A vulnerability in Spotify's open-source Backstage project allowed researchers to escape a virtual machine (VM) sandbox and perform Remote Code Execution (RCE).
Researchers discovered a vulnerability that could have allowed threat actors to exploit a VM sandbox escape using a third-party library. According to cybersecurity firm Oxeye, the critical flaw could lead to data loss if exploited.
Backstage is a project incubated by Spotify and is often used for building developer portals. It is used by a number of organizations, including Netflix, American Airlines, Epic Games, and others.
“Backstage can hold integration details to many organization systems, such as Prometheus, Jira, ElasticSearch, and others. Thus, successful exploitation has critical implications for any affected organization and can compromise those services and the data they hold,” researchers said in a blog post.
After executing the payload locally, researchers went online to see what impact the vulnerability would have if exploited in the wild. Using Shodan, a search engine that indexes devices connected to the internet, they discovered over 500 exposed Backstage instances.
“We found a handful did not require any form of authentication or authorization. Thus, we concluded the vulnerability could be exploited without authentication on many instances,” researchers said.
To test how the flaw could be exploited, the team set up a local Backstage instance that requires authentication by following guidelines provided by the platform. They discovered that authentication was only enforced on the client side.
Sending requests to the backend API server of exposed instances revealed that some did not require any authentication or authorization.
Oxeye reported the flaw through Spotify's bug bounty program, and the Backstage team responded by patching it. Spotify rated the vulnerability with a high-severity CVSS score of 9.8.