Spotify’s Backstage has been identified as vulnerable to a critical security flaw that could allow remote code execution through a recently disclosed bug in a third-party module. The vulnerability carries a CVSS score of 9.8. At its core is a sandbox escape in vm2, a widely used JavaScript sandbox library, tracked as CVE-2022-36067 and disclosed last month.

According to application security firm Oxeye, the vulnerability permits an unauthenticated threat actor to execute arbitrary system commands within a Backstage application by leveraging the vm2 sandbox escape through the Scaffolder core plugin. The consequences of exploitation by malicious actors could be severe.

Backstage, a widely used open-source developer portal by Spotify, facilitates the creation, management, and exploration of software components through a unified interface. Notable companies such as Netflix, DoorDash, Roku, and Expedia utilize this platform, which adds a layer of urgency to addressing these vulnerabilities. Oxeye reported discovering over 500 publicly exposed Backstage instances that could be remotely compromised without any authentication requirement.

The vulnerability stems from the way Backstage handles its software templates, which are used to create components within the platform. Although the template engine runs template code inside vm2 to contain the risks of executing untrusted code, the sandbox escape defeats that protection and allows commands to run outside the intended security boundary.

In its technical analysis, Oxeye noted that once an attacker gains JavaScript execution within the template system, the potential for abuse escalates sharply. Developers and organizations using Backstage should recognize the implications of this flaw and respond accordingly.

Following responsible disclosure on August 18, the project maintainers acted swiftly and released a fix in version 1.5.1 on August 29, 2022. Vulnerabilities of this kind nonetheless merit continuous scrutiny and proactive defenses as the threat landscape keeps growing.

The MITRE ATT&CK framework provides vital insights into the tactics and techniques that may have been employed by adversaries attacking Backstage instances. Techniques such as initial access through exploitation of public-facing applications, privilege escalation via the execution of malicious scripts, and persistence through the modification of legitimate software all fall within the scope of potential adversary behavior in this context.

Business owners running platforms like Backstage should therefore implement robust security practices, not only responding to known vulnerabilities but also keeping up with emerging threats. Clear separation of logic and presentation in coding practices, for instance, can significantly reduce exposure to template-based attacks and help safeguard organizational assets and data.
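To illustrate that separation, the following added example (not code from the article or from the Backstage project) uses a toy renderer that expands `{{ name }}` placeholders; the renderer, the sample context and the token value in it are all constructed for this example.

```javascript
// Toy template renderer standing in for a real engine: expands {{ key }}
// placeholders from a context object. Unknown keys render as empty strings.
// String.prototype.replace does not re-scan the replacement text, so values
// substituted from the context are never themselves interpreted as template.
function render(template, context) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(context, key) ? String(context[key]) : "");
}

// Vulnerable pattern: logic and presentation are mixed. The user-controlled
// value is spliced into the template *source*, so any placeholder syntax the
// user supplies is interpreted by the engine (template injection).
function greetUnsafe(userName, context) {
  const template = `Hello ${userName}, your component lives in {{ repo }}`;
  return render(template, context);
}

// Hardened pattern: the template source is a fixed string written by the
// developer; user input only ever enters through the context object, so it is
// treated as data and never as template logic.
function greetSafe(userName, context) {
  const template = "Hello {{ user }}, your component lives in {{ repo }}";
  return render(template, { ...context, user: userName });
}

// Constructed sample context: values the template has access to, including a
// sensitive one the user should never be able to reach through the template.
const sampleContext = {
  repo: "github.com/example/service",
  apiToken: "constructed-sample-token",
};

// The same hostile input leaks the token in the unsafe path and is rendered as
// inert text in the safe path.
const hostileName = "{{ apiToken }}";
console.log(greetUnsafe(hostileName, sampleContext));
console.log(greetSafe(hostileName, sampleContext));
```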
