Cloud security is so complex that even cloud providers get it wrong sometimes. A single faulty command argument on Google Cloud Platform's (GCP) side was enough for us to find a critical remote code execution vulnerability (dubbed 'CloudImposer') that reached both GCP customers' workloads and Google's own internal production servers, affecting millions of cloud servers. To drive the point about complexity home, I will also reveal a privilege escalation vulnerability we discovered in GCP that stemmed from GCP itself deploying services with dangerous defaults.
I will start the talk by sharing the thrilling process of discovering the CloudImposer vulnerability, including getting hundreds of DNS requests from internal Google servers, until a PyPI guardrail stopped us.
However, this talk is about more than just a vulnerability. This investigation led to some unique research insights about cloud services:
- Supply chain vulnerabilities in the cloud are on steroids. Instead of one malicious package compromising one server, one malicious package compromises a service that the provider deploys to millions of servers.
- Cloud providers build their services like Jenga towers: their core services are the foundation of the more popular customer-facing offerings. For example, a single click to create a Cloud Function creates resources in six different services. This exposes customers to a larger, and largely invisible, attack surface.
The next part of the talk will dive deep into the vulnerable GCP Cloud Functions deployment flow. I will showcase the vulnerability I found in this flow and present a simple tool we built, newly released to the community, for finding the hidden APIs that the cloud provider calls on your behalf when you perform an action.
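As an added illustration of the two points above (the six-service "Jenga" effect and finding the hidden calls behind one action), here is a small script that is not the tool from the talk, whose internals the abstract does not describe. It takes Cloud Audit Log entries, collects every audited call that follows one user action within a short window, groups them by service, and separates calls made by the user from calls made by the provider's service agents on the user's behalf. The field names follow the Cloud Audit Logs LogEntry shape (`timestamp`, `protoPayload.serviceName`, `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`); the log lines, principals, project, resource names and the particular six services are constructed for the example and do not record what GCP actually calls.

```python
"""Enumerate the service calls hidden behind one cloud action, from audit-log entries.

Added example, not the talk's tool. Field names mirror the Cloud Audit Logs LogEntry
shape; every principal, project, resource name, method and timestamp is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TRIGGER_PRINCIPAL = "dev@example.com"  # constructed: the human who clicked "Create"
TRIGGER_METHOD = "google.cloud.functions.v2.FunctionService.CreateFunction"
AGENT = "service-123456789@gcf-admin-robot.iam.gserviceaccount.com"  # constructed agent


def _entry(ts, service, method, principal, resource):
    """Build one audit-log-shaped JSON line (constructed sample data)."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
        },
    })


# Constructed sample log: one user action, five follow-on calls made by a service agent
# on the user's behalf, and one unrelated call two hours later that must be excluded.
SAMPLE_LOG = "\n".join([
    _entry("2024-06-01T10:00:00Z", "cloudfunctions.googleapis.com", TRIGGER_METHOD,
           TRIGGER_PRINCIPAL, "projects/demo-proj/locations/us-central1/functions/hello"),
    _entry("2024-06-01T10:00:01Z", "storage.googleapis.com", "storage.buckets.create",
           AGENT, "projects/_/buckets/gcf-sources-demo"),
    _entry("2024-06-01T10:00:03Z", "artifactregistry.googleapis.com",
           "google.devtools.artifactregistry.v1.ArtifactRegistry.CreateRepository",
           AGENT, "projects/demo-proj/locations/us-central1/repositories/gcf-artifacts"),
    _entry("2024-06-01T10:00:05Z", "cloudbuild.googleapis.com",
           "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild",
           AGENT, "projects/demo-proj/builds/b1"),
    _entry("2024-06-01T10:00:30Z", "run.googleapis.com",
           "google.cloud.run.v2.Services.CreateService",
           AGENT, "projects/demo-proj/locations/us-central1/services/hello"),
    _entry("2024-06-01T10:00:40Z", "pubsub.googleapis.com",
           "google.pubsub.v1.Publisher.CreateTopic",
           AGENT, "projects/demo-proj/topics/hello-trigger"),
    _entry("2024-06-01T12:00:00Z", "compute.googleapis.com", "v1.compute.instances.list",
           TRIGGER_PRINCIPAL, "projects/demo-proj/zones/us-central1-a"),
])


def parse_log(text):
    """One JSON audit-log entry per line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(entry):
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def hidden_calls(entries, trigger_principal, trigger_method, window_seconds=60):
    """Locate the user's triggering call, then gather every audited call in the window
    that follows it, grouped by serviceName -> sorted (methodName, principal) pairs."""
    entries = sorted(entries, key=_when)
    trigger = next((e for e in entries
                    if e["protoPayload"]["authenticationInfo"]["principalEmail"] == trigger_principal
                    and e["protoPayload"]["methodName"] == trigger_method), None)
    if trigger is None:
        raise ValueError("trigger call not found in log")
    t0 = _when(trigger)
    deadline = t0 + timedelta(seconds=window_seconds)
    calls = defaultdict(set)
    for e in entries:
        if t0 <= _when(e) <= deadline:
            p = e["protoPayload"]
            calls[p["serviceName"]].add((p["methodName"], p["authenticationInfo"]["principalEmail"]))
    return {svc: sorted(methods) for svc, methods in sorted(calls.items())}


def indirect_principals(calls, trigger_principal):
    """Identities other than the user that acted inside the window: the provider's own
    service agents doing the lower layers of the tower on the user's behalf."""
    return sorted({principal for methods in calls.values()
                   for _, principal in methods if principal != trigger_principal})


if __name__ == "__main__":
    calls = hidden_calls(parse_log(SAMPLE_LOG), TRIGGER_PRINCIPAL, TRIGGER_METHOD)
    print(f"{len(calls)} services touched by one {TRIGGER_METHOD.rsplit('.', 1)[-1]} call:")
    for svc, methods in calls.items():
        for method, principal in methods:
            print(f"  {svc:32} {method}  ({principal})")
    print("acting on the user's behalf:", indirect_principals(calls, TRIGGER_PRINCIPAL))
```

Against a real project, feed the script entries exported from Cloud Logging (for example with `gcloud logging read`, adapting `parse_log` to the export shape you choose). Two caveats: Admin Activity audit logs are always on, but Data Access logs are off by default for most services, so read-type calls made on your behalf will be missing unless you enable them first; and the time window is a heuristic, so on a busy project filter on the triggering resource name as well as the principal.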
By the end of this talk, the audience will understand the dangers of treating cloud services as a black box, and leave with the right tools and ideas for looking inside it.