Google patches GCP Composer vulnerability to prevent remote code execution

Sep 16, 2024

Ravie Lakshmanan

Cloud Security / Vulnerability

A critical security flaw in Google Cloud Platform (GCP) Composer has been patched. Had it been exploited, it could have led to remote code execution on Composer instances through a supply chain attack technique known as dependency confusion.

The vulnerability, codenamed CloudImposer by Tenable Research, affected Google Cloud Composer, Google's managed Apache Airflow service for pipeline orchestration, and could have put every Composer instance at risk.

According to security researcher Liv Matan, in a report shared with The Hacker News, the flaw could have been leveraged by attackers to hijack an internal software dependency that Google pre-installs on these Composer instances.

Dependency confusion, first documented by security researcher Alex Birsan in 2021, abuses the way package managers resolve names when they are configured to consult both an internal repository and a public one: an attacker publishes a package on the public repository under the same name as an internal package, typically with a higher version number, and the package manager fetches the attacker's copy instead of the intended internal one.

Because the counterfeit package is served to every build that resolves that name, a single upload to a public repository can seed a large-scale supply chain attack, as detailed in Tenable's write-up.

In the case reported by Tenable, an attacker who registered the name of Google's internal package on the Python Package Index (PyPI) could have had that malicious package pulled onto Composer instances, gaining code execution there and a foothold for lateral movement to other GCP services.

Google addressed the issue by ensuring that Composer instances install the package only from a private repository, and by verifying the package's integrity with a checksum so that a tampered copy is rejected.

Google now also recommends passing pip the "--index-url" argument rather than "--extra-index-url", and advises GCP customers who need packages from several repositories to front them with an Artifact Registry virtual repository. The distinction matters: "--extra-index-url" adds a repository alongside the default one (PyPI), so pip pools candidates from both and installs whichever carries the highest version number, whereas "--index-url" replaces the default, so only the named repository is ever consulted.
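To make the mechanism concrete, here is an added Python model of how pip picks a candidate when more than one index is configured, and how the two mitigations described above (a single "--index-url", and integrity verification) change the outcome. It is example code written for this page, not Tenable's or Google's: the package name "internal-orchestration-helper", the version numbers, the index contents and the wheel bytes are all constructed, and the resolve() function stands in for pip's real resolver.

```python
# Added illustration of dependency confusion and its two mitigations.
# Not Tenable's or Google's code: resolve() models pip's candidate
# selection in a few lines, and every package name, version, index and
# artifact below is constructed for the example.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # tuple of ints so that (99, 0, 0) > (1, 4, 0) compares correctly
    index: str       # which repository served it
    content: bytes   # the (constructed) wheel bytes


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def candidate(name, version, index, content):
    return Candidate(name, parse_version(version), index, content)


# Hypothetical private repository holding the real internal package.
PRIVATE_INDEX = {
    "internal-orchestration-helper": [
        candidate("internal-orchestration-helper", "1.4.0", "private", b"legitimate wheel"),
    ],
}

# Hypothetical public repository (think PyPI) where an attacker has
# registered the same name with an inflated version number.
PUBLIC_INDEX = {
    "internal-orchestration-helper": [
        candidate("internal-orchestration-helper", "99.0.0", "public", b"attacker wheel"),
    ],
    "requests": [
        candidate("requests", "2.32.3", "public", b"requests wheel"),
    ],
}


def resolve(name, index, extra_indexes=()):
    """Mimic pip's selection rule: every configured index is queried, the
    candidates are pooled, and the highest version wins no matter which
    index supplied it. `index` plays the role of --index-url and
    `extra_indexes` the role of --extra-index-url."""
    pool = []
    for repo in (index, *extra_indexes):
        pool.extend(repo.get(name, []))
    if not pool:
        raise LookupError(f"no candidate for {name}")
    return max(pool, key=lambda c: c.version)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def install_verified(name, index, expected_sha256, extra_indexes=()):
    """Resolve, then refuse to install unless the artifact matches the pinned
    hash (what pip's hash-checking mode, --require-hashes, enforces from a
    requirements file). Returns the candidate on success, raises on mismatch."""
    chosen = resolve(name, index, extra_indexes)
    actual = sha256_hex(chosen.content)
    if actual != expected_sha256:
        raise ValueError(
            f"hash mismatch for {name} served by {chosen.index} index: "
            f"expected {expected_sha256[:12]}..., got {actual[:12]}..."
        )
    return chosen


# Hash of the legitimate artifact, as it would be pinned in requirements.txt.
LEGIT_SHA256 = sha256_hex(b"legitimate wheel")


if __name__ == "__main__":
    pkg = "internal-orchestration-helper"

    # 1. Vulnerable layout: PyPI is the default index and the private repo is
    #    only an *extra* index. The attacker's 99.0.0 wins the comparison.
    hijacked = resolve(pkg, PUBLIC_INDEX, [PRIVATE_INDEX])
    print("extra-index-url:", hijacked.index, hijacked.version)   # public (99, 0, 0)

    # 2. Mitigation 1: make the private repo the *only* index (--index-url).
    safe = resolve(pkg, PRIVATE_INDEX)
    print("index-url only: ", safe.index, safe.version)           # private (1, 4, 0)

    # 3. Mitigation 2: a pinned hash catches the substitution even in layout 1.
    try:
        install_verified(pkg, PUBLIC_INDEX, LEGIT_SHA256, [PRIVATE_INDEX])
    except ValueError as err:
        print("hash check:", err)
    print("verified:", install_verified(pkg, PRIVATE_INDEX, LEGIT_SHA256).index)
```

Run it with a plain python3; no network access is needed. The first resolution shows why "--extra-index-url" is dangerous: as long as the public index is in the candidate pool, the attacker's inflated version wins. Dropping the public index entirely ("--index-url" pointing at the private repository, or at an Artifact Registry virtual repository that fronts several sources) removes the rogue candidate, and pinning the expected hash in requirements.txt (the "--hash=sha256:..." syntax) rejects a substituted artifact even if the index configuration is wrong.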

By implementing these fixes, Google aims to enhance the security of its cloud services and safeguard against potential threats arising from supply chain vulnerabilities.
