- The Oxeye research team has been able to execute remote code in Spotify’s open-source, CNCF-incubated project, Backstage.
- The vulnerability, which has a CVSS score of 9.8, can be exploited by VM sandbox escape through the vm2 third-party library.
- Oxeye reported the vulnerability and it was fixed shortly after. Organizations using Backstage are urged to install the latest patch immediately.
The Oxeye research team announced that they could gain remote code execution in Backstage, Spotify’s open-source CNCF-incubated project. To execute remote code, the team exploited a VM sandbox escape through the vm2 third-party library. The RCE vulnerability has been reported via Spotify’s bug bounty program and patched shortly after in version 1.5.1. The vulnerability can be tracked as CVE-2022-36067 and has a CVSS score of 9.8.
Open-source CNCF-incubated project
The remote code execution vulnerability, which may allow threat actors to execute arbitrary system commands on a Backstage application, can be exploited with a vm2 sandbox escape in the Scaffolder core plugin. Backstage is currently being used by American Airlines, Netflix, Splunk, Fidelity Investments, and Epic Games along with Spotify. Successful exploitation has critical implications for any affected organization and can compromise those services and the data they hold. Backstage includes:
- Backstage software catalog for managing all your software (microservices, libraries, data pipelines, websites, ML models, etc.)
- Backstage software templates for quickly spinning up new projects and standardizing your tooling with your organization’s best practices
- Backstage techdocs for making it easy to create, maintain, find, and use technical documentation, using a “docs-like code” approach
- A growing ecosystem of open-source plugins that further expand its customizability and functionality
Backstage has three parts:
- Core: Base functionality built by core developers in the open-source project
- App: A Backstage app instance that is deployed and tweaked. It ties together core functionality with additional plugins. It’s built and maintained by app developers, usually by a productivity team at a company.
- Plugins: Additional functionality to make your Backstage app more useful. Plugins can be specific to a company or open-sourced/reusable.
Backstage started using the vm2 JavaScript sandbox library to mitigate another risk. Oxeye researchers found a vm2 sandbox escape vulnerability that allows remote code execution on the hosting machine. Oxeye explained the steps for exploitation:
- Access the range function constructor property, which provides access to the sandboxed Function constructor. We use that to create an immediately invoked function expression (IIFE) containing our exploit code (within Nunjucks’s rendering engine context).
- Override the renderString function to contain our own implementation. This is so we can run in the context of the VM instead of Nunjucks, which is essential to exploit the vulnerability (here env is the Nunjucks reference).
- Trigger an error by invoking an undefined function (triggerException). This causes NunjucksWorkflowRunner.render to call the SecureTemplater.render function a second time.
- Save a copy of the original Error class.
- Override the original Error class with a new empty class.
- Implement the prepareStackTrace function under the newly created Error class.
- Create an instance of the saved Error class and access its stack property. This triggers the built-in Node error module to call our implementation of the prepareStackTrace function.
- Access the CallSite object supplied in the traces array, on which we invoke the getThis function. This gets us an object created outside the sandbox, allowing us to execute an arbitrary system command.
Oxeye said,
« If you’re using Backstage in your organization, we strongly recommend updating it to the latest version to defend against this vulnerability as soon as possible.
Moreover, if you’re using a template engine in your application, make sure you choose the right one in relation to security. Robust template engines are extremely useful but might pose a risk to your organization.
The root of any template-based VM escape is gaining JavaScript execution rights within the template. By using “logic-less” template engines such as Mustache, you can avoid introducing server-side template injection vulnerabilities. Separating the logic from the presentation as much as possible can greatly reduce your exposure to the most dangerous template-based attacks. »
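To make the recommendation concrete, the following is an added example and not code from Backstage, vm2, Nunjucks or Oxeye. It is a minimal "logic-less" renderer in the spirit of Mustache: templates can only substitute values looked up from a plain data object, lookups never descend into functions or walk the prototype chain, and there are no expressions or calls at all. The point is that a template written against such an engine has no route to Function, Error or any other object it could use as a starting point for the kind of escape chain described above. The tag syntax, the helper names and the sample data object (which mimics an environment that exposes a function such as range alongside plain values) are all assumptions made for this example.

```javascript
// Added example (not Backstage, vm2, Nunjucks or Oxeye code): a minimal
// logic-less template renderer. Only {{ ident(.ident)* }} tags are
// recognised; everything else stays in the output as literal text.
const TAG = /\{\{\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\}\}/g;

// Resolve a dotted path using own properties only. Segments such as
// "constructor", "prototype" or "__proto__" are not own properties of a
// plain data object, and functions are never descended into, so such a
// path resolves to undefined instead of reaching JavaScript internals.
function lookup(data, path) {
  let cur = data;
  for (const seg of path.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, seg)) {
      return undefined;
    }
    cur = cur[seg];
  }
  return cur;
}

// Only strings, numbers and booleans are rendered. Objects and functions
// render as an empty string, so a template cannot stringify internals.
function isRenderable(v) {
  return typeof v === 'string' || typeof v === 'number' || typeof v === 'boolean';
}

// HTML-escape substituted values so data never turns into markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Substitution only: there is no evaluation step, hence no code to escape from.
function render(template, data) {
  return template.replace(TAG, (_, path) => {
    const v = lookup(data, path);
    return isRenderable(v) ? escapeHtml(v) : '';
  });
}

// Defender-side audit helper: list every tag that does not resolve to a
// renderable own property. When templates come from users, a template
// that probes for constructor or __proto__ shows up here before anything
// is rendered, which is a useful event to log.
function rejectedTags(template, data) {
  const rejected = [];
  for (const m of template.matchAll(TAG)) {
    if (!isRenderable(lookup(data, m[1]))) rejected.push(m[1]);
  }
  return rejected;
}

// Constructed sample data (assumption for this example): plain values plus
// a function, mimicking an environment that exposes helpers to templates.
const sampleData = {
  name: 'payment-service',
  owner: { team: 'platform <core>' },
  range: function range(n) { return [...Array(n).keys()]; },
};

console.log(render('Hello {{ name }}, owned by {{ owner.team }}', sampleData));
console.log(render('{{ range.constructor }}', sampleData) === '');
console.log(rejectedTags('{{ range.constructor }} {{ owner.__proto__ }} {{ name }}', sampleData));
```

The trade-off is the one the quote names: this engine cannot express loops, conditionals or calls, so any such logic has to live in the application code that builds the data object, not in the template. That is exactly what keeps the template from being a place where JavaScript runs.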