StackStorm, aka "IFTTT for Ops," is a powerful event-driven automation tool for integration and automation across services and tools that allows developers to configure actions, workflows, and scheduled tasks, in order to perform some operations on large-scale servers.
For example, you can set instructions (if this, then that) on Stackstorm platform to automatically upload network packet files to a cloud-based network analyze service, like CloudShark, in events when your security software detects an intrusion or malicious activity in the network.
Since StackStorm executes actions—which can be anything, from the HTTP request to an arbitrary command—on remote servers or services that developers integrate for automated tasks, the platform runs with quite high-privileges.
release, the flaw resided in the way the StackStorm REST API improperly handled CORS (cross-origin resource sharing) headers, eventually enabling web browsers to perform cross-domain requests on behalf of the users/developers authenticated to StackStorm Web UI.
"Specifically what the StackStorm API returned for Access-Control-Allow-Origin. Prior to [StackStorm] 2.10.3/2.9.3, if the origin of the request was unknown, we would return null," StackStorm said in a blog post about the vulnerability.
"As Mozilla's documentation will show, and client behavior will back up, null can result in a successful request from an unknown origin in some clients. Allowing the possibility of XSS style attacks against the StackStorm API."
Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM
Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.Supercharge Your Skills
To exploit this vulnerability (CVE-2019-9580), an attacker simply needs to send a maliciously-crafted link to a victim, allowing it to "read/update/create actions and workflows, get internal IPs and execute a command on each machine which is accessible by StackStorm agent."
Tawily shared a proof-of-concept video with The Hacker News, demonstrating how the vulnerability in StackStorm could allow an attacker to take over any server accessible by the StackStorm agent.
The researcher shared his findings with the StackStorm team last week, which acknowledged the issue and immediately released StackStorm versions 2.9.3 and 2.10.3 to address the vulnerability within just two days.
DevOps teams are highly recommended to update StackStorm.