Researchers uncover RCE exploit in Google Cloud, millions of servers at risk

There was a major flaw in Google Cloud Platform (GCP) that could have allowed hackers to run malicious code remotely, on millions of servers and underlying systems. The flaw was discovered by cybersecurity researchers from Tenable, who reported their findings to Google. The company has since addressed the issue and plugged the hole.

According to a press release shared with TechRadar Pro earlier this week, Tenable’s researchers found what’s known as a ‘dependency confusion’ vulnerability, and they dubbed it CloudImposer.

The flaw could have allowed threat actors to execute code on “potentially millions of GCP servers and their customers’ systems,” they said. App Engine, Cloud Function, and Cloud Composer, were said to be most impacted by this vulnerability.

Blast radius “immense”

The flaw was found in GCP’s Composer dependency installation process, which allowed attackers to upload a malicious package to PyPI, which would then be preinstalled on all Composer instances – with high permissions.

As a result, malicious actors could execute code remotely, exfiltrate service account credentials, and move laterally to other GCP services.

Tenable said that its researchers found the bug while running in-depth analysis of documentation from both GCP and the Python Software Foundation. The vulnerability could have resulted in supply chain attacks in the cloud which, as they said, can be “exponentially more damaging” compared to on-prem environments. Since a single malicious package can quickly spread across multiple networks, millions of people could be exposed.

“The blast radius of CloudImposer is immense,” commented Liv Matan, senior research engineer at Tenable. “By discovering and disclosing this vulnerability, we’ve closed a major door that attackers could have exploited on a massive scale.”

Tenable also took the opportunity to slam Google for its “startling lack of awareness and preventive measures” against what it scribes as an “attack technique that’s been known for years”.

More from TechRadar Pro

https://cdn.mos.cms.futurecdn.net/6tqRVDq2EAcaFcNtDomiCe-1200-80.jpg

Source link

ICYMI: the week’s 8 biggest tech stories from the Oura Ring 4 to the Verzion network outage

3 things to look for on Amazon Prime Day, as well as how to get the best deals possible

Bambu Lab X1-Carbon 3D printer review

Shark PowerDetect Robot Vacuum and Mop review: a robot vacuum that detects dirt

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Researchers uncover RCE exploit in Google Cloud, millions of servers at risk

ICYMI: the week’s 8 biggest tech stories from the Oura Ring 4 to the Verzion network outage

3 things to look for on Amazon Prime Day, as well as how to get the best deals possible

Bambu Lab X1-Carbon 3D printer review

Shark PowerDetect Robot Vacuum and Mop review: a robot vacuum that detects dirt

Leave a reply Cancel reply