A researcher has discovered a vulnerability in the open source platform StackStorm that could allow attackers to trick developers into executing arbitrary commands. StackStorm is an automation and integration platform that allows developers to configure actions, workflows, and scheduled tasks in order to perform operations across large fleets of servers.
On the StackStorm platform you can set rules (if this, then that), for example to upload network packet captures to a cloud service such as CloudShark whenever your security software detects an intrusion or malicious activity in the network.
Since the platform executes actions, which can be anything from an HTTP request to an arbitrary command, on the remote servers that developers integrate for automated tasks, it runs with high privileges.
An application security researcher at AppSec Labs, who shared the details with Hack Hex prior to release, found that the flaw resided in the way the REST API improperly handled CORS (cross-origin resource sharing) headers, enabling web browsers to perform cross-domain requests on behalf of users and developers authenticated to the StackStorm Web UI.
“Specifically what the StackStorm API returned for Access-Control-Allow-Origin. Prior to [StackStorm] 2.10.3/2.9.3, if the origin of the request was unknown, we would return null,” StackStorm said in a blog post about the vulnerability.
“As Mozilla’s documentation will show, and client behavior will back up, null can result in a successful request from an unknown origin in some clients, allowing the possibility of XSS-style attacks against the StackStorm API.”
The Access-Control-Allow-Origin header is critical to resource security: it specifies which domains may access a site’s resources, and if it is misconfigured, other malicious sites can access those resources in a cross-site manner.
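The header behaviour described above, as an added example that is not StackStorm's own code: the allow-list, origin values and sample exchanges are constructed, and the browser-side check is a deliberate simplification of the CORS rules a browser applies to a credentialed request.

```python
# Added example, not StackStorm's own code: a minimal model of the CORS
# decision the article describes. The "before" function mirrors the behaviour
# reported for StackStorm prior to 2.9.3/2.10.3 (answering "null" for an
# unknown origin); the "after" function omits the header instead.
from typing import Iterable, List, Optional, Tuple

# Constructed allow-list; the real value would be the Web UI's own origin.
ALLOWED_ORIGINS = {"https://st2.example.internal"}


def acao_before_fix(origin: Optional[str]) -> Optional[str]:
    """Vulnerable pattern: known origins are echoed, anything else gets 'null'."""
    if origin in ALLOWED_ORIGINS:
        return origin
    return "null"


def acao_after_fix(origin: Optional[str]) -> Optional[str]:
    """Hardened pattern: an unknown origin gets no Access-Control-Allow-Origin."""
    if origin in ALLOWED_ORIGINS:
        return origin
    return None


def browser_allows_read(request_origin: str, acao: Optional[str]) -> bool:
    """Simplified browser-side check for a credentialed request: the response body
    is readable only when the header value equals the Origin the browser sent.
    An opaque origin (sandboxed iframe, data: or file: URL) is sent as the
    literal string 'null', which is exactly why answering 'null' is unsafe."""
    if acao is None:
        return False
    return acao == request_origin


def find_null_acao(exchanges: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Audit helper: return every (Origin, ACAO) pair where the API answered 'null'."""
    return [(o, v) for o, v in exchanges if v.strip().lower() == "null"]


# Constructed sample of observed (request Origin, response ACAO) pairs.
SAMPLE_EXCHANGES = [
    ("https://st2.example.internal", "https://st2.example.internal"),
    ("https://attacker.example", "null"),
    ("null", "null"),
]
```

Running `find_null_acao` over captured responses is a quick way to confirm whether a deployment is still answering unknown origins with `null` after upgrading.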
To exploit this vulnerability (CVE-2019-9580), an attacker simply needs to send a link to a victim, allowing the attacker to “read/update/create actions and workflows, get internal IPs and execute a command on each machine which is accessible by StackStorm agent.”
The researcher shared his findings with the StackStorm team last week; the team acknowledged the issue and released StackStorm versions 2.9.3 and 2.10.3 to address the vulnerability within just two days.