CVE-2021-32090

9.8 CRITICAL

📋 TL;DR

CVE-2021-32090 is a critical command injection vulnerability in LocalStack's dashboard component that allows attackers to execute arbitrary shell commands via the functionName parameter. This affects LocalStack 0.12.6 installations, potentially giving attackers complete control over affected systems. Organizations using LocalStack for local AWS service emulation are at risk.
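To make the TL;DR concrete, the following Python example (added here; it is not LocalStack's code and does not reproduce the dashboard's actual implementation) contrasts the weak pattern behind this class of bug with a hardened version: interpolating a caller-controlled functionName into a shell command string, versus allow-listing the value and passing it as a separate argv element with no shell involved. The use of `aws lambda get-function`, the sample input and the presence of an `aws` binary on PATH are assumptions for illustration.

```python
import re
import subprocess

# Illustrative weak-vs-hardened pattern for a shell command built from a
# caller-controlled functionName. This is constructed example code, not
# LocalStack's own implementation.

# Allow-list for the bare (non-ARN) Lambda function name form: letters,
# digits, hyphen and underscore, 1-64 characters.
FUNCTION_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_function_name(function_name: str) -> bool:
    """True only if the whole value matches the allow-list."""
    return FUNCTION_NAME_RE.fullmatch(function_name) is not None


def build_command_unsafe(function_name: str) -> str:
    """Weak pattern: the untrusted value is interpolated into one string that
    a shell will parse, so ';', '|', '&&', '`' and '$(...)' become syntax."""
    return f"aws lambda get-function --function-name {function_name}"


def build_command_hardened(function_name: str) -> list:
    """Hardened pattern: reject anything outside the allow-list, then return an
    argv list so the value is delivered as a single argument and no shell runs."""
    if not is_valid_function_name(function_name):
        raise ValueError(f"rejected functionName: {function_name!r}")
    return ["aws", "lambda", "get-function", "--function-name", function_name]


def run_hardened(function_name: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (a list argument to
    subprocess.run is never passed through /bin/sh). Requires an 'aws'
    binary on PATH, which is an assumption of this example."""
    return subprocess.run(
        build_command_hardened(function_name),
        capture_output=True,
        text=True,
        check=False,
    )


if __name__ == "__main__":
    # Constructed sample input carrying a shell separator.
    tainted = "hello-world; echo injected"
    print("unsafe string:", build_command_unsafe(tainted))
    try:
        build_command_hardened(tainted)
    except ValueError as exc:
        print("hardened     :", exc)
    print("hardened argv:", build_command_hardened("hello-world"))
```

The allow-list check is the important half: passing an argv list removes the shell, but an unvalidated value could still be interpreted by the downstream program (for example as an option if it starts with `-`), so validation and shell-free execution belong together.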

💻 Affected Systems

Products:
  • LocalStack
Versions: 0.12.6
Operating Systems: All platforms running LocalStack
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the dashboard component which is typically accessible via web interface. Any LocalStack installation with dashboard enabled is vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution, data exfiltration, lateral movement, and complete control over the LocalStack environment and underlying host.

🟠 Likely Case

Unauthorized command execution leading to data theft, service disruption, or deployment of malware/backdoors in the LocalStack environment.

🟢 If Mitigated

Limited impact due to network segmentation, proper access controls, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH - If LocalStack dashboard is exposed to the internet, attackers can easily exploit this vulnerability remotely.
🏢 Internal Only: HIGH - Even internally, any user with network access to the dashboard can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - attackers can send crafted requests to the functionName parameter to execute arbitrary commands. Multiple security researchers have demonstrated working exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.7 and later

Vendor Advisory: https://github.com/localstack/localstack/releases/tag/v0.12.7

Restart Required: Yes

Instructions:

1. Stop the LocalStack service.
2. Update LocalStack to version 0.12.7 or later using pip: 'pip install --upgrade localstack'.
3. Restart the LocalStack service.

🔧 Temporary Workarounds

Disable Dashboard Component

Platform: all

Disable the vulnerable dashboard component to prevent exploitation. The SERVICES variable selects which emulated AWS services are started and does not control the dashboard; the START_WEB flag does.

# START_WEB=0 prevents the web dashboard from being started
export START_WEB=0
localstack start

Network Access Restriction

Platform: linux

Restrict network access to the LocalStack dashboard port (typically 8080). Note that when LocalStack runs in Docker with a published port, traffic reaches the container through the FORWARD path (the DOCKER-USER chain) rather than INPUT, so equivalent rules must be placed in DOCKER-USER instead.

# Allow the trusted address first, then drop everything else on the dashboard port
# (order matters: the ACCEPT rule must precede the DROP rule)
iptables -A INPUT -p tcp --dport 8080 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Immediately restrict network access to LocalStack dashboard to trusted IPs only
  • Disable the dashboard component entirely and use LocalStack without it

🔍 How to Verify

Check if Vulnerable:

Check the LocalStack version with 'localstack --version' or by examining the installed package version. If the version is 0.12.6, the system is vulnerable.

Check Version:

localstack --version

Verify Fix Applied:

Verify the version is 0.12.7 or later with 'localstack --version', then test the dashboard to confirm it functions normally and is no longer subject to command injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands in LocalStack logs
  • Suspicious functionName parameter values containing shell metacharacters
  • Unexpected process execution from LocalStack context

Network Indicators:

  • HTTP requests to dashboard endpoint with shell commands in parameters
  • Outbound connections from LocalStack to unexpected destinations

SIEM Query:

source="localstack.log" AND ("functionName" AND ("|" OR ";" OR "$" OR "`" OR "&&"))
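The SIEM query above matches raw metacharacters only; a request that percent-encodes them (for example %3B for ';') slips past it. The following Python script, added here as an example and not part of this advisory or of LocalStack, scans constructed sample log lines for functionName values in either the query string or a JSON body, URL-decodes them first, and flags anything outside the bare function-name character set. The log line format, the source addresses and the request paths are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real LocalStack output). The request-line
# format, addresses and paths are assumptions made for this example.
SAMPLE_LOG = """\
2021-05-06T10:00:01Z 10.0.0.5 GET /lambda?functionName=order-processor 200
2021-05-06T10:00:02Z 10.0.0.9 GET /lambda?functionName=order-processor;ls 200
2021-05-06T10:00:03Z 10.0.0.9 GET /lambda?functionName=order-processor%3Bcurl%20http%3A%2F%2Fexample.invalid 200
2021-05-06T10:00:04Z 10.0.0.9 POST /lambda {"functionName": "x`whoami`"} 200
2021-05-06T10:00:05Z 10.0.0.5 GET /health 200
"""

# Bare Lambda function names: letters, digits, hyphen, underscore only.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Characters a POSIX shell treats as syntax; reported for triage only, since
# anything outside NAME_RE is already flagged.
SHELL_METACHARS = set(";|&`$<>(){}'\"\\\n")
QUERY_RE = re.compile(r"[?&]functionName=([^ &]*)")
JSON_RE = re.compile(r'"functionName"\s*:\s*"([^"]*)"')


def extract_function_names(line: str) -> list:
    """Return every functionName value found in a log line, URL-decoded,
    from both the query-string and the JSON-body form."""
    values = [unquote_plus(v) for v in QUERY_RE.findall(line)]
    values += JSON_RE.findall(line)
    return values


def is_suspicious(value: str) -> bool:
    """Flag any decoded value that is not a plain function name."""
    return NAME_RE.fullmatch(value) is None


def scan_log(text: str) -> list:
    """Return one finding per suspicious functionName, including the shell
    metacharacters seen so an analyst can triage quickly."""
    findings = []
    for line in text.splitlines():
        for value in extract_function_names(line):
            if is_suspicious(value):
                findings.append({
                    "line": line,
                    "decoded": value,
                    "metachars": sorted(c for c in set(value) if c in SHELL_METACHARS),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["metachars"], finding["decoded"])
```

Decoding before matching is what catches the third line; rejecting anything outside the allow-list rather than searching for a fixed list of metacharacters is what keeps the rule from being bypassed by encodings or characters the list forgot.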

