A now-patched critical security flaw impacting Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by means of a supply chain attack technique called dependency confusion.
The vulnerability has been codenamed CloudImposer by Tenable Research.
“The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool,” security researcher Liv Matan said in a report shared with The Hacker News.
Dependency confusion (aka substitution attack), which was first documented by security researcher Alex Birsan in February 2021, refers to a type of software supply chain compromise in which a package manager is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository.
So, a threat actor could stage a large-scale supply chain attack by publishing a counterfeit package to a public package repository with the same name as a package internally developed by companies and with a higher version number.
This, in turn, causes the package manager to unknowingly download the malicious package from the public repository instead of the private repository, effectively replacing the existing package dependency with its rogue counterpart.
The problem identified by Tenable is similar in that it could be abused to upload a malicious package to the Python Package Index (PyPI) repository with the name “google-cloud-datacatalog-lineage-producer-client,” which could then be preinstalled on all Composer instances with elevated permissions.
While Cloud Composer requires that the package in question is version-pinned (i.e., version 0.1.0), Tenable found that using the “–extra-index-url” argument during a “pip install” command prioritizes fetching the package from the public registry, thereby opening the door to dependency confusion.
Armed with this privilege, attackers could execute code, exfiltrate service account credentials, and move laterally in the victim’s environment to other GCP services.
Following responsible disclosure on January 18, 2024, it was fixed by Google in May 2024 by ensuring that the package is only installed from a private repository. It has also added the extra precaution of verifying the package’s checksum in order to confirm its integrity and validate that it has not been tampered with.
The Python Packaging Authority (PyPA) is said to have been aware of the risks posed by the “–extra-index-url” argument since at least March 2018, urging users to skip using PyPI in cases where the internal package needs to be pulled.
“Packages are expected to be unique up to name and version, so two wheels with the same package name and version are treated as indistinguishable by pip,” a PyPA member noted at the time. “This is a deliberate feature of the package metadata, and not likely to change.”
Google, as part of its fix, now also recommends that developers use the “–index-url” argument instead of the “–extra-index-url” argument and that GCP customers make use of an Artifact Registry virtual repository when requiring multiple repositories.
“The ‘–index-url’ argument reduces the risk of dependency confusion attacks by only searching for packages in the registry that was defined as a given value for that argument,” Matan said.