Infosec overview

According to researchers at Orca Security, a security vulnerability in Google Cloud Build could allow attackers to modify an organization’s code repositories and application images.

The company’s Research Pod today released details about a “critical” flaw that could have been exploited to accomplish supply chain attacks similar to SolarWinds and more recently MOVEit, warning that it could have “widespread impact.”

According to Orca researcher Roi Nisimi, after Orca reported the vulnerability to the Chocolate Factory, Google deployed a fix, but it didn’t fully address the issue.

“This only limits it from becoming a design flaw, leaving the organization still vulnerable to greater supply chain risks,” Nisimi said. “Security teams should take additional measures to protect against this risk.”

As explained by Google, the issue is due to poorly defined permissions.

As an automation service, Cloud Build uses service accounts to authenticate requests made during builds.

As Orca researchers discovered, when someone enables the Cloud Build API on a project, the product automatically creates a default service account for running builds. Until June, this included a flaw that gave builds access to a private audit log showing the full list of all permissions for a project.

When asked about Orca’s claim that this was only a partial fix, a Google spokesperson offered little explanation to The Register, saying only that the Vulnerability Rewards Program exists to find such issues and that it appreciates Orca’s cooperation.

But will Google roll out further fixes for this bug?

“We thanked the researchers for their efforts and have incorporated fixes based on their reports outlined in a security bulletin published in early June,” Google told us. Take that as a no.

Until then, it’s up to you, IT leaders.

“It is important that organizations pay close attention to the behavior of the default Google Cloud Build service account,” said Nisimi, adding that applying the principle of least privilege is essential to reducing organizational risk.
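One way to act on that advice is to audit what the default Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com) is actually allowed to do. The script below is an added example, not code from Orca or Google; the project number, the role allowlist and the sample IAM policy are constructed assumptions, and the sample mimics the shape of a flattened `gcloud projects get-iam-policy` export.

```shell
#!/bin/sh
# Audit the default Cloud Build service account for roles outside an allowlist.
# PROJECT_NUMBER and the allowlist are constructed assumptions for this example.
PROJECT_NUMBER="123456789012"
DEFAULT_SA="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"

# Roles a build account typically needs; anything broader (roles/editor,
# roles/owner, roles/iam.*) is flagged. Adjust to what your pipelines use.
ALLOWED_ROLES="roles/cloudbuild.builds.builder roles/logging.logWriter roles/artifactregistry.writer"

# Constructed sample in the shape produced by:
#   gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' \
#     --format='csv[no-heading](bindings.role,bindings.members)'
SAMPLE_POLICY='roles/editor,serviceAccount:123456789012@cloudbuild.gserviceaccount.com
roles/cloudbuild.builds.builder,serviceAccount:123456789012@cloudbuild.gserviceaccount.com
roles/viewer,user:alice@example.com'

# audit_default_sa POLICY_CSV
# Prints one line per role the default Cloud Build SA holds outside ALLOWED_ROLES.
# Returns 0 if the account is within the allowlist, 1 otherwise.
audit_default_sa() {
  policy="$1"
  bad=0
  while IFS=, read -r role member; do
    [ "$member" = "$DEFAULT_SA" ] || continue
    case " $ALLOWED_ROLES " in
      *" $role "*) ;;                       # role is on the allowlist
      *) echo "overprivileged: $DEFAULT_SA has $role"; bad=1 ;;
    esac
  done <<EOF
$policy
EOF
  return $bad
}

# Example run on the constructed policy. Remediation, once a broad role is found:
#   gcloud projects remove-iam-policy-binding "$PROJECT_ID" \
#     --member="$DEFAULT_SA" --role=roles/editor
# and point builds at a dedicated, narrowly scoped account via the
# `serviceAccount:` field in cloudbuild.yaml.
audit_default_sa "$SAMPLE_POLICY" || echo "fix the bindings listed above"
```

On the constructed policy the script reports the roles/editor binding and nothing else, since the builder role is on the allowlist and the viewer binding belongs to a different principal.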

Critical Vulnerabilities of the Week

Adobe leads this week’s pack of critical vulnerabilities after a series of security blunders.

Rapid7 security researchers determined that Adobe’s fix for a ColdFusion access control bypass was incomplete, and that the flaw leads to active exploitation when chained with subsequent vulnerabilities.

The breakdown is as follows. Researchers at Project Discovery released an exploit that, Rapid7 said, PD likely believed targeted the deserialization-of-untrusted-data flaw in ColdFusion that Adobe patched on July 11th. In fact, PD had discovered a new vulnerability, which required another patch on July 14th.

Unfortunately, the patch deployed on July 11th was incomplete and could chain with the exploit patched on July 14th, so a third patch was issued. Best to update now.

Other serious vulnerabilities reported this week:

CVSS 10.0, multiple CVEs: Iagona’s ScrutisWeb software, used for ATM monitoring, contains multiple vulnerabilities that may allow an attacker to upload and execute arbitrary files.

CVSS 9.8, CVE-2023-3638: GeoVision’s GV-ADR2701 security camera has an issue with its login page that could be exploited by an attacker editing the login response to gain access to the camera’s web app.

CVSS 8.1, multiple CVEs: The KingHistorian time series database produced by WellinTech contains two vulnerabilities that could be used by an attacker to submit malicious data or disclose sensitive information.

Also, Oracle and Atlassian released monthly patches this week to address some critical issues.

Two newly reported vulnerabilities were under active exploitation this week, and both are very high profile.

CVSS 9.8, CVE-2023-3519: Attackers were actively exploiting remote code execution vulnerabilities in Citrix Gateway and ADC, which the company identified and patched on July 18th.

CVSS 8.8, CVE-2023-36884: Microsoft said it was investigating a series of RCE vulnerabilities in its Office and Windows products that were being exploited via malicious Office documents.

Amazon agrees to pay $25 million to fix Alexa’s COPPA violations

The Justice Department announced this week that it had reached an agreement with Amazon over alleged violations of the Children’s Online Privacy Protection Act (COPPA).

The settlement stems from allegations that Amazon had a default policy of retaining voice recordings of people under the age of 13 indefinitely, in violation of COPPA rules, among other privacy violations.

Without admitting or denying responsibility, Amazon agreed to pay the Department of Justice $25 million, equal to 0.78% of its first quarter 2023 earnings, to settle the matter. Along with the fine, Amazon agreed to delete inactive child profiles, stop misrepresenting Alexa’s recording retention policy, and report to the Justice Department on its compliance with the orders over the next 10 years.

The lawsuit, filed in late May, drew concessions from Amazon almost as soon as it was filed. In a written statement the same day the allegations came to light, Amazon said it disagreed with the FTC’s allegations but still intended to settle the matter.

“We will continue to invent more privacy features on behalf of our customers to ensure they are aware of the controls and options available to them,” Amazon said in a statement.

Cybersecurity label coming soon to US smart tech

The Biden administration announced plans this week to introduce the U.S. Cyber Trust Mark, an Energy Star-style label for internet-connected smart devices.

The Cyber Trust Mark, proposed by Federal Communications Commission Chair Jessica Rosenworcel, could start appearing on devices like smart refrigerators, microwave ovens, TVs, air conditioning systems and fitness trackers as early as next year.

“This new labeling program will help provide greater assurance about the cybersecurity of the products Americans use and depend on in their daily lives,” the White House said in a statement. “It’s also beneficial for companies because it helps differentiate reliable products in the market.”

Detailed plans for introducing the Cyber Trust Mark are to be announced soon, but the FCC will still have to put draft rules out for public comment.

What a device must do to qualify is also not yet defined. The Biden administration said the voluntary program is based on National Institute of Standards and Technology cybersecurity standards and may include “unique and strong default passwords, data protection, software updates and incident detection capabilities.”