Researchers release exploit details for Backstage pre-auth RCE bug


Older versions of the Spotify Backstage development portal builder are vulnerable to a critical (CVSS score: 9.8) unauthenticated remote code execution flaw allowing attackers to run commands on publicly exposed systems.

The problem lies in a vm2 sandbox escape issue that researchers at Oxeye disclosed in a report last month, warning about the extensive deployment of the particular JavaScript sandbox library.

As Backstage uses the vm2 library, it, too, was affected by the vulnerability via the supply chain.

Oxeye confirmed the impact in Backstage and alerted Spotify on August 18, 2022. The vendor then addressed it via an update (v1.5.1) released on August 29, 2022, only a day after vm2 was patched with version 3.9.11.

The Oxeye team developed a working payload against Backstage’s Scaffolder plugin that escapes the sandbox and executes code, and tested it on a local deployment.

Payload injected in the invoked function (Oxeye)

The malicious code was injected into a modified function of that plugin’s rendering engine, run inside the virtual machine, and triggered by an error raised when an undefined function is invoked.

The payload creates a CallSite object outside the sandbox, allowing the attacker to execute arbitrary commands on the host system.

Flaw impact and mitigation

Oxeye’s scans on Shodan revealed that 546 publicly exposed Backstage instances on the internet could be exploitable, most based in the United States.

While this number isn’t large, Backstage is used by many large firms, including Spotify, Netflix, Epic Games, Jaguar/Land Rover, Mercedes Benz, American Airlines, Splunk, TUI, Oriflame, Twilio, SoundCloud, HBO Max, HP Inc, Siemens, VMware, and IKEA. 

Due to this, even a single vulnerable instance could be enough to cause a significant breach in a high-profile company.

To make matters worse, Backstage APIs are available without authentication by default. Unless the instances are blocked by network filtering rules or identity management, they could be accessed by any remote user.

This means that guest users could potentially attack Internet-exposed instances without needing credentials.

“When trying to send requests directly to the backend API server of some of the internet-exposed instances, we found a handful did not require any form of authentication or authorization,” warned the Oxeye researchers in their report.

“Thus we concluded the vulnerability could be exploited without authentication on many instances.”

Backstage attack flow diagram (Oxeye)

Currently, the number of instances running Backstage versions before 1.5.1 is unknown.

All system administrators are advised to upgrade to the latest release, Backstage version 1.7.2, which came out last week.

Oxeye also recommends that those using template engines in their apps limit themselves to “logic-less” engines such as Mustache, which do not introduce server-side template injection or JavaScript execution risks.
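To show what “logic-less” buys a defender, here is an added example (not Backstage’s, Mustache’s or Oxeye’s code): a minimal Mustache-style renderer in Node.js that only substitutes looked-up values, never evaluates anything, and never re-scans substituted text for tags. The template, data and `render`/`lookup` names are assumptions constructed for this illustration.

```javascript
// Minimal logic-less renderer in the Mustache style (illustrative, not a
// real library). Tags resolve only by looking up a dotted path in plain
// data; no part of a template or a value is ever parsed as JavaScript.
const TAG = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Walk a dotted path through own properties of plain data only, so
// prototype members such as `constructor` are not reachable from a template.
function lookup(data, path) {
  let cur = data;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return '';
    }
    cur = cur[key];
  }
  return cur === undefined || cur === null ? '' : cur;
}

function render(template, data) {
  // One pass over the template: the text produced by a substitution is
  // never fed back into the tag scanner, so values cannot inject new tags.
  return template.replace(TAG, (_, rawKey, escKey) =>
    rawKey !== undefined ? String(lookup(data, rawKey))
                         : escapeHtml(lookup(data, escKey)));
}

// Constructed sample: a scaffolder-style template whose values arrive from
// an untrusted request. The values contain tag syntax and HTML, yet both are
// emitted as inert text.
const template = 'Service: {{ name }}\nOwner: {{ owner.team }}\nType: {{ constructor.name }}';
const untrusted = {
  name: '{{ owner.team }}',
  owner: { team: '<script>alert(1)</script>' },
};

console.log(render(template, untrusted));
```

Contrast this with an engine whose tags carry expressions: there, a value or template fragment under attacker control is handed to an evaluator, which is exactly the surface the vm2 sandbox was meant to contain.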

Finally, the researchers advise enabling both frontend and backend authentication to prevent unauthorized access to Backstage APIs.