Hunters researchers noted the vulnerability could result in privilege escalation. Google stated the report "doesn't identify an underlying security issue in our products."
Cybersecurity researchers from the firm Hunters discovered a vulnerability in Google Workspace that could allow unwanted access to Workspace APIs. The flaw is significant in that it could let attackers use privilege escalation to gain access that would otherwise only be available to users with Super Admin access. Hunters named this security flaw DeleFriend.
Vulnerability discovered in Google's domain-wide delegation
According to the Hunters team, the vulnerability is based on Google Workspace's role in managing user identities across Google Cloud services. Domain-wide delegation connects identity objects from either the Google Workspace Marketplace or a Google Cloud Platform service account to Workspace, allowing that identity to call Workspace APIs on behalf of any user in the domain for the OAuth scopes an administrator has authorized.
Domain-wide delegation can be used by attackers in two main ways: to create a new delegation after having gained Super Admin privilege on the target Workspace environment through another attack, or to "enumerate successful combinations of service account keys and OAuth scopes," Hunters said. This second approach is the novel technique the researchers discovered: rather than Super Admin, it requires only a GCP identity permitted to create keys for a service account that already holds a delegation, after which the attacker tries combinations of keys and OAuth scopes until one is accepted. Yonatan Khanashvili, threat hunting expert at Team Axon at Hunters, posted a much more detailed explanation of DeleFriend.
Response from Google
Hunters disclosed this flaw to Google in August 2023 and wrote, "Google is currently reviewing the issue with their Product team to assess potential actions based on our recommendations."
An anonymous Google representative told The Hacker News in November 2023, "This report doesn't identify an underlying security issue in our products. As a best practice, we encourage users to make sure all accounts have the least amount of privilege possible (see guidance here). Doing so is key to combating these types of attacks."
Why this Google Workspace vulnerability is particularly dangerous
Hunters said this vulnerability is particularly dangerous because it is long-term (GCP service account keys do not have expiry dates by default), easy to hide and hard to detect. Once attackers can act with Super Admin-level access through a delegation, they could potentially view emails in Gmail, view someone's schedule in Google Calendar or exfiltrate data from Google Drive.
"The potential consequences of malicious actors misusing domain-wide delegation are severe. Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain," said Khanashvili in the press release.
How to detect and defend against DeleFriend
In addition to ensuring privileges are set up correctly, as Google notes, IT admins could create each service account in a separate project if possible, Hunters said. Other recommendations from Hunters to protect against DeleFriend exploitation are:
- Limit OAuth scopes in delegations as much as possible, using the principle of least privilege.
- Avoid administrative scopes such as https://www.googleapis.com/auth/admin.
- Focus detection engineering and threat hunting practices on suspicious delegations and multiple private key creations over a short period of time.
- Maintain security posture and hygiene best practices.
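The two hunting signals in the recommendations above (a burst of service account key creations, and a delegation that grants administrative scopes) can be expressed as simple detection logic. The following is an added example written for this article, not Hunters' tooling or Google's code. It assumes simplified log shapes: GCP Cloud Audit Log entries exported as JSON with `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail` and `protoPayload.resourceName`, and Workspace Admin log events with an `AUTHORIZE_API_CLIENT_ACCESS` event name carrying `API_CLIENT_NAME` and `API_SCOPES` parameters. The field names and the sample log lines are constructed for illustration; adapt them to the shape of your own export.

```python
"""Hunt for DeleFriend-style activity over constructed audit-log samples.

Added example, not Hunters' or Google's code. Log field names below are
assumptions modelled on GCP Cloud Audit Logs and Workspace Admin log events;
check them against your own export before deploying.
"""
from collections import defaultdict, deque
from datetime import datetime

KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"
DWD_EVENT = "AUTHORIZE_API_CLIENT_ACCESS"
ADMIN_SCOPE_PREFIX = "https://www.googleapis.com/auth/admin"


def _ts(value):
    """Parse an RFC 3339 timestamp such as 2023-11-28T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_creation_bursts(entries, threshold=3, window_seconds=300):
    """Flag principals that create >= threshold service account keys within
    a sliding window. Keys minted across several service accounts in quick
    succession is the enumeration pattern, so distinct targets are reported."""
    per_principal = defaultdict(list)
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != KEY_CREATE_METHOD:
            continue
        principal = payload["authenticationInfo"]["principalEmail"]
        per_principal[principal].append((_ts(entry["timestamp"]), payload["resourceName"]))

    alerts = []
    for principal, events in per_principal.items():
        events.sort()
        window, best = deque(), []
        for ts, resource in events:
            window.append((ts, resource))
            # Drop events that fell out of the window relative to the newest one.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) > len(best):
                best = list(window)
        if len(best) >= threshold:
            alerts.append({
                "principal": principal,
                "count": len(best),
                "service_accounts": sorted({r for _, r in best}),
                "first": best[0][0].isoformat(),
                "last": best[-1][0].isoformat(),
            })
    return alerts


def risky_delegations(events):
    """Flag domain-wide delegation grants whose scopes include admin scopes."""
    hits = []
    for event in events:
        if event.get("name") != DWD_EVENT:
            continue
        params = {p["name"]: p.get("multiValue", p.get("value"))
                  for p in event.get("parameters", [])}
        scopes = params.get("API_SCOPES", [])
        if isinstance(scopes, str):
            scopes = scopes.split()
        admin = [s for s in scopes if s.startswith(ADMIN_SCOPE_PREFIX)]
        if admin:
            hits.append({"client_id": params.get("API_CLIENT_NAME"),
                         "actor": event.get("actor"),
                         "admin_scopes": admin})
    return hits


def _key_event(ts, who, sa):
    """Build one constructed CreateServiceAccountKey audit entry."""
    return {"timestamp": ts, "protoPayload": {
        "methodName": KEY_CREATE_METHOD,
        "authenticationInfo": {"principalEmail": who},
        "resourceName": f"projects/-/serviceAccounts/{sa}"}}


# Constructed sample data (not real logs): one routine key creation by an admin,
# then four keys minted across three service accounts in under two minutes.
SAMPLE_GCP_LOG = [
    _key_event("2023-11-28T09:00:00Z", "admin@example.com", "ci@p1.iam.gserviceaccount.com"),
    _key_event("2023-11-28T10:00:00Z", "dev@example.com", "sa-a@p1.iam.gserviceaccount.com"),
    _key_event("2023-11-28T10:00:30Z", "dev@example.com", "sa-b@p1.iam.gserviceaccount.com"),
    _key_event("2023-11-28T10:01:10Z", "dev@example.com", "sa-c@p2.iam.gserviceaccount.com"),
    _key_event("2023-11-28T10:01:45Z", "dev@example.com", "sa-a@p1.iam.gserviceaccount.com"),
    {"timestamp": "2023-11-28T10:02:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.ListServiceAccounts",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "resourceName": "projects/p1"}},
]

SAMPLE_ADMIN_LOG = [
    {"name": DWD_EVENT, "actor": "admin@example.com", "parameters": [
        {"name": "API_CLIENT_NAME", "value": "110000000000000000001"},
        {"name": "API_SCOPES", "multiValue": [
            "https://www.googleapis.com/auth/admin.directory.user",
            "https://www.googleapis.com/auth/gmail.readonly"]}]},
    {"name": DWD_EVENT, "actor": "admin@example.com", "parameters": [
        {"name": "API_CLIENT_NAME", "value": "110000000000000000002"},
        {"name": "API_SCOPES", "multiValue": [
            "https://www.googleapis.com/auth/calendar.readonly"]}]},
]

if __name__ == "__main__":
    for alert in key_creation_bursts(SAMPLE_GCP_LOG):
        print("KEY BURST:", alert)
    for hit in risky_delegations(SAMPLE_ADMIN_LOG):
        print("ADMIN-SCOPE DELEGATION:", hit)
```

The burst detector reports the widest window per principal rather than alerting on every event past the threshold, so a single enumeration run produces one alert listing all the service accounts touched. The scope check uses a prefix match so that any scope under https://www.googleapis.com/auth/admin (directory, reports, and so on) is caught, not just the bare admin scope.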
Hunters created a proof-of-concept tool for running the DeleFriend exploitation method manually. The tool works by enumerating GCP projects using the Resource Manager API, iterating over and enumerating GCP service account resources and project resources, and investigating specific roles and permissions from there, including extracting the private key value from a privateKeyData attribute (Figure A). The end result is a JWT, which can be exchanged for a short-lived access token that allows access to Google APIs. Khanashvili's blog post contains more detail.
Figure A
The tool is intended for researchers as a way to detect misconfigurations, and to "increase awareness around OAuth delegation attacks in GCP and Google Workspace and to improve the security posture of organizations that use the Domain-Wide-Delegation feature," Hunters wrote.
Note: TechRepublic reached out to Google for more information.