Users of the popular open-source DevOps automation software StackStorm are advised to update to the recently released 2.10.3 and 2.9.3 versions, which address a critical vulnerability (CVE-2019-9580) in the platform that could allow remote attackers to perform arbitrary commands on targeted servers.
StackStorm, an event-driven DevOps automation tool, enables developers to set up scheduled tasks as well as construct specific actions and workflows for large-scale servers. For StackStorm to do all these tasks on behalf of remote servers handled by its agent, it requires high-privilege access to systems — something an attacker can exploit.
The vulnerability was found by application security researcher Barak Tawily. According to his blog, the flaw lies in the way StackStorm’s REST API handles cross-origin resource sharing (CORS) headers. The Access-Control-Allow-Origin header tells the browser which origins may read a site’s responses; if it is configured improperly, it can also let a malicious site read those same responses in a cross-site attack.
Prior to the release of the updated versions, the StackStorm API responded with the literal value “null” in the Access-Control-Allow-Origin header when the origin of the request was not one it recognized, thus opening up the API to cross-site scripting (XSS)-style attacks.
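A simplified illustration of the header behaviour described above, added here as an example and not taken from StackStorm’s code base: the weak logic that answers an unknown origin with “null” beside a hardened version, plus a check a defender can run over captured response headers. The allow-list value and the function names are constructed for this example.

```python
"""Hypothetical CORS helpers modelling the CVE-2019-9580 bug class (constructed example)."""
from typing import Dict, Optional

# Constructed allow-list of origins that may call the API from a browser.
ALLOWED_ORIGINS = ["https://st2.example.internal"]


def cors_header_vulnerable(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> Optional[str]:
    """Weak behaviour: an unknown Origin yields Access-Control-Allow-Origin: null.

    Browsers serialise the origin of sandboxed iframes and data: URLs as the
    literal string "null", so a page the attacker controls can match this
    value and read responses sent with the victim's session credentials.
    """
    if origin in allowed:
        return origin
    return "null"


def cors_header_fixed(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> Optional[str]:
    """Hardened: echo only an exact allow-list match, otherwise omit the header.

    The literal "null" is never emitted, even if the browser sent Origin: null.
    """
    if origin is not None and origin != "null" and origin in allowed:
        return origin
    return None


def is_cors_response_unsafe(headers: Dict[str, str]) -> bool:
    """Defender-side check over captured response headers.

    Flags the "null" value, which any sandboxed page can match, and the
    wildcard combined with credentials, which signals a misconfiguration.
    """
    # Normalise header names so the check is case-insensitive.
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return False
    if acao.strip() == "null":
        return True
    return acao.strip() == "*" and creds
```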
As reported by The Hacker News, because the vulnerability lets a web browser perform cross-domain requests on behalf of a developer who is authenticated to the StackStorm Web UI, cybercriminals can abuse it by sending a malicious link to a victim. An attacker could then take over any server and read, update, and create actions and workflows, obtain internal IP information, and execute commands on machines that StackStorm can reach.