Severe RCE vulnerability found in StackStorm DevOps platform

• A security researcher found a critical vulnerability in the REST API of the open-source DevOps automation software.
• Attackers can exploit this flaw to manipulate actions, workflows, get informaiton on internal IPs and execute arbitrary commands on the machines controlled by the StackStorm agent.

StackStorm, a popular runbook automation tool, contained a major severe vulnerability. A flaw designated as CVE-2019-9580, allowed attackers to mislead developers into executing arbitrary code in StackStorm services. As of now, the company has fixed the flaw by releasing a security patch.

Worth noting

• The vulnerability originated from a faulty processing task in StackStorm’s REST API Cross-Origin Resource Sharing (CORS) headers.
• All versions prior to version 2.9.3 are impacted by this flaw.
• As a result, this could allow attackers to perform Cross-site scripting (XSS) attacks.
• The patch issued for this vulnerability also extended support for new TLS/SSL options, as well as resolved other encryption issues.

How was this flaw discovered - Security researcher Barak Tawily discovered this vulnerability when he analyzed the remote servers managed by StackStorm agent, which carry out automated actions.

“As we can see the 'Access-Control-Allow-Origin' header returning in each request to StackStorm REST API, even when request not includes the origin header, quite weird but anyway might make sense… Then I started to send a malformed Origin header and I realized that the server can't handle it properly, and returning the header 'Access-Control-Allow-Origin: null',” mentioned Tawily, in a blog post.

The researcher also mentions that this improper handling of malformed requests can allow attackers to to manipulate actions, workflows, get informaiton on internal IPs and execute arbitrary commands on the machines controlled by the StackStorm agent.

What actions were taken - Soon after Tawily contacted StackStorm regarding the issue, the company responded by releasing a security update. Developers are advised to update to the latest version to resolve this issue.