Researchers discover RCE exploit in Google Cloud, millions of servers at risk
A major flaw existed in Google Cloud Platform (GCP) that allowed hackers to remotely execute malicious code on millions of servers and underlying systems. The flaw was discovered by cybersecurity researchers at Tenable, who reported their findings to Google. The company has since addressed the issue and closed the hole.
According to a press release shared with TechRadar Pro Earlier this week, researchers from Tenable discovered a so-called “dependency confusion” vulnerability, which they named CloudImposer.
The flaw would have allowed threat actors to execute code on “potentially millions of GCP servers and their customers’ systems,” they said. App Engine, Cloud Function and Cloud Composer were said to be the most affected by the vulnerability.
Explosion radius “immense”
The vulnerability was found in GCP’s Composer dependency installation process, which allowed attackers to upload a malicious package to PyPI. This package was then pre-installed on all Composer instances, with elevated permissions.
This allowed attackers to execute code remotely, steal service account credentials, and move laterally to other GCP services.
Tenable said its researchers discovered the bug during an in-depth review of documentation from both GCP and the Python Software Foundation. The vulnerability could have led to cloud supply chain attacks, which they said could be “exponentially more damaging” compared to on-prem environments. Because a single malicious package can quickly propagate across multiple networks, millions of people could be exposed.
“The explosion radius of CloudImposer is immense,” said Liv Matan, senior research engineer at Tenable. “By discovering and disclosing this vulnerability, we closed an important door that attackers could have exploited on a massive scale.”
Tenable also took the opportunity to criticize Google for its “surprising lack of awareness and preventative measures” against what it describes as an “attack technique that has been known for years.”