Ava-549: Google Cloud Identity-Aware Proxy (IAP) issue impacting Ava Security Cloud Deployments

Release Date

23rd September 2021.

Overview

This is a dual advisory covering the impact to both the Reveal and Aware product lines.

On 17th September at 12 PM Pacific Time (19:00 GMT), Google Cloud published a security bulletin regarding their Identity-Aware Proxy (IAP). The bulletin reports a vulnerability in which a phishing attack could be used to gain temporary access to resources protected by the IAP. More information about this issue can be found on Google's Security Bulletins page: https://cloud.google.com/support/bulletins#gcp-2021-020

Google contacted Ava Security on 13th September after discovering the issue, and assisted in ensuring the security and integrity of our cloud-deployed systems. Following Google's instructions, we reviewed our internal logs and were unable to find any indication that the attack was used against our cloud systems.

Additionally, before the public release of this vulnerability, we worked with Google Cloud to deploy the recommended mitigations across our Reveal and Aware product lines, including all of our internal systems. These changes followed Ava Security's internal on-call and security incident response procedures. All changes were reviewed by the security team and two cloud primaries before they went live on 14th September at 4:00 AM GMT.

Affected Products

  • Reveal Cloud [MSSP Portal]: before 14th September 2021

Unaffected Products

  • Reveal Infrastructure:
    • All versions
  • Reveal Agent:
    • All versions
  • Ava Cloud [DMP Portal]:
    • All versions
  • Ava Aware:
    • All Stable upgrade channel versions
    • All Beta upgrade channel versions
  • Ava cameras:
    • All Stable upgrade channel versions
    • All Beta upgrade channel versions

Resolution

The Google Cloud team deployed an official fix to the IAP on 17th September.

Vulnerability Information

Google Cloud have not published an associated CVE number. The issue is being tracked under the Google Cloud identifier GCP-2021-020. CVSSv3 scores are best estimates made by the Ava Security Team and may be subject to change.

Mitigations

The Ava Security Team deployed the Google Cloud recommended mitigations on 14th September at 4:00 AM GMT to all internal and customer-facing instances. All development systems behind the IAP require a secondary layer of authentication backed by SAML or alternative login systems, so a successful exploit would not have been sufficient to give access to any Ava internal deployment. These systems are also limited by our RBAC to only the relevant users, reducing the scope of users affected.

Workarounds

There are no known workarounds for this issue.

Acknowledgements

The issue was found through the Google Cloud Vulnerability Reward Program. The Google Cloud Security team then reported the issue to Ava Security.

Disclosure Timeline

  • 13/09/2021 09:13 - Google informed Ava Security of a possible security issue with IAP
  • 13/09/2021 12:30 - Ava Security compiled a list of all possibly affected internal and external endpoints utilizing IAP
  • 13/09/2021 18:00 - Meeting between Google and Ava Security to discuss further details about the issue
  • 13/09/2021 18:30 - Google provided Ava Security with a Customer playbook and Mitigation steps for Identity-Aware Proxy (IAP)
  • 13/09/2021 19:00 - Ava Security began reviewing logs following the Google-provided search parameters
  • 13/09/2021 20:00 - Ava Security incident response team confirmed some internal systems were vulnerable to the exploit
  • 13/09/2021 20:00 - Ava Security Reveal team confirmed the MSSP portal was vulnerable to the exploit
  • 13/09/2021 20:00 - Ava Security completed a review of our logs. Ava Security services have NOT been exploited using the vulnerability.
  • 14/09/2021 02:07 - Ava Security deployed mitigations across all internal and external product lines
  • 14/09/2021 09:16 - Ava Security Aware team confirmed all products in the Aware product line were NOT vulnerable to the exploit.
  • 14/09/2021 10:00 - Ava Security internal meeting to confirm mitigations were correctly deployed
  • 14/09/2021 16:14 - Ava Security deployed an internal change to extend logging, and deployed further mitigations
  • 17/09/2021 - Google publicly disclosed the vulnerability
  • 22/09/2021 - Ava publicly disclosed the vulnerability