{"id":2186,"date":"2023-12-12T19:35:00","date_gmt":"2023-12-12T19:35:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud-security\/google-cloud-dataproc-abuse-risk-corporate-data-stores"},"modified":"2023-12-12T19:35:00","modified_gmt":"2023-12-12T19:35:00","slug":"google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/12\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores\/","title":{"rendered":"Google Cloud’s ‘Dataproc’ Abuse Risk Endangers Corporate Data Stores"},"content":{"rendered":"
<\/a><\/div>\n

Lackluster security controls in one of Google’s cloud services for data scientists could allow hackers to create applications, execute operations, and access data in Internet-facing environments.<\/span><\/p>\n

The issue lies with Google Cloud’s “Dataproc,” a managed service for running large-scale data processing and analytics workloads via Apache Hadoop, Spark, and more than 30 other open source tools and frameworks.<\/span><\/p>\n

A so-called “abuse risk” to Dataproc, <\/span>outlined by the Orca Research Pod on Dec. 12<\/a><\/span>, rests on the presence of two default open firewall ports used by Dataproc. If an attacker is able to achieve initial <\/span>server compromise in an exposed cloud environment<\/a><\/span> (through a common misconfiguration, say), they could take advantage of missing security checks to reach connected resources, such as data scientists’ <\/span>reams of sensitive data<\/a><\/span>. They could also toy with their cloud environments in myriad other ways.<\/span><\/p>\n

“One can imagine that the data used for analysis is likely to contain proprietary as well as sensitive data, which, if breached could provide bad actors with customer data, business intelligence, and other data that could be used for competitive intelligence,” says Roi Nisimi, cloud threat researcher at Orca Security.<\/span><\/p>\n

Exposed Dataproc in Default Private Cloud<\/span><\/h2>\n

Dataproc’s issues begin with the fact that its two Web interfaces used for every master node \u2014 YARN ResourceManager on port 8088 and Apache’s Hadoop Distributed File System (HDFS) NameNode on port 9870 \u2014 don’t require any authentication.<\/span><\/p>\n

“The two ports mentioned above are served for all addresses,” according to Orca. “Which means to fully access them, the one single prerequisite is Internet access. So one not properly segmented cluster can cause great damage.”<\/span><\/p>\n

As for the specific potential attack path, the researchers note that it’s “fairly simple.” <\/span><\/p>\n

\"Google<\/p>\n

Source: Orca Security<\/p>\n<\/div>\n

Google Cloud comes packaged with a default virtual private cloud (VPC) called Compute Engine, which, while limiting most inbound connections, does not limit any connections within an organization’s internal subnetwork. So, if an attacker can breach and execute code in the default VPC \u2014 say, if it’s left open to the Internet \u2014 they have a path to access Dataproc clusters because those two interfaces are left open by default.<\/span><\/p>\n

“The attacker can now tunnel through the compromised machine to access both Web interfaces,” the researchers explained. “They can use the YARN endpoint to create applications, submit jobs and perform <\/span>Cloud Storage operations<\/a><\/span>. … Or worse, they can use the HDFS endpoint to browse through the storage file system and obtain full access to sensitive data.”<\/span><\/p>\n

The upshot, as researchers explained: “Having an Internet-facing remote code execution (RCE) \u2014 vulnerable Compute Engine instance is not farfetched.”<\/span><\/p>\n

The researchers brought their findings to Google, but the issue has not yet been resolved. Google also has not responded to Dark Reading’s request for comment on this story.<\/span><\/p>\n

Nisimi says that Google could implement a fix rather easily. \u201cPotential solutions would prevent unauthenticated access to the cluster Web interfaces,\u201d he explains. \u201cFor example, Google could enable authentication by default in the underlying open source software (OSS) managed solution, so that GCP Dataproc only allows authenticated access.\u201d<\/span><\/p>\n

Orca did acknowledge that <\/span>Google’s Dataproc documentation<\/a><\/span> highlights this potential security risk and suggests avoiding open firewall rules on a public network, but “they don\u2019t take into account the risk of an attacker already having an initial foothold on a Compute Engine instance \u2014 which would give them unauthenticated access to GCP Dataproc as well,” according to the Orca post.<\/span><\/p>\n

Avoiding Cyber-Risk in Exposed Dataproc<\/span><\/h2>\n

To address such possibilities, the researchers recommended that Dataproc admins practice effective vulnerability management and properly segment their networks by creating independent clusters in different subnets, without cross-contamination with other services. Admins can also adjust firewall rules, or move to other VPCs.<\/span><\/p>\n

Unless Google itself implements some sort of fix, the researchers wrote, “it\u2019s up to organizations themselves to ensure that their GCP Dataproc clusters are not configured in a way that makes them vulnerable.”<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Lackluster security controls in one of Google’s cloud services for<\/p>\n","protected":false},"author":12,"featured_media":2187,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2186","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?fit=2560%2C1709&ssl=1",2560,1709,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?fit=300%2C200&ssl=1",300,200,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?fit=640%2C428&ssl=1",640,428,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?fit=640%2C428&ssl=1",640,428,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?fit=1536%2C1025&ssl=1",1536,1025,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?fit=2048%2C1367&ssl=1",2048,1367,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?fit=1024%2C684&ssl=1",1024,684,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/google-clouds-dataproc-abuse-risk-endangers-corporate-data-stores-scaled.jpg?fit=2560%2C1709&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2186"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2186\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2187"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}