According to the expert, a remote attacker could exploit the flaw to trick developers into executing arbitrary commands on targeted services. StackStorm is used to automate workflows across many industries; it lets developers configure actions, workflows, and scheduled tasks that carry out operations on large server fleets.
A remote attacker who knows about the flaw could abuse StackStorm's ability to execute actions.
The vulnerability is tied to the way the StackStorm REST API improperly handled CORS (cross-origin resource sharing) headers, which enabled web browsers to perform cross-domain requests on behalf of
“As we can see, the “Access-Control-Allow-Origin”
“Then I started to send a malformed Origin header and I realized that the server
The expert noticed that, in versions prior to the 2.10.3 and 2.9.3 releases, the StackStorm API returned the value null in the Access-Control-Allow-Origin header when the origin of the request was unknown.
“To simplify, the RFC defines that, in case the server got a malformed origin which cannot be serialized, the string “null” is set as the Origin header. Now we can understand what the root cause for all this is,
The Access-Control-Allow-Origin header allows
To exploit the flaw, an attacker only needs to trick a victim into clicking a maliciously crafted link; from there the attacker can read, update, and create actions and workflows, obtain internal IP addresses, and execute a command on every machine reachable by the StackStorm agent.
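The following is an added example, not code from the article or from the StackStorm project, that models the CORS decision the text describes. Browsers send the literal string null as the Origin header for documents whose origin cannot be serialized (a sandboxed iframe, a data: URL, a file:// page), so a server that answers unknown origins with Access-Control-Allow-Origin: null matches exactly the origin an attacker's page can present. The allowlist, the Access-Control-Allow-Credentials: true setting, and the function names are assumptions for illustration; the "vulnerable" function reproduces the reported behaviour, the "hardened" one omits the header for any origin not on the allowlist.

```javascript
// Added example (not StackStorm's code). Models the server's CORS header
// logic and the browser's cross-origin read decision for credentialed requests.

// Assumed allowlist of origins the API should trust.
const ALLOWED_ORIGINS = new Set(["https://st2.example.internal"]);

// Reported behaviour for StackStorm before 2.9.3 / 2.10.3: an unknown origin
// gets the literal string "null" in Access-Control-Allow-Origin.
// Assumption: credentials are allowed, so the victim's cookies ride along.
function vulnerableCorsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": ALLOWED_ORIGINS.has(origin) ? origin : "null",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened behaviour: echo only allowlisted origins; for anything else emit
// no ACAO header at all, so the browser refuses to expose the response.
function hardenedCorsHeaders(origin) {
  const headers = {};
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // keep caches from serving one origin's answer to another
  }
  return headers;
}

// Browser-side rule for a credentialed cross-origin request: the requesting
// document may read the response only if ACAO is exactly its serialized origin
// ("*" is rejected when credentials are included) and ACAC is "true".
function browserAllowsRead(documentOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined || acao === "*") return false;
  if (acac !== "true") return false;
  return acao === documentOrigin;
}

// A sandboxed iframe or data: URL controlled by the attacker has origin "null".
const ATTACKER_ORIGIN = "null";
const LEGIT_ORIGIN = "https://st2.example.internal";
const RANDOM_SITE = "https://evil.example"; // constructed, not on the allowlist

// Run the three requesting documents against a given server policy.
function simulate(serverHeadersFn) {
  return {
    legitCanRead: browserAllowsRead(LEGIT_ORIGIN, serverHeadersFn(LEGIT_ORIGIN)),
    attackerCanRead: browserAllowsRead(ATTACKER_ORIGIN, serverHeadersFn(ATTACKER_ORIGIN)),
    randomSiteCanRead: browserAllowsRead(RANDOM_SITE, serverHeadersFn(RANDOM_SITE)),
  };
}

console.log("vulnerable:", simulate(vulnerableCorsHeaders));
console.log("hardened:  ", simulate(hardenedCorsHeaders));
```

Note that an ordinary attacker site such as https://evil.example is still blocked by the vulnerable server, because its origin is not the string "null"; the bypass only works from a document whose origin serializes to null, which is exactly what a sandboxed iframe gives the attacker. The check to run against your own API is therefore not "does a random origin get reflected" but "what does the server return for Origin: null".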