Backstage, Spotify’s open platform project for building developer portals was carrying a high-severity vulnerability that allowed potential threat actors to remotely execute unauthenticated code in the project. The flaw was discovered by cloud-native application security providers Oxeye, and was subsequently patched by Spotify.
Users are urged to update Backstage to version 1.5.1, which fixes the issue.
Explaining how they discovered the vulnerability, Oxeye’s researchers said they exploited a VM sandbox escape through the third-party library in vm2, resulting in the ability to conduct unauthenticated remote code execution.
Template-based attacks
“By exploiting a vm2 sandbox escape in the Scaffolder core plugin, which is used by default, unauthenticated threat actors have the ability to execute arbitrary system commands on a Backstage application,” said Yuval Ostrovsky, Software Architect for Oxeye. “Critical cloud-native application vulnerabilities like this one are becoming more pervasive and it is critical these issues are addressed without delay.”
“What caught our attention in this case were Backstage software templates and the potential for template-based attacks,” said Daniel Abeles, Head of Research at Oxeye. “In reviewing how to confine this risk, we noticed that the templating engine could be manipulated to run shell commands by using user-controlled templates with Nunjucks outside of an isolated environment.”
Backstage’s goal is to streamline development environment by unifying all infrastructure tooling, services, and documentation. According to Oxeye, it has more than 19,000 stars on GitHub, making it one of the most popular open-source platforms for building developer portals. Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, and Palo Alto Networks, are just some of the companies using Backstage.
Further explaining the problem and potential remedies, the researchers said the root of a template-based VM escape was able to gain JavaScript execution rights within the template. Logic-less template engines such as Mustache prevent the introduction of server-side template injection, thus eliminating the issue, it was explained.
“If using a template engine in an application, make sure to choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to the organization,” said Gal Goldshtein, Senior Security Researcher at Oxeye. “If using Backstage, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.”