Protecting customer data in the cloud means detecting vulnerabilities that affect not just one customer, but multiple enterprises and industries. SADA’s Google Cloud security team recently discovered a new Google Cloud Platform bug that could have led to security breaches within a public cloud environment. Google Cloud successfully resolved the issue and prevented potential widespread breaches.
The vulnerability was present in a Google Cloud Platform API known as the Cloud Asset Inventory API. Every Google Cloud customer that had enabled this API and had principals granted the cloudasset.assets.searchAllResources permission on the affected Google Cloud environment was exposed to it.
SADA security experts disclosed this privilege escalation vulnerability through the Google Bug Hunters Program, a private and secure platform through which researchers ethically disclose vulnerabilities found in Google products. After reproducing the issue reported by the SADA team, Google Cloud moved quickly to patch the vulnerability.
The vulnerability concerned Service Account private keys, a persistent access mechanism within Google Cloud. Although Google Cloud has fixed the vulnerability, customers may have been affected before the fix, and because a key obtained before the fix remains valid until it is rotated, the resulting threat may have persisted after Google Cloud’s remediation.
We’ve assembled a quick FAQ below to address questions Google Cloud customers may have. We’ve also prepared a technical deep-dive blog post for engineers who want to understand the vulnerability and how SADA and Google Cloud addressed it in greater detail.
“Supporting our customers as they transform their organizations in the cloud means constant vigilance when it comes to security,” says SADA CTO Miles Ward. “No public cloud is immune from vulnerabilities, and we all must act fast, collaborate openly, and communicate transparently when we spot a vulnerability. We commend Google Cloud for how quickly and thoroughly they responded when we brought this bug to their attention. We’re proud of the work SADA’s engineers put into ensuring that our customers’ data remains safe.”
SADA’s security team is available to offer guidance to organizations of any size, in any industry. Contact us today to start ensuring that your cloud platform is up-to-date with the latest security practices and prepared to confront evolving threat profiles.
What can my organization do to ensure it hasn’t been affected by this vulnerability?
Out of an abundance of caution, we recommend that organizations search their audit logs for occurrences of the exploit technique and for abnormal Service Account behavior, and that they consider rotating their user-managed Service Account keys. Only Google Cloud environments that had Data Access audit logs enabled for ADMIN_READ activities on the Cloud Asset Inventory API will hold the log entries needed to search for instances of this particular exploitation attempt; Data Access audit logs are not enabled by default, so environments that turned them on only after the fix will have no record of earlier calls.
Note that Google Cloud’s Security Command Center Premium includes a number of built-in detectors for anomalous behavior and sensitive actions that may flag abnormal activity stemming from this vulnerability.
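The log search recommended above, as an added example that is not part of the original post or of SADA's tooling: a small hunt script over an export of Cloud Audit Log entries. It lists every Cloud Asset Inventory SearchAllResources call from the Data Access (ADMIN_READ) log, then flags any API call authenticated with a Service Account key from a caller IP outside that account's expected set, noting whether the call followed an asset search and whether it came from the same IP as one of the searches. The entries are constructed for the example; the field names follow the Cloud Audit Log LogEntry schema, but the exact methodName string, the project and principal names, and the per-account IP allow-list are assumptions you would replace with your own.

```python
"""Hunt exported Cloud Audit Log entries for Cloud Asset Inventory searches
and for Service Account keys used from unexpected networks (example code)."""
import json
from datetime import datetime, timedelta

ASSET_SERVICE = "cloudasset.googleapis.com"
# Assumed form of the audit-log method name for SearchAllResources.
SEARCH_METHOD = "google.cloud.asset.v1.AssetService.SearchAllResources"

# Constructed sample export (JSON Lines), not real audit logs.
SAMPLE_JSONL = """\
{"timestamp": "2023-03-01T10:00:00Z", "logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "cloudasset.googleapis.com", "methodName": "google.cloud.asset.v1.AssetService.SearchAllResources", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.10"}}}
{"timestamp": "2023-03-01T11:00:00Z", "logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "cloudasset.googleapis.com", "methodName": "google.cloud.asset.v1.AssetService.SearchAllResources", "authenticationInfo": {"principalEmail": "contractor@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7"}}}
{"timestamp": "2023-03-01T12:00:00Z", "logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.list", "authenticationInfo": {"principalEmail": "builder@demo.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/demo/serviceAccounts/builder@demo.iam.gserviceaccount.com/keys/abc123"}, "requestMetadata": {"callerIp": "10.0.0.5"}}}
{"timestamp": "2023-03-01T12:30:00Z", "logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.list", "authenticationInfo": {"principalEmail": "builder@demo.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/demo/serviceAccounts/builder@demo.iam.gserviceaccount.com/keys/abc123"}, "requestMetadata": {"callerIp": "198.51.100.7"}}}
{"timestamp": "2023-02-20T08:00:00Z", "logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "reports@demo.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/demo/serviceAccounts/reports@demo.iam.gserviceaccount.com/keys/xyz789"}, "requestMetadata": {"callerIp": "192.0.2.9"}}}
"""

# Hypothetical allow-list: the networks each key-bearing account is expected to call from.
EXPECTED_IPS = {
    "builder@demo.iam.gserviceaccount.com": {"10.0.0.5"},
    "reports@demo.iam.gserviceaccount.com": {"10.0.0.6"},
}


def load_entries(jsonl):
    """Parse a JSON Lines export into LogEntry dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _audit(entry):
    """Flatten the audit fields this hunt needs."""
    p = entry.get("protoPayload", {})
    auth = p.get("authenticationInfo", {})
    meta = p.get("requestMetadata", {})
    return {
        "time": datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
        "service": p.get("serviceName"),
        "method": p.get("methodName"),
        "principal": auth.get("principalEmail"),
        "key": auth.get("serviceAccountKeyName"),  # set when a SA key authenticated the call
        "ip": meta.get("callerIp"),
    }


def asset_searches(entries):
    """Every Cloud Asset Inventory SearchAllResources call in the export."""
    return [a for a in map(_audit, entries)
            if a["service"] == ASSET_SERVICE and a["method"] == SEARCH_METHOD]


def suspicious_key_usage(entries, expected_ips, window=timedelta(hours=24)):
    """Key-authenticated calls from unexpected IPs, correlated with preceding asset searches."""
    searches = asset_searches(entries)
    findings = []
    for a in map(_audit, entries):
        if not a["key"]:
            continue  # not authenticated with a Service Account key
        if a["ip"] in expected_ips.get(a["principal"], set()):
            continue  # usage from where this account normally runs
        recent = [s for s in searches if timedelta(0) <= a["time"] - s["time"] <= window]
        findings.append({
            "principal": a["principal"],
            "key": a["key"],
            "caller_ip": a["ip"],
            "call": f'{a["service"]}:{a["method"]}',
            "preceded_by_search": bool(recent),
            "search_ip_match": any(s["ip"] == a["ip"] for s in recent),
        })
    return findings


def keys_to_rotate(findings):
    """Distinct key resource names that appeared in a finding."""
    return sorted({f["key"] for f in findings})


if __name__ == "__main__":
    entries = load_entries(SAMPLE_JSONL)
    for s in asset_searches(entries):
        print("asset search:", s["principal"], s["ip"], s["time"].isoformat())
    for f in suspicious_key_usage(entries, EXPECTED_IPS):
        print("suspicious key use:", f)
    print("rotate:", keys_to_rotate(suspicious_key_usage(entries, EXPECTED_IPS)))
```

For real input, export the relevant entries with something like `gcloud logging read 'protoPayload.serviceName="cloudasset.googleapis.com"' --format=json` (a JSON array, which you would read with `json.load` rather than line by line). A hit where a key is used from the same IP as an earlier asset search by a different principal is the strongest signal here, but any unexpected use of a user-managed key is reason enough to rotate it.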
Was my Google Cloud environment vulnerable to Asset Key Thief?
Every Google Cloud customer that had enabled the Cloud Asset Inventory API and had principals granted the cloudasset.assets.searchAllResources permission on the affected Google Cloud environment was exposed to this vulnerability.
Does this mean Google Cloud is insecure?
No. All software has vulnerabilities, and Google Cloud is no exception. Google Cloud responded to the incident swiftly and transparently, highlighting their commitment to security for customers.
Can SADA help me search my organization’s environment?
Yes. SADA’s Cloud Security Confidence Assessment can help you ensure that your organization’s cloud architecture is secure and fortified against evolving cyberattacks. During the assessment, your dedicated SADA security team searches your audit logs for unexpected behavior, such as the activity that would result if Asset Key Thief had been exploited in your Google Cloud organization.