Remote Code Execution Discovered in Spotify's Backstage

Written by

A vulnerability in Spotify’s open-source, Cloud Native Computing Foundation (CNCF)-incubated project Backstage has been discovered that could lead to threat actors performing remote code execution (RCE).

The findings come from the Oxeye research team, who have managed to exploit a virtual machine (VM) sandbox escape via a third-party library named vm2.

“We reported this RCE vulnerability via Spotify’s bug bounty program, and the Backstage team responded rapidly by patching it in version 1.5.1,” Oxeye wrote in an advisory published earlier today.

Spotify ranked the vulnerability affecting the developer portal building platform as critical, with a CVSS score of 9.8.

“Backstage can hold integration details to many organization systems, such as Prometheus, Jira, ElasticSearch, and others,” the Oxeye advisory reads.

“Thus, successful exploitation has critical implications for any affected organization and can compromise those services and the data they hold.”

Once they had successfully executed the payload locally, Oxeye then attempted to assess the potential impact of such a vulnerability if exploited in the wild.

“We started by running a simple query for the Backstage favicon hash in Shodan; it resulted in more than 500 Backstage instances exposed to the internet. We then tried to assess how they could be exploited remotely without authenticating to the target Backstage instance.”

The security researchers discovered that Backstage was being deployed by default without an authentication mechanism or an authorization mechanism, which allowed guest access.

“Some of the public Backstage servers accessible to the internet did not require any authentication.”

Oxeye then tried to set up a local Backstage instance that requires authentication, following tutorial guidelines originally maintained by the platform.

“We ended up with authentication only enforced on the client side; requests flowing to the backend API were not verified for authentication or for authorization.”

In other words, when trying to send requests directly to the backend API server of some internet-exposed instances, the researchers found that a handful did not require any form of authentication or authorization.

“Thus, we concluded the vulnerability could be exploited without authentication on many instances.”

To mitigate the impact of this vulnerability, Oxeye and Spotify have urged companies and individuals to update to the latest version of Backstage.

“Moreover, if you’re using a template engine in your application, make sure you choose the right one in relation to security,” Oxeye added. “Robust template engines are extremely useful but might pose a risk to your organization.”

The Oxeye advisory comes weeks after CloudSEK discovered several vulnerabilities affecting the Veeam Backup & Replication application.

What’s hot on Infosecurity Magazine?