
Google Fixes GCP Composer Flaw That Could've Led to Remote Code Execution

A now-patched major security flaw in Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by way of a supply chain attack technique known as dependency confusion.

The vulnerability has been dubbed CloudImposer by Tenable Research.

"The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool," security researcher Liv Matan said in a report shared with The Hacker News.

Dependency confusion (aka substitution attack), which was first documented by security researcher Alex Birsan in February 2021, refers to a type of software supply chain compromise in which a package manager is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository.

A threat actor can therefore mount a large-scale supply chain attack by uploading a counterfeit package to a public package repository under the same name as a package an organization builds internally, and with a higher version number.

This causes the package manager to unwittingly download the malicious package from the public repository instead of the private one, replacing the existing dependency with its rogue equivalent.

The bug found by Tenable is similar in that it could have been abused to upload a malicious package to the Python Package Index (PyPI) repository under the name "google-cloud-datacatalog-lineage-producer-client," which would then be preinstalled on all Composer instances with elevated privileges.

While Cloud Composer requires that the package in question be version-pinned (i.e., version 0.1.0), Tenable found that passing the "--extra-index-url" option to a "pip install" command prioritizes fetching the package from the public registry, thereby opening the door to dependency confusion.

Armed with this access, attackers might execute code, exfiltrate service account credentials, and move laterally in the victim's environment to other GCP services.

Following responsible disclosure on January 18, 2024, Google resolved the issue in May 2024 by ensuring that the package is installed only from a private repository. It has also taken the additional precaution of verifying the package's checksum to confirm its integrity and that it has not been tampered with.

The Python Packaging Authority (PyPA) is believed to have been aware of the risks posed by the "--extra-index-url" option since at least March 2018, recommending that users avoid using PyPI in circumstances where the internal package has to be pulled.

"Packages are expected to be unique up to name and version, so two wheels with the same package name and version are treated as indistinguishable by pip," a PyPA member stated at the time. "This is a deliberate feature of the package metadata, and not likely to change."

Google, as part of its patch, now also recommends that developers use the "--index-url" option instead of the "--extra-index-url" argument, and that GCP users make use of an Artifact Registry virtual repository when multiple repositories are required.

"The '--index-url' argument reduces the risk of dependency confusion attacks by only searching for packages in the registry that was defined as a given value for that argument," Matan explained.
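To make the difference between the two pip options concrete, here is an added Python model (not Tenable's code and not pip's real resolver) of the resolution rule the article describes: name plus version is the whole package identity, so a pinned version alone cannot tell the internal wheel from a rogue public one, while a pinned hash can. The wheel bytes are constructed samples, and the assumption that the public index is consulted first follows the article's description of "--extra-index-url".

```python
import hashlib
from dataclasses import dataclass

PKG = "google-cloud-datacatalog-lineage-producer-client"
PIN = "0.1.0"

@dataclass(frozen=True)
class Dist:
    name: str
    version: str
    index: str      # "private" or "pypi": which index served the file
    content: bytes  # stand-in for the wheel's bytes (constructed sample)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the legitimate internal wheel and a rogue public one that
# copies its name and pinned version, so only the bytes (and hash) differ.
INTERNAL = Dist(PKG, PIN, "private", b"legit internal wheel")
ROGUE = Dist(PKG, PIN, "pypi", b"attacker-controlled wheel")
PRIVATE_INDEX = [INTERNAL]
PUBLIC_INDEX = [ROGUE]

def resolve(indexes, name, version, hashes=None):
    """Model of the pip behaviour the article describes: name plus version is
    the whole identity, so the first matching file wins. `hashes` models a
    requirements-file --hash pin, which the file must additionally match."""
    for index in indexes:
        for d in index:
            if (d.name, d.version) != (name, version):
                continue
            if hashes is not None and sha256(d.content) not in hashes:
                continue
            return d
    raise LookupError(f"no acceptable distribution for {name}=={version}")

def with_extra_index_url():
    # --extra-index-url: both indexes are consulted. The article reports the
    # public copy being preferred, so the public index is listed first here.
    return resolve([PUBLIC_INDEX, PRIVATE_INDEX], PKG, PIN)

def with_index_url_only():
    # --index-url pointing at the private repository: PyPI is never consulted.
    return resolve([PRIVATE_INDEX], PKG, PIN)

def with_hash_pin():
    # Checksum verification (Google's added control): even with both indexes
    # consulted, only the file whose hash matches the known-good pin is taken.
    return resolve([PUBLIC_INDEX, PRIVATE_INDEX], PKG, PIN,
                   hashes={sha256(INTERNAL.content)})
```

Calling the three functions shows the rogue wheel winning only in the "--extra-index-url" case; both the private-only index and the hash pin return the internal wheel.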
