw was discovered by cloud-native application security provider Oxeye and was subsequently patched by Spotify.
Users are urged to update Backstage to version 1.5.1, which resolves the issue.
Explaining how they discovered the vulnerability, Oxeye’s researchers said they exploited a sandbox escape in the third-party vm2 library, which gave them unauthenticated remote code execution.
Template-based attacks
“By using a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” said Yuval Ostrovsky, Software Architect for Oxeye. “Critical cloud-native application vulnerabilities such as these are becoming increasingly ubiquitous and it is critical that these issues are addressed without delay.”
“What caught our attention in this case was Backstage software templates and the potential for template-based attacks,” said Daniel Abeles, chief research officer at Oxeye. “[…] to execute shell commands using user-controlled templates with Nunjucks outside of an isolated environment.”
Backstage’s goal is to streamline the development environment by unifying all infrastructure tooling, services, and documentation. According to Oxeye, it has over 19,000 stars on GitHub, making it one of the most popular open-source portal building platforms for developers. Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, and Palo Alto Networks are just a few of the companies using Backstage.
To further explain the problem and possible solutions, the researchers said that the root cause of the template-based VM escape was the ability to obtain JavaScript execution within the template itself. Logic-less template engines such as Mustache cannot evaluate code, which prevents server-side template injection and eliminates the problem, they explained.
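As an added illustration (not code from Backstage or from Oxeye’s research), here is a minimal logic-less substitution renderer in JavaScript: a tag may only name a data field, so a user-controlled template cannot evaluate expressions, and lookups use own properties only so a tag cannot reach constructors through the prototype chain. The function names and the sample context are my own.

```javascript
// Added example, not Backstage or Oxeye code: a logic-less renderer in the
// spirit of Mustache. Contrast with a full engine such as Nunjucks, where
// a user-controlled template can contain evaluated expressions.
const TAG = /\{\{\s*([^{}]*?)\s*\}\}/g;                 // matches {{ ... }}
const IDENT = /^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$/;         // plain dotted name only

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Resolve a dotted path using own properties only, so a tag such as
// {{ constructor.constructor }} cannot walk up to Object or Function.
function lookup(ctx, path) {
  let cur = ctx;
  for (const part of path.split(".")) {
    if (cur === null || typeof cur !== "object" ||
        !Object.prototype.hasOwnProperty.call(cur, part)) {
      return undefined;
    }
    cur = cur[part];
  }
  return cur;
}

// Every tag must be a dotted identifier; operators, calls and brackets are
// rejected outright rather than evaluated. Values are HTML-escaped.
function renderLogicless(template, ctx) {
  return template.replace(TAG, (_match, expr) => {
    if (!IDENT.test(expr)) {
      throw new Error(`unsupported tag (no expressions allowed): ${expr}`);
    }
    const v = lookup(ctx, expr);
    return v === undefined ? "" : escapeHtml(v);
  });
}

// Constructed sample context standing in for scaffolder input values.
const demoCtx = { user: { name: "<ada>" }, repo: "example-service" };
console.log(renderLogicless("Hello {{ user.name }} from {{repo}}", demoCtx));
console.log(JSON.stringify(renderLogicless("{{ constructor.constructor }}", demoCtx)));
try {
  renderLogicless("{{ 7*7 }}", demoCtx);
} catch (e) {
  console.log("rejected:", e.message);
}
```

With a logic-capable engine the last two templates would be evaluated; here one resolves to nothing and the other is refused, which is the whole safety argument for logic-less templating when the template text is not fully trusted.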
“If you use a template engine in an application, make sure you choose the right one with regard to security. Robust template engines are extremely useful, but can pose a risk to the organization,” said Gal Goldshtein, Senior Security Researcher at Oxeye. “If you are using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.”