[ad_1]
Hunters researchers famous the vulnerability may result in privilege escalation. Google stated the report “doesn’t establish an underlying safety situation in our merchandise.”
Cybersecurity researchers from the agency Hunters found a vulnerability in Google Workspace that might permit undesirable entry to Workspace APIs. The flaw is important in that it may let attackers use privilege escalation to realize entry that may in any other case solely be obtainable to customers with Tremendous Admin entry. Hunters named this safety flaw DeleFriend.
Bounce to:
Vulnerability uncovered in Google’s domain-wide delegation
Based on the Hunters group, the vulnerability relies on Google Workspace’s position in managing person identities throughout Google Cloud companies. Area-wide delegation connects identification objects from both Google Workspace Market or a Google Cloud Platform Service Account to Workspace.
Area-wide delegation can be utilized by attackers in two major methods: to create a brand new delegation after having gained entry to a Tremendous Admin privilege on the goal Workspace setting by one other assault, or to “enumerate profitable combos of service account keys and OAuth scopes,” Hunters stated. This second manner is the novel methodology the researchers have found. Yonatan Khanashvilli, risk searching knowledgeable at Group Axon at Hunters, posted a way more detailed clarification of DeleFriend.
Response from Google
Hunters disclosed this flaw to Google in August 2023 and wrote, “Google is at the moment reviewing the problem with their Product group to evaluate potential actions primarily based on our suggestions.”
An nameless Google consultant advised The Hacker Information in November 2023, “This report doesn’t establish an underlying safety situation in our merchandise. As a finest observe, we encourage customers to ensure all accounts have the least quantity of privilege doable (see steering right here). Doing so is essential to combating a majority of these assaults.”
Why this Google Workspace vulnerability is especially harmful
Hunters stated this vulnerability is especially harmful as a result of it’s long-term (GCP Service account keys should not have expiry dates by default), straightforward to cover and onerous to detect. As soon as inside an account with Tremendous Admin privileges, attackers may probably view emails in Gmail, view somebody’s schedule in Google Calendar or exfiltrate information from Google Drive.
“The potential penalties of malicious actors misusing domain-wide delegation are extreme. As a substitute of affecting only a single identification, as with particular person OAuth consent, exploiting DWD with present delegation can impression each identification inside the Workspace area,” stated Khanashvili within the press launch.
SEE: Overworked IT execs in Australian small companies have a number of choices for coping with cyber safety. (TechRepublic)
Methods to detect and defend towards DeleFriend
Along with guaranteeing privileges are arrange correctly, as Google notes, IT admins may create every service account in a separate undertaking if doable, Hunters stated. Different suggestions from Hunters to guard towards DeleFriend exploitation are:
- Restrict OAuth scopes in delegations as a lot as doable, utilizing the precept of least privilege.
- Keep away from administrative scopes corresponding to https://www.googleapis.com/auth/admin.
- Focus detection engineering and risk searching practices on suspicious delegations and a number of non-public key creations over a brief period of time.
- Preserve safety posture and hygiene finest practices.
Hunters created a proof-of-concept device for working the DeleFriend exploitation methodology manually. The device works by enumerating GCP Tasks utilizing the Useful resource Supervisor API, iterating and enumerating on GCP Service account assets and undertaking assets, and investigating particular roles and permissions from there, together with extracting non-public key worth from a privateKeyData attribute key (Determine A). The top result’s a JWT object, which will be exchanged with a short lived entry token to permit entry to Google APIs. Konanshvili’s weblog put up comprises extra element.
Determine A
The device is meant for researchers with the intention to detect misconfigurations, and “improve consciousness round OAuth delegation assaults in GCP and Google Workspace and to enhance the safety posture of organizations that use the Area-Extensive-Delegation characteristic,” Hunters wrote.
Be aware: TechRepublic reached out to Google for extra info.
[ad_2]