Backstage is an open platform for building developer portals, created by Spotify and released to the public. Researchers at Oxeye recently disclosed a vulnerability in the popular JavaScript sandbox library “vm2”, a library that is used by Backstage, rendering Backstage instances vulnerable to Remote Code Execution (RCE) attacks. Spotify was alerted to the vulnerability in their Backstage platform, and promptly released an update (v 1.5.1) released on August 29, 2022 only a day after the vm2 update (v 3.9.11) was released.
The Oxeye team has also released a working exploit that successfully abuses the Scaffolder plugin in Backstage, which uses the vm2 JavaScript library. Scaffolder, when injected with the malicious code, creates a CallSite object outside the sandbox that allows an attacker to execute arbitrary commands on the victim host.
Oxeye noted in their research that they discovered 546 publicly exposed Backstage instances on Shodan that could be exploited in this way. Of those 546 instances, Oxeye found that a handful of these instances didn’t even require authentication in order to use the exposed Backstage API.
Analyst Notes
Bleeping Computer reporter Bill Toulas notes that “While this number isn’t large, Backstage is used by many large firms, including Spotify, Netflix, Epic Games, Jaguar/Land Rover, Mercedes Benz, American Airlines, Splunk, TUI, Oriflame, Twilio, SoundCloud, HBO Max, HP Inc, Siemens, VMware, and IKEA”.
It is highly recommended that systems administrators update Backstage to the latest version, version 1.7.2. It is also recommended to use logic-less template engines whenever possible, as they don’t introduce the opportunity for server-side injection. Administrators should also ensure that authentication is enforced for Backstage instances, and access to the instances are restricted at the network level where possible.
https://www.bleepingcomputer.com/news/security/researchers-release-exploit-details-for-backstage-pre-auth-rce-bug/
