Google Cloud Platform (GCP) had a major flaw that could have allowed hackers to remotely execute malicious code on millions of servers and underlying systems. The flaw was discovered by cybersecurity researchers at Tenable, who reported their findings to Google. The company has since addressed the issue and plugged the hole.
According to a press release shared with TechRadar Pro Earlier this week, Tenable researchers found what's known as a “dependency confusion” vulnerability and dubbed it CloudImposer.
The flaw could have allowed threat actors to execute code on “potentially millions of GCP servers and their customers’ systems,” they said. App Engine, Cloud Function, and Cloud Composer were the most affected by this vulnerability.
“Huge” blast radius
The flaw was found in GCP's Composer dependency installation process, allowing attackers to upload a malicious package to PyPI, which would then be pre-installed on all Composer instances, with elevated permissions.
As a result, malicious actors could execute code remotely, extract service account credentials, and move laterally to other GCP services.
Tenable said its researchers found the bug while conducting a deep analysis of documentation from both GCP and the Python Software Foundation. The vulnerability could have led to cloud supply chain attacks that, it said, can be “exponentially more damaging” compared to on-premises environments. Since a single malicious packet can quickly spread across multiple networks, millions of people could be exposed.
“CloudImposer’s reach is immense,” said Liv Matan, Senior Research Engineer at Tenable. “By discovering and disclosing this vulnerability, we closed an important door that attackers could have exploited on a large scale.”
Tenable also took the opportunity to criticize Google for its “shocking lack of awareness and preventative measures” against what it describes as an “attack technique that has been known for years.”
