Behind the scenes, Backstage, Spotify's open-source developer portal project, contained a high-severity vulnerability that allowed unauthenticated attackers to execute code remotely on a Backstage deployment. The vulnerability was discovered by cloud-native application security vendor Oxeye and was subsequently patched by Spotify.
Users are asked to update Backstage to version 1.5.1, which fixes the issue.
Explaining how they discovered the vulnerability, Oxeye researchers said that they exploited a sandbox escape in vm2, a third-party virtual machine library used by Backstage, which gave them unauthenticated remote code execution.
Template-based attacks
“By leveraging the vm2 sandbox escape in the core Scaffolder plug-in, which is used by default, unauthenticated cybercriminals have the ability to execute arbitrary system commands in the Backstage application,” said Yuval Ostrovsky, software architect at Oxeye. “Critical vulnerabilities in cloud native applications like this are becoming more common and it’s critical that these issues are addressed promptly.”
“In this case, the Backstage templates and the potential of template-based attacks caught our attention,” said Daniel Abeles, head of research at Oxeye. “In reviewing how to mitigate this risk, we noticed that the template engine can be manipulated to run shell commands using user-controlled templates from Nunjucks outside of an isolated environment.”
The goal of Backstage is to streamline the development environment by unifying all infrastructure tools, services, and documentation. According to Oxeye, it has over 19,000 stars on GitHub, making it one of the most popular open-source platforms for building developer portals. Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games and Palo Alto Networks are just some of the companies using Backstage.
Further explaining the problem and potential countermeasures, the researchers identified the root cause of the sandbox escape as the template engine's ability to execute JavaScript embedded in a template. They noted that logic-less template engines such as Mustache do not evaluate code in templates at all, which prevents server-side template injection and thus eliminates this class of problem.
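To make the mitigation concrete, here is an added example (not code from Backstage, Nunjucks or Oxeye) of a minimal logic-less renderer in the spirit of Mustache: its grammar admits only `{{ name }}` and `{{ a.b }}` lookups, so neither a template nor user-supplied data can carry expressions into the render step. The template string and the `renderServiceCard` helper are hypothetical, standing in for a template checked into a portal's repository and the untrusted input it is rendered with.

```javascript
// Added example, not code from Backstage or Oxeye: a minimal logic-less
// renderer in the spirit of Mustache. Only `{{ name }}` / `{{ a.b }}`
// lookups are recognised, so no template logic can reach the render step.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Resolve a dotted path such as "user.name" against the data object.
function lookup(data, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
}

function renderLogicless(template, data) {
  // Only identifier-like tokens match; `{{ 7 * 7 }}` is not a valid token,
  // so it stays literal text instead of being evaluated.
  const token = /\{\{\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\}\}/g;
  return template.replace(token, (_, path) => {
    const value = lookup(data, path);
    // Substituted values are escaped once and never re-parsed as template
    // source, so user data containing `{{ ... }}` is emitted as inert text.
    return value == null ? '' : escapeHtml(value);
  });
}

// Hypothetical trusted template (e.g. one checked into the portal's repo).
// The untrusted, user-controlled input only ever enters as data.
const TRUSTED_TEMPLATE = 'Service {{ service.name }} owned by {{ owner }}';

function renderServiceCard(userInput) {
  return renderLogicless(TRUSTED_TEMPLATE, userInput);
}
```

The contrast with a logic-capable engine is the absence of any evaluation path: there is no expression parser to reach, whatever the data contains.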
“If you’re using a template engine in your app, make sure you choose the right one in terms of security. Robust template engines are extremely useful, but they can be a threat to organizations,” said Gal Goldshtein, Senior Security Researcher at Oxeye. “If you are using Backstage, we strongly recommend that you update to the latest version to protect yourself from this vulnerability as soon as possible.”