Advisory

Google patches remote code execution (RCE) flaw in its Cloud Composer

Take action: Every pip install that pulls from more than one index is a chance to install an attacker's package in place of your own. Enforce control over package sources: serve internal packages from a private repository, configure package managers so that a single trusted index (or a proxy that mirrors vetted public packages) is the only source, avoid risky options such as --extra-index-url (pip gives a private index no precedence over PyPI when both are configured), pin exact versions and verify artifact hashes, and monitor continuously for unauthorized dependency changes and for public packages that reuse your internal package names.
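An offline check for the settings named above, added here as an example (it is not code from the advisory, from Google or from Tenable): it audits a pip.conf and a requirements file for --extra-index-url, unpinned requirements and missing --hash entries, with a risky and a hardened version of each file constructed inline. The repository URLs and the sha256 digests are placeholders.

```python
"""Offline audit of pip configuration and requirements files for the settings
that enable dependency confusion.  Added example for this advisory; the four
sample files below are constructed, and the URLs and digests are placeholders."""
import re
from typing import List, Tuple

RISKY_PIP_CONF = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://us-python.pkg.dev/example-project/internal/simple/
"""

HARDENED_PIP_CONF = """\
[global]
# One private proxy (assumed Artifact Registry virtual repo) that serves the
# internal packages and mirrors only the public packages it has vetted.
index-url = https://us-python.pkg.dev/example-project/proxy/simple/
"""

RISKY_REQUIREMENTS = """\
--extra-index-url https://us-python.pkg.dev/example-project/internal/simple/
requests
internal-lineage-client>=1.0
"""

HARDENED_REQUIREMENTS = """\
--require-hashes
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
internal-lineage-client==1.2.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
"""

Finding = Tuple[str, str]   # (offending entry, reason)


def audit_pip_conf(text: str) -> List[Finding]:
    """Flag extra-index-url in a pip.conf / pip.ini.  pip gives the primary
    index no precedence over extra indexes, so this single key is what turns
    a same-named public package into a valid, higher-versioned candidate."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key = line.split("=", 1)[0].strip().lower().replace("_", "-")
        if key == "extra-index-url":
            findings.append((line, "extra-index-url merges public and private listings with no precedence"))
    return findings


def logical_lines(text: str) -> List[str]:
    """Join pip's backslash continuations and drop comments, as pip does."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out


def audit_requirements(text: str) -> List[Finding]:
    """Flag --extra-index-url, requirements without an exact pin, and
    requirements without a --hash (hash-checking mode is what binds a pinned
    version to one specific artifact, whichever index served it)."""
    findings: List[Finding] = []
    for entry in logical_lines(text):
        if entry.startswith("--extra-index-url"):
            findings.append((entry, "extra-index-url: public listings compete on version"))
            continue
        if entry.startswith("-"):   # -r, --index-url, --require-hashes, -e ...
            continue
        name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", entry)
        if not name:                # URL or path requirement; review by hand
            findings.append((entry, "unparsed requirement"))
            continue
        pkg = name.group(0)
        if "==" not in entry:
            findings.append((pkg, "not pinned to an exact version"))
        if "--hash=" not in entry:
            findings.append((pkg, "no --hash: artifact identity is not verified"))
    return findings


if __name__ == "__main__":
    for label, conf, reqs in (("risky", RISKY_PIP_CONF, RISKY_REQUIREMENTS),
                              ("hardened", HARDENED_PIP_CONF, HARDENED_REQUIREMENTS)):
        print(label, audit_pip_conf(conf) + audit_requirements(reqs))
```

Run the same two functions over real files in CI (and check the PIP_EXTRA_INDEX_URL environment variable, which pip honours in addition to the config file) so that a later edit reintroducing --extra-index-url or an unpinned requirement fails the build.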


Learn More

Google has patched a critical remote code execution (RCE) vulnerability in its Cloud Composer service, known as "CloudImposer."

This vulnerability could have allowed attackers to run malicious code on millions of servers, potentially compromising both Google's own infrastructure and its customers' servers on the Google Cloud Platform (GCP).

The flaw, discovered by Tenable researchers in early August, stemmed from the way specific software packages were installed within Google's infrastructure. Attackers could have exploited it to execute arbitrary code on both Google's servers and those of its customers. Key GCP services at risk included:

  • Google App Engine
  • Google Cloud Functions
  • Google Cloud Composer

The vulnerability was caused by installing a private package with pip's --extra-index-url option. pip queries every configured index, merges the listings with no precedence for the primary index, and installs the highest version that satisfies the requirement, so a same-named package on a public registry with a larger version number wins. This is dependency confusion: attackers upload a package to a public registry (such as PyPI) under the name of an internal package, tricking systems into downloading and installing the attacker's software instead of the intended package.
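The selection rule just described, modelled in Python as an added example (not code from the advisory, Google or Tenable): two constructed index listings, a resolver that merges them the way pip does with --extra-index-url, and two controls that defeat the attack, a single trusted index and pinned versions with hash checking. The index URLs, package name and digests are placeholders.

```python
"""Model of how pip chooses a candidate when --extra-index-url is in use, and
of two controls that defeat a same-named public package.  Added example for
this advisory; index contents are constructed and digests are placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str    # URL of the index that listed this artifact
    sha256: str   # placeholder digest of the artifact (constructed)


PRIVATE_INDEX = "https://us-python.pkg.dev/example-project/internal/simple/"  # assumed
PUBLIC_INDEX = "https://pypi.org/simple"
GOOD_HASH = "a" * 64     # stands in for the digest of the genuine 1.2.3 wheel
FORGED_HASH = "f" * 64   # digest of the attacker's artifact

# Constructed listings: the internal client is served only by the private
# index; an attacker has registered the same name on PyPI with a huge version.
INDEXES: Dict[str, List[Candidate]] = {
    PRIVATE_INDEX: [Candidate("internal-lineage-client", "1.2.3", PRIVATE_INDEX, GOOD_HASH)],
    PUBLIC_INDEX: [
        Candidate("internal-lineage-client", "99.0.0", PUBLIC_INDEX, FORGED_HASH),
        Candidate("requests", "2.32.3", PUBLIC_INDEX, "c" * 64),
    ],
}

# The same attacker one step further: the forgery is also published at exactly
# the version the victim pins, so a bare version pin no longer helps.
INDEXES_FORGED_PIN: Dict[str, List[Candidate]] = {
    PRIVATE_INDEX: INDEXES[PRIVATE_INDEX],
    PUBLIC_INDEX: INDEXES[PUBLIC_INDEX]
    + [Candidate("internal-lineage-client", "1.2.3", PUBLIC_INDEX, FORGED_HASH)],
}


def version_key(v: str):
    return tuple(int(p) for p in v.split("."))


def resolve_like_pip(name: str, indexes: Dict[str, List[Candidate]],
                     pinned: Optional[str] = None) -> Candidate:
    """pip with --index-url plus --extra-index-url: every index is queried, the
    listings are merged with no preference for the primary index, and the
    highest version that satisfies the requirement wins."""
    pool = [c for listing in indexes.values() for c in listing if c.name == name]
    if pinned is not None:
        pool = [c for c in pool if c.version == pinned]
    if not pool:
        raise LookupError(f"no candidate for {name}")
    return max(pool, key=lambda c: version_key(c.version))


def resolve_single_index(name: str, indexes: Dict[str, List[Candidate]],
                         trusted_index: str) -> Candidate:
    """Control 1: --index-url pointing at one trusted index (or proxy) and no
    --extra-index-url, so public listings are never consulted."""
    pool = [c for c in indexes.get(trusted_index, []) if c.name == name]
    if not pool:
        raise LookupError(f"{name} is not served by {trusted_index}")
    return max(pool, key=lambda c: version_key(c.version))


def resolve_pinned_and_hashed(name: str, pinned: str, expected_sha256: str,
                              indexes: Dict[str, List[Candidate]]) -> Candidate:
    """Control 2: hash-checking mode (requirements with ==version and --hash).
    Any index may be consulted, but only an artifact whose digest matches is
    installed.  Real pip downloads one candidate and aborts on a mismatch
    rather than trying the other listing; either way the forgery never lands."""
    pool = [c for listing in indexes.values() for c in listing
            if c.name == name and c.version == pinned]
    if not pool:
        raise LookupError(f"{name}=={pinned} not found")
    for c in pool:
        if c.sha256 == expected_sha256:
            return c
    raise ValueError(f"hash mismatch for {name}=={pinned}: refusing to install")


if __name__ == "__main__":
    print("merged indexes:", resolve_like_pip("internal-lineage-client", INDEXES))
    print("single index:  ", resolve_single_index("internal-lineage-client", INDEXES, PRIVATE_INDEX))
    print("pin + hash:    ", resolve_pinned_and_hashed("internal-lineage-client", "1.2.3",
                                                        GOOD_HASH, INDEXES_FORGED_PIN))
```

The merged resolver returns the attacker's 99.0.0 from PyPI; pinning 1.2.3 alone helps only until the attacker publishes that version too, which is why the hash check, not the pin, is the control that holds.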

An attacker exploiting the CloudImposer flaw could have uploaded a malicious package to the public PyPI repository, thereby gaining the ability to run arbitrary code on potentially millions of GCP servers. This flaw could have led to a "Jenga Tower effect" where the compromise of one cloud service could cascade through interconnected platforms, further increasing the attack's impact.

Google has updated its package installation process to prevent dependency confusion attacks. However, the large-scale nature of this flaw highlights the challenges of securing cloud environments.

Developers are strongly encouraged to examine their package installation workflows and avoid using --extra-index-url, so that they do not inadvertently expose systems to dependency confusion attacks; where a second index cannot be avoided, pin exact versions and verify package hashes so that a same-named public package cannot be installed.
