The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and more)
Unknown
Black Hat USA 2024 · Day 1 · Briefing
In this compelling Black Hat USA talk, Liv Matan, a Senior Security Researcher at Tenable and recognized as Microsoft's Most Valuable Researcher, unveiled two critical vulnerabilities impacting Google Cloud Platform (GCP): **CloudImposer** and **Confused Function**. Matan introduced the "Jenga" concept, illustrating how major cloud providers build services atop one another, inadvertently creating interconnected attack surfaces ripe for privilege escalation and novel vulnerabilities. The talk detailed how a specific instance of **dependency confusion** within GCP Composer, a managed Apache Airflow service, allowed for code execution on internal Google servers, potentially affecting millions of instances.