BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 – A severe design flaw in Google Workspace’s domain-wide delegation feature, discovered by threat hunting experts from Hunters’ Team Axon, can allow attackers to misuse existing delegations, enabling privilege escalation and unauthorized access to Workspace APIs without Super Admin privileges. Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all the identities within the target domain. Hunters has responsibly disclosed this to Google and worked closely with them prior to publishing this research.
Domain-wide delegation allows a comprehensive delegation between Google Cloud Platform (GCP) identity objects and Google Workspace applications. In other words, it enables GCP identities to execute tasks on Google SaaS applications, such as Gmail, Google Calendar, Google Drive, and more, on behalf of other Workspace users.
The design flaw, which the team at Hunters has dubbed “DeleFriend,” allows potential attackers to manipulate existing delegations in GCP and Google Workspace without possessing the high-privilege Super Admin role on Workspace, which is essential for creating new delegations. Instead, with less privileged access to a target GCP project, they can create numerous JSON web tokens (JWTs) composed of different OAuth scopes, aiming to pinpoint successful combinations of private key pairs and authorized OAuth scopes which indicate that the service account has domain-wide delegation enabled.
The root cause lies in the fact that the domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object.
Furthermore, no restrictions on fuzzing of JWT combinations have been implemented at the API level, so nothing prevents enumerating numerous options for finding and taking over existing delegations.
This flaw poses a particular risk due to the potential impact described above and is amplified by the following:
- Long life: By default, GCP service account keys are created without an expiry date. This makes them ideal for establishing backdoors and ensuring long-term persistence.
- Easy to hide: The creation of new service account keys for existing IAM identities or, alternatively, the setting of a delegation rule within the API authorization page is easy to conceal. This is because these pages typically host a wide array of legitimate entries, which are not examined thoroughly enough.
- Awareness: IT and Security departments may not always be cognizant of the domain-wide delegation feature. They may particularly be unaware of its potential for malicious abuse.
- Hard to detect: Since delegated API calls are made on behalf of the target identity, the API calls will be logged with the victim’s details in the corresponding GWS audit logs. This makes it challenging to identify such activities.
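The “long life” point above is one a defender can check directly: list the keys on each service account and flag user-managed keys that never expire or have been around for a long time. The script below is an added example for this page, not Hunters’ proof-of-concept tool. It assumes the JSON shape emitted by `gcloud iam service-accounts keys list --iam-account=<SA> --format=json` (records with `name`, `keyType`, `validAfterTime`, `validBeforeTime`, where a key created without an expiry reports a `validBeforeTime` of `9999-12-31T23:59:59Z`); the project, account and key ids in the sample records are constructed.

```python
"""Flag long-lived user-managed GCP service-account keys.

Added example, not Hunters' tooling. Assumes the record shape of
`gcloud iam service-accounts keys list --iam-account=<SA> --format=json`:
`name`, `keyType` (USER_MANAGED or SYSTEM_MANAGED), `validAfterTime`,
`validBeforeTime`. The sample records below are constructed (fake ids).
"""
import json
from datetime import datetime, timedelta, timezone

# Value reported for keys created without an expiry (assumption based on gcloud output).
NO_EXPIRY_SENTINEL = "9999-12-31T23:59:59Z"

# Constructed service-account resource name used by the sample records.
SA = "projects/example-proj/serviceAccounts/backup-sa@example-proj.iam.gserviceaccount.com"

# Constructed sample: what `keys list --format=json` might return for one account.
SAMPLE_KEYS_JSON = json.dumps([
    {  # user-managed, created years ago, never expires: ideal backdoor material
        "name": f"{SA}/keys/aaaa1111",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2021-03-02T10:00:00Z",
        "validBeforeTime": NO_EXPIRY_SENTINEL,
    },
    {  # user-managed, recent, short validity window: acceptable
        "name": f"{SA}/keys/bbbb2222",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2024-05-01T10:00:00Z",
        "validBeforeTime": "2024-08-01T10:00:00Z",
    },
    {  # Google-managed key: rotated by Google, private half never downloadable
        "name": f"{SA}/keys/cccc3333",
        "keyType": "SYSTEM_MANAGED",
        "validAfterTime": "2024-05-20T00:00:00Z",
        "validBeforeTime": "2024-06-05T00:00:00Z",
    },
])


def parse_rfc3339(ts: str) -> datetime:
    """Parse the second-resolution UTC timestamps gcloud prints."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(records, now, max_age_days=90):
    """Return [(key_id, [reasons])] for user-managed keys that deserve review.

    Only USER_MANAGED keys are considered: their private half can live outside
    Google's control, which is what makes them useful for persistence.
    """
    findings = []
    for rec in records:
        if rec.get("keyType") != "USER_MANAGED":
            continue
        key_id = rec["name"].rsplit("/", 1)[-1]
        created = parse_rfc3339(rec["validAfterTime"])
        reasons = []
        if rec["validBeforeTime"] == NO_EXPIRY_SENTINEL:
            reasons.append("no expiry")
        if now - created > timedelta(days=max_age_days):
            reasons.append(f"older than {max_age_days} days")
        if reasons:
            findings.append((key_id, reasons))
    return findings


def audit_sample(now_iso="2024-06-01T00:00:00Z"):
    """Run the audit over the constructed sample at a fixed 'now' for repeatability."""
    return audit_keys(json.loads(SAMPLE_KEYS_JSON), parse_rfc3339(now_iso))


if __name__ == "__main__":
    for key_id, reasons in audit_sample():
        print(f"REVIEW {key_id}: {', '.join(reasons)}")
```

In practice you would feed the script the real `gcloud` output for every service account in every project, and treat any finding as a prompt to rotate the key, give it an expiry, or remove it; the organization policy constraint `constraints/iam.disableServiceAccountKeyCreation` prevents new user-managed keys from being created at all where they are not needed.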
“The potential consequences of malicious actors misusing domain-wide delegation are severe. Instead of affecting just a single identity, as with individual OAuth consent, exploiting DWD with existing delegation can impact every identity within the Workspace domain,” says Yonatan Khanashvili of Hunters’ Team Axon.
The range of possible actions varies based on the OAuth scopes of the delegation: for instance, email theft from Gmail, data exfiltration from Drive, or monitoring meetings from Google Calendar.
In order to execute the attack method, a specific GCP permission is required on the target service accounts. However, Hunters observed that granting such permission is not an uncommon practice in organizations, making this attack technique highly prevalent in organizations that do not maintain a security posture over their GCP resources. “By adhering to best practices, and managing permissions and resources wisely, organizations can dramatically reduce the impact of the attack method,” Khanashvili continued.
Hunters has created a proof-of-concept tool (full details are included in the full research) to assist organizations in detecting DWD misconfigurations, raising awareness, and reducing DeleFriend’s exploitation risks. Using this tool, red teams, pen testers, and security researchers can simulate attacks and locate vulnerable attack paths from GCP IAM users to existing delegations in their GCP projects, to evaluate (and then improve) the security risk and posture of their Workspace and GCP environments.
Hunters’ Team Axon has also compiled comprehensive research that lays out exactly how the vulnerability works as well as recommendations for thorough threat hunting, detection strategies, and best practices for countering domain-wide delegation attacks.
Hunters responsibly reported DeleFriend to Google as part of Google’s “Bug Hunters” program in August, and is collaborating closely with Google’s security and product teams to explore appropriate mitigation strategies. Currently, Google has yet to resolve the design flaw.
Read the full research here, and follow Hunters’ Team Axon on Twitter.
About Hunters
Hunters delivers a Security Operations Center (SOC) Platform that reduces risk, complexity, and cost for security teams. A SIEM alternative, Hunters SOC Platform provides data ingestion, built-in and always up-to-date threat detection, and automated correlation and investigation capabilities, minimizing the time to understand and respond to real threats. Organizations like Booking.com, ChargePoint, Yext, Upwork and Cimpress leverage Hunters SOC Platform to empower their security teams. Hunters is backed by leading VCs and strategic investors including Stripes, YL Ventures, DTCP, Cisco Investments, Bessemer Venture Partners, U.S. Venture Partners (USVP), Microsoft’s venture fund M12, Blumberg Capital, Snowflake, Databricks, and Okta.
Contact
Yael Macias