Infosec in brief A security weakness in Google Cloud Build could have allowed attackers to tamper with organizations’ code repositories and application images, according to Orca Security researchers.

The firm’s Research Pod today published details about a “critical” flaw, and warned that it could have been exploited to achieve a supply-chain attack along the lines of SolarWinds – or, more recently, MOVEit – with “far reaching consequences.”

After word of the vulnerability reached the Chocolate Factory, Google deployed a fix – though it doesn’t fully address the issue, according to Orca researcher Roi Nisimi. 

“It only limits it – turning it into a design flaw that still leaves organizations vulnerable to the larger supply chain risk,” Nisimi said. “It requires security teams to put further measures in place to protect against this risk.”

The issue, as Google describes it, is more about poorly defined permissions.

Cloud Build, as an automation service, uses service accounts to authenticate requests made during a build. 

As Orca researchers discovered, if someone enables the Cloud Build API in a project, the product automatically creates a default service account to execute builds. Up until June, this contained a flaw that gave builds access to the private audit logs showing a complete list of all permissions on the project.

When asked about Orca’s claim that this only provided a partial fix, a Google spokesperson gave The Register little in the way of explanation – saying only that its vulnerability rewards program exists to find those sorts of issues, and that it appreciates Orca’s help. 

But will Goog deploy a further fix for the bug?

“We appreciate the work of the researchers and have incorporated a fix based on their report as outlined in a security bulletin issued in early June,” Google told us. We’ll take that as a no.

In the meantime, it’s on you, IT leaders.

“It’s … important that organizations pay close attention to the behavior of the default Google Cloud Build service account,” Nisimi said, adding that applying the principle of least privilege is vital to reducing an organization’s risk. 

Critical vulnerabilities of the week

Adobe leads the critical vulnerability pack this week with a series of security stumbles. 

With the assistance of Rapid7 security researchers, Adobe determined it issued an incomplete fix for an access control bypass in ColdFusion that, when chained with a subsequent vulnerability, led to active exploitation. 

It breaks down like this: Researchers from Project Discovery published an exploit for what Rapid7 said PD likely thought was for a deserialization of untrusted data exploit in ColdFusion patched by Adobe on July 11. PD actually found a new vulnerability necessitating another patch on July 14. 

Unfortunately, the patch deployed in July 11 was incomplete and allowed it to be chained with the exploit patched on July 14, so a third patch has been issued. Best to update now. 

Other serious vulns reported this week: 

  • CVSS 10.0 – Multiple CVEs: Iagona’s ScrutisWeb software, used for monitoring fleets of ATMs, contains multiple vulnerabilities that could allow an attacker to upload and execute arbitrary files. 
  • CVSS 9.8 – CVE-2023-3638: The GV-ADR2701 model of GeoVision security cameras has an issue on the login page that an attacker could exploit by editing the login response to gain access to the camera’s web app.
  • CVSS 8.1 – Multiple CVEs: KingHistorian time-series databases made by WellinTech contain a pair of vulnerabilities that an attacker could use to send malicious data and disclose sensitive info.

Also, both Oracle and Atlassian released monthly patches this week to address several critical issues.

Just a pair of new known exploited vulnerabilities this week, but they’re quite high profile:

  • CVSS 9.8 – CVE-2023-3519: Attackers are actively exploiting a remote code execution vulnerability in Citrix Gateway and ADC identified by the company and patched on July 18. 
  • CVSS 8.8 – CVE-2023-36884: Microsoft said it’s investigating a series of RCE vulnerabilities in Office and Windows products that are under active exploit via malicious Office documents.

Amazon agrees to pay $25 million to settle Alexa COPPA violations

The US Department of Justice said this week that it had reached an agreement with Amazon regarding its alleged violations of the Children’s Online Privacy Protection Act (COPPA). 

The settlement stems from charges that Amazon had a policy of retaining voice recordings of those under the age of 13 indefinitely by default – which violates COPPA rules – among other privacy violations.

Amazon agreed to pay the DoJ $25 million, or 0.78 percent of its Q1 2023 profit, to settle the issue without admitting or denying responsibility. Along with the pittance of a fine, Amazon has agreed to delete inactive child profiles, stop misrepresenting its Alexa recording retention policy and to report to the DoJ on its compliance with the orders for the next decade. 

The suit, which was brought in late May, extracted a bargain from Amazon as soon as it was filed. Writing on the same day the accusations came to light, Amazon said it disagreed with the FTC’s claims, but was still settling to put the matter behind it.

“We will continue to invent more privacy features on behalf of our customers and ensure they are aware of the controls and options available to them,” Amazon said, as ordered.

Cyber security labels coming soon to US smart tech

The Biden administration announced plans this week to introduce a US Cyber Trust Mark for smart devices – think Energy Star, but for internet-connected devices.

Proposed by Federal Communications Commission chairwoman Jessica Rosenworcel, The Cyber Trust Mark could begin appearing on smart fridges, microwaves, TVs, climate control systems, fitness trackers and other devices as soon as next year. 

“This new labeling program would help provide Americans with greater assurances about the cyber security of the products they use and rely on in their everyday lives,” The White House said in a statement. “It would also be beneficial for businesses, as it would help differentiate trustworthy products in the marketplace.”

The actual plan for implementing the Cyber Trust Mark is forthcoming, with the FCC still to introduce proposed rules for public comment. 

What a device will need to do in order to qualify is also still to be defined. The Biden administration said the voluntary program would be based on cyber security criteria from the National Institute of Standards and Technology and may include “unique and strong default passwords, data protection, software updates, and incident detection capabilities.” ®