A now-fixed critical security flaw affecting Google Cloud Platform (GCP) Composer could be used to achieve remote code execution on cloud servers using a supply chain attack technique called dependency confusion.
The vulnerability was given a code name CloudImposer by Tenable Research.
“The vulnerability could allow an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline orchestration tool,” security researcher Liv Mattan said in a the report shared with The Hacker News.
The dependency confusion (aka substitution attack) that was documented for the first time by security researcher Alex Birson in February 2021, refers to a type of software supply chain hack in which a package manager is tricked into pulling a malicious package from public storage instead of the desired file of the same name from internal storage.
Thus, a threat actor can mount a large-scale attack on the supply chain publishing business a fake package to a public package repository with the same name as a company-developed package and a higher version number.
This in turn forces the package manager unknowingly download malicious package from the public repository instead of the private repository, effectively replacing the existing package dependency with its fake counterpart.
The problem identified by Tenable is similar in that it can be abused to upload a malicious package to the Python Package Index (PyPI) repository named “google-cloud-datacatalog-lineage-producer-client”, which can then be pre-installed on all instances of Composer with elevated permits.
While Cloud Composer requires that the package in question be pinned to a version (ie version 0.1.0), Tenable found that using the “–extra-index-url” argument during the “pip install” prioritizes getting the package from the public registry, thus opening the door to dependency confusion.
Armed with this privilege, attackers can execute code, steal service account credentials, and laterally navigate the victim’s environment to other GCP services.
After a responsible disclosure on January 18, 2024, this was fixed by Google in May 2024, ensuring that the package is only installed from a private repository. It also added the extra precaution of checking the packet’s checksum to confirm its integrity and ensure it hasn’t been tampered with.
The Python Packaging Authority (PyPA) is said to have been aware of the risks associated with the “–extra-index-url” argument since at least March 2018, urging users not to use PyPI in cases where an internal package must be pulled.
“Packages are expected to be unique by name and version, so two circles with the same package name and version are treated as indistinguishable by a clause” — PyPA Member noted at that time. “This is an intentional feature of the package metadata and is unlikely to change.”
Google, as part of its fix, now also recommends that developers use the “–index-url” argument instead of the “–extra-index-url” argument, and that GCP customers use the artifact registry virtual repository when multiple repositories are required.
“The ‘–index-url’ argument reduces the risk of dependency confusion attacks by only looking for packages in the registry that have been specified as the default value for this argument,” Matan said.
