Tuesday , June 3 2025
Google

Alert! Google Fixes GCP Composer Flaw

Tenable Research found and fixed a remote code execution (RCE) vulnerability, called CloudImposer, in Google Cloud Platform (GCP). This flaw could have let attackers hijack a pre-installed software dependency in Google Cloud Composer. Additionally, Tenable identified concerning guidance in GCP documentation that customers should note.

The Hacker News reported, quoted with security researcher Liv Matan that, “The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool,”.

Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks

Qualcomm has issued security patches for three zero-day vulnerabilities in the Adreno GPU driver, affecting many chipsets that are being...
Read More
Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks

Critical RCE Flaw Patched in Roundcube Webmail

Roundcube Webmail has fixed a critical security flaw that could enable remote code execution after authentication. Disclosed by security researcher...
Read More
Critical RCE Flaw Patched in Roundcube Webmail

Hacker claim Leak of Deloitte Source Code & GitHub Credentials

A hacker known as "303" claim to breach the company's systems and leaked sensitive internal data on a dark web...
Read More
Hacker claim Leak of Deloitte Source Code & GitHub Credentials

CISA Issued Guidance for SIEM and SOAR Implementation

CISA and ACSC issued new guidance this week on how to procure, implement, and maintain SIEM and SOAR platforms. SIEM...
Read More
CISA Issued Guidance for SIEM and SOAR Implementation

Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora

The Qualys Threat Research Unit (TRU) found two local information-disclosure vulnerabilities in Apport and systemd-coredump. Both issues are race-condition vulnerabilities....
Read More
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora

Australia enacts mandatory ransomware payment reporting

New ransomware payment reporting rules take effect in Australia yesterday (May 30) for all organisations with an annual turnover of...
Read More
Australia enacts mandatory ransomware payment reporting

Why Govt Demands Foreign CCTV Firms to Submit Source Code?

Global makers of surveillance gear have clashed with Indian regulators in recent weeks over contentious new security rules that require...
Read More
Why Govt Demands Foreign CCTV Firms to Submit Source Code?

CVE-2023-39780
Botnet hacks thousands of ASUS routers

GreyNoise has discovered a campaign where attackers have gained unauthorized access to thousands of internet-exposed ASUS routers. This seems to...
Read More
CVE-2023-39780  Botnet hacks thousands of ASUS routers

Bangladesh Bank instructed using AI to prevent online gambling

The rise of online gambling in the country is leading to increased crime and societal issues. In response, the central...
Read More
Bangladesh Bank instructed using AI to prevent online gambling

251 Amazon-Hosted IPs Used in Exploit Scan for ColdFusion, Struts, and Elasticsearch

Cybersecurity researchers recently revealed a coordinated cloud-based scanning attack that targeted 75 different exposure points earlier this month. On May...
Read More
251 Amazon-Hosted IPs Used in Exploit Scan for ColdFusion, Struts, and Elasticsearch

A threat actor could launch a major supply chain attack by releasing a fake package in a public repository that matches the name of an internally developed package but has a higher version number.

This leads the package manager to accidentally download a malicious package from the public repository instead of the private one, replacing the legitimate package with the harmful version.

The problem identified by Tenable is similar in that it could be abused to upload a malicious package to the Python Package Index (PyPI) repository with the name “google-cloud-datacatalog-lineage-producer-client,” which could then be preinstalled on all Composer instances with elevated permissions.

While Cloud Composer requires that the package in question is version-pinned (i.e., version 0.1.0), Tenable found that using the “–extra-index-url” argument during a “pip install” command prioritizes fetching the package from the public registry, thereby opening the door to dependency confusion.

With this access, attackers can run code, steal service account credentials, and move around to other GCP services within the victim’s environment.

After responsible disclosure on January 18, 2024, Google fixed the issue in May 2024 by restricting the package installation to a private repository and adding checksum verification to ensure integrity and prevent tampering.

The Python Packaging Authority (PyPA) is said to have been aware of the risks posed by the “–extra-index-url” argument since at least March 2018, urging users to skip using PyPI in cases where the internal package needs to be pulled.

“Packages are expected to be unique up to name and version, so two wheels with the same package name and version are treated as indistinguishable by pip,” a PyPA member noted at the time. “This is a deliberate feature of the package metadata, and not likely to change.”

Google, as part of its fix, now also recommends that developers use the “–index-url” argument instead of the “–extra-index-url” argument and that GCP customers make use of an Artifact Registry virtual repository when requiring multiple repositories.

“The ‘–index-url’ argument reduces the risk of dependency confusion attacks by only searching for packages in the registry that was defined as a given value for that argument,” Matan said.

Source: (Tenable, the hacker news)

Check Also

core dump

Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora

The Qualys Threat Research Unit (TRU) found two local information-disclosure vulnerabilities in Apport and systemd-coredump. …

Leave a Reply

Your email address will not be published. Required fields are marked *