
Severe RCE vulnerability affected popular StackStorm Automation Software


The security researcher Barak Tawily has discovered a severe vulnerability, tracked as CVE-2019-9580, in the popular open source event-driven platform StackStorm.

According to the expert, the flaw could be exploited by a remote attacker to trick developers into executing arbitrary commands on targeted services. StackStorm is used to automate workflows in many industries: it allows developers to configure actions, workflows, and scheduled tasks that perform operations on large-scale server fleets.

StackStorm's ability to execute actions could be abused by a remote attacker who knows about the flaw.

“In this blogpost I will describe how you can cause RCE on targeted servers, which only requires an authenticated user to browse to a malicious webpage.” reads a blog post published by the expert.

The vulnerability is tied to the way the StackStorm REST API improperly handled CORS (cross-origin resource sharing) headers, ultimately enabling web browsers to perform cross-domain requests on behalf of authenticated users/developers.

“As we can see, the “Access-Control-Allow-Origin” header is returned in each request to the StackStorm REST API, even when the request does not include the Origin header, quite weird but anyway might make sense… ” wrote the expert.

“Then I started to send a malformed Origin header and I realized that the server can't handle it properly, and returns the header “Access-Control-Allow-Origin: null”.”

The expert noticed that, in versions prior to the 2.10.3/2.9.3 releases, the StackStorm API returned the value null for Access-Control-Allow-Origin whenever the origin of the request was unknown.

“To simplify, the RFC defines that, in case the server got a malformed origin which cannot be serialized, the string “null” is set as the Origin header. Now we can understand what the root cause for all this is; that makes me laugh a bit because the RFC defines one thing, but Mozilla best practices say to avoid using it (makes sense anyway).” explained the expert.

The Access-Control-Allow-Origin header determines which origins may access a site's resources; leaving it misconfigured could allow attackers to gain access to those same resources.

To exploit the flaw, an attacker just needs to trick a victim into clicking on a maliciously crafted link; in this way the attacker is able to read/update/create actions and workflows, obtain internal IPs, and execute a command on each machine reachable by the StackStorm agent.
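As an added illustration (not StackStorm's own code), the weak header handling described above beside a hardened version, plus a small audit helper that classifies captured responses; the allowlisted origin is a constructed value.

```python
"""Weak vs. hardened handling of the Origin header on a credentialed REST API,
plus an audit helper for captured responses. Added example, not StackStorm code."""
from typing import Dict, Optional

# Constructed allowlist: the only origin the API should ever grant.
ALLOWED_ORIGINS = {"https://st2web.example.internal"}


def weak_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Mirrors the pre-2.9.3/2.10.3 behaviour the article describes: the header
    is always emitted, and an unknown or unserialisable Origin collapses to "null"."""
    value = origin if origin in ALLOWED_ORIGINS else "null"
    return {"Access-Control-Allow-Origin": value,
            "Access-Control-Allow-Credentials": "true"}


def hardened_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Echo only an allowlisted origin; every other request gets no CORS grant.
    "null" is never returned, because browsers send Origin: null for opaque and
    sandboxed contexts, so granting it is equivalent to granting any page."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # keep caches from serving one origin's grant to another


def audit_cors(headers: Dict[str, str], request_origin: Optional[str]) -> str:
    """Classify a captured response: 'ok', 'null-origin' (the CVE-2019-9580 pattern),
    'wildcard-with-credentials', or 'reflected-unknown-origin'."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok"
    if acao == "null" and creds:
        return "null-origin"
    if acao == "*" and creds:
        return "wildcard-with-credentials"
    if request_origin and acao == request_origin and acao not in ALLOWED_ORIGINS:
        return "reflected-unknown-origin"
    return "ok"
```

Running `audit_cors` over responses to requests carrying an unexpected Origin value is a quick way to confirm whether a deployment still shows the `null` grant.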

Tawily reported his findings to the StackStorm team last week, which quickly addressed the issue with the release of StackStorm versions 2.9.3 and 2.10.3.

Pierluigi Paganini

(SecurityAffairs – StackStorm, hacking)
