Flaw left Deployment Manager open to remote code execution attacks

UPDATED The discovery of a critical vulnerability in a component of Google Cloud has earned a security researcher a bumper $31,337 bug bounty payout.

Ezequiel Pereira, who boasts a back catalogue of research in this area, uncovered a security flaw in Google’s Cloud Deployment Manager that posed a remote code execution (RCE) risk.

A security flaw in the Google Cloud JSON API allowed the Uruguayan computer science student to specify internal services such as issuetracker.corp.googleapis.com and perform calls on these APIs using the gslbTarget parameter.

The security bug was paid out in full because potentially it could be used to get RCE on Google’s internal infrastructure.

Here’s the science bit

Deployment Manager is a Google Cloud service that offers a mechanism to handle resources’ creation, deletion, and modification through a given API. The vulnerability discovered by Pereira involves the interaction of this technology with Google’s Global Service Load Balancer (GSLB).

“By using an internal test (dogfood) version of Google Cloud Deployment Manager, I was able to issue some requests to some Google internal endpoints (through GSLB), which could have led to RCE,” Pereira explained in a summary added to his post in response to questions from The Daily Swig.

“This could be achieved through an request to the Deployment Manager with this format, which begins an async operation.”

He continued: “The operation attempts to send a GET request to the specified endpoint's descriptor URL, and expects a descriptor document as an answer.

“If it fails, it might still provide internal information in the error message, if it succeeds, it would allow more complex internal requests to be issued,” according to Pereira.

The issue was quickly fixed soon after Pereira reported the problem to Google on May 7. Pereira received a reward for his hack earlier this week, giving the green light to publish a detailed technical write-up of his research.

Google told The Daily Swig: "An external researcher through our Vulnerability Rewards Program recently reported a Remote Code Execution vulnerability in Cloud Deployment Manager. The issue has been fixed and our investigation found no evidence of abuse or active exploitation of the reported vulnerability.”

This story has been updated to add comment from Google.

RELATED XSS vulnerability uncovered in Google Voice browser extension