Google Cloud shores up log permissions for builder bot
ALSO: Amazon's child-sized COPPA fine, smart tech security labels coming to the US, and this week's critical vulns
Infosec in brief Google Cloud has fixed an issue in which it gave away a little too much info in its audit logs to a service account.
Whenever a GCP project enables the Cloud Build API, a Cloud Build service account is created within the project to carry out builds for that customer.
That service account had access to its project's private audit logs, which include details of the permissions assigned to the project's GCP accounts. That information – which is just details of who can do what – would be useful for an intruder, as it would indicate which accounts are worth targeting to get deeper into an organization's infrastructure.
Someone within a project able to impersonate its Cloud Build service account could therefore look up what other accounts had access to. Last month, Google Cloud closed off that route by removing the service account's ability to access the private audit log.
IT security outfit Orca, which spotted and reported this issue, wrote about the oversight this month. In Orca's view, an intruder can still get up to no good and do things like meddle with images in the project's artifact registry and inject malicious code – if they are able to impersonate the Google Cloud Build service and escalate privileges.
We note that Rhino Security Labs documented a similar attack around 2019. Essentially, make sure you're aware of which accounts have which privileges, and ensure the risk from those accounts being hijacked or impersonated is minimized as much as possible.
"We appreciate the work of the researchers and have incorporated a fix based on their report as outlined in a security bulletin issued in early June," Google told us.
Critical vulnerabilities of the week
Adobe leads the critical vulnerability pack this week with a series of security stumbles.
With the assistance of Rapid7 security researchers, Adobe determined it issued an incomplete fix for an access control bypass in ColdFusion that, when chained with a subsequent vulnerability, led to active exploitation.
It breaks down like this: Researchers from Project Discovery published an exploit for what Rapid7 said PD likely thought was for a deserialization of untrusted data exploit in ColdFusion patched by Adobe on July 11. PD actually found a new vulnerability necessitating another patch on July 14.
Unfortunately, the patch deployed in July 11 was incomplete and allowed it to be chained with the exploit patched on July 14, so a third patch has been issued. Best to update now.
Other serious vulns reported this week:
- CVSS 10.0 – Multiple CVEs: Iagona's ScrutisWeb software, used for monitoring fleets of ATMs, contains multiple vulnerabilities that could allow an attacker to upload and execute arbitrary files.
- CVSS 9.8 – CVE-2023-3638: The GV-ADR2701 model of GeoVision security cameras has an issue on the login page that an attacker could exploit by editing the login response to gain access to the camera's web app.
- CVSS 8.1 – Multiple CVEs: KingHistorian time-series databases made by WellinTech contain a pair of vulnerabilities that an attacker could use to send malicious data and disclose sensitive info.
Just a pair of new known exploited vulnerabilities this week, but they're quite high profile:
- CVSS 9.8 – CVE-2023-3519: Attackers are actively exploiting a remote code execution vulnerability in Citrix Gateway and ADC identified by the company and patched on July 18.
- CVSS 8.8 – CVE-2023-36884: Microsoft said it's investigating a series of RCE vulnerabilities in Office and Windows products that are under active exploit via malicious Office documents.
Amazon agrees to pay $25 million to settle Alexa COPPA violations
The US Department of Justice said this week that it had reached an agreement with Amazon regarding its alleged violations of the Children's Online Privacy Protection Act (COPPA).
The settlement stems from charges that Amazon had a policy of retaining voice recordings of those under the age of 13 indefinitely by default – which violates COPPA rules – among other privacy violations.
Amazon agreed to pay the DoJ $25 million, or 0.78 percent of its Q1 2023 profit, to settle the issue without admitting or denying responsibility. Along with the pittance of a fine, Amazon has agreed to delete inactive child profiles, stop misrepresenting its Alexa recording retention policy and to report to the DoJ on its compliance with the orders for the next decade.
The suit, which was brought in late May, extracted a bargain from Amazon as soon as it was filed. Writing on the same day the accusations came to light, Amazon said it disagreed with the FTC's claims, but was still settling to put the matter behind it.
"We will continue to invent more privacy features on behalf of our customers and ensure they are aware of the controls and options available to them," Amazon said, as ordered.
Cyber security labels coming soon to US smart tech
Proposed by Federal Communications Commission chairwoman Jessica Rosenworcel, The Cyber Trust Mark could begin appearing on smart fridges, microwaves, TVs, climate control systems, fitness trackers and other devices as soon as next year.
"This new labeling program would help provide Americans with greater assurances about the cyber security of the products they use and rely on in their everyday lives," The White House said in a statement. "It would also be beneficial for businesses, as it would help differentiate trustworthy products in the marketplace."
The actual plan for implementing the Cyber Trust Mark is forthcoming, with the FCC still to introduce proposed rules for public comment.
What a device will need to do in order to qualify is also still to be defined. The Biden administration said the voluntary program would be based on cyber security criteria from the National Institute of Standards and Technology and may include "unique and strong default passwords, data protection, software updates, and incident detection capabilities." ®