Google Fixes GCP Composer Flaw That Could’ve Led to Remote Code Execution

September 16, 2024 at 09:27AM

A critical security flaw in Google Cloud Platform Composer, now patched, could have allowed remote code execution via a supply chain attack called dependency confusion. This could have led to a large-scale supply chain attack by tricking the package manager into downloading a malicious package. The issue was fixed by Google in May 2024.

The article from Ravie Lakshmanan on Sep 16, 2024, discusses a critical security flaw in Google Cloud Platform (GCP) Composer, which has now been patched. The flaw could have been exploited to achieve remote code execution through a technique known as dependency confusion. This vulnerability, named CloudImposer by Tenable Research, could have allowed an attacker to hijack an internal software dependency that is pre-installed on each Google Cloud Composer pipeline-orchestration tool.

Furthermore, the vulnerability could enable a threat actor to stage a large-scale supply chain attack by publishing a counterfeit package to a public package repository with the same name as a package internally developed by companies and with a higher version number, causing the package manager to unwittingly download the malicious package from the public repository instead of the private repository.

Tenable found that using the “--extra-index-url” argument during a “pip install” command prioritizes fetching the package from the public registry, thereby opening the door to dependency confusion. As a result, attackers could execute code, exfiltrate service account credentials, and move laterally in the victim’s environment to other GCP services.

The vulnerability was fixed by Google in May 2024 by ensuring that the package is only installed from a private repository. Google also recommends that developers use the “--index-url” argument instead of the “--extra-index-url” argument and that GCP customers make use of an Artifact Registry virtual repository when requiring multiple repositories.
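
To act on that recommendation, a team first needs to find every place the extra index is configured. The script below is an added example, not code from the article, Tenable or Google: it flags "--extra-index-url" in requirements files, Dockerfiles and scripts, its environment-variable form PIP_EXTRA_INDEX_URL, and the "extra-index-url" key in pip.conf. The file contents, the host private.example.internal and the package internal-lib are constructed samples.

```python
import configparser
import re

# The option, its "=" form, and pip's environment-variable equivalent.
PATTERN = re.compile(r"(?:--extra-index-url|PIP_EXTRA_INDEX_URL)[=\s]+([^\s\\]+)")

# Constructed sample inputs (host and package names are placeholders).
REQUIREMENTS = """\
# build requirements
--index-url https://private.example.internal/simple
--extra-index-url https://pypi.org/simple
internal-lib==1.4.2
"""
DOCKERFILE = """\
FROM python:3.12-slim
RUN pip install --extra-index-url=https://pypi.org/simple internal-lib
RUN pip install --index-url https://private.example.internal/simple internal-lib
"""
PIP_CONF = """\
[global]
index-url = https://private.example.internal/simple
extra-index-url =
    https://pypi.org/simple
"""

def scan_lines(source, text):
    """Requirements files, Dockerfiles, CI scripts: one finding per use."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        for url in PATTERN.findall(line):
            findings.append((source, lineno, url.strip("'\"")))
    return findings

def scan_pip_conf(source, text):
    """pip.conf / pip.ini: the key may hold several URLs, one per line."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        value = parser.get(section, "extra-index-url", fallback="")
        findings += [(source, f"[{section}]", url) for url in value.split()]
    return findings

if __name__ == "__main__":
    for hit in (scan_lines("requirements.txt", REQUIREMENTS)
                + scan_lines("Dockerfile", DOCKERFILE)
                + scan_pip_conf("pip.conf", PIP_CONF)):
        print("extra index configured: %s %s -> %s" % hit)
```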

This is a significant development for GCP users and underscores the importance of carefully managing package dependencies and repository usage to mitigate the risk of supply chain attacks and related vulnerabilities.
