high

Chronicle cross-customer bucket access

Published Tue, Sep 19th, 2023

Platforms

Summary

Customers can configure Chronicle to ingest data from customer-owned Cloud Storage buckets using an ingestion feed. Chronicle previously used a shared service account for all customers for granting permission to the bucket. Therefore, one customer's Chronicle instance could be configured to ingest data from another customer's Cloud Storage bucket. However, this required knowledge of the bucket URI.

Affected Services

Chronicle

Remediation

null

Tracked CVEs

No tracked CVEs

References

https://cloud.google.com/support/bulletins https://x.com/DoggoZW/status/1706290389974495650

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Tue, Sep 19th, 2023

Exploitability Period

until Sept 19, 2023

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

DoggoZW

More vulnerabilities...

high

AWS API Gateway Header Smuggling and Cache Confusion

Researchers at Omegapoint identified two issues in AWS API Gateway authorizers: 1) A header rewrite feature could be abused to bypass authorization by overwriting headers after the authorizer lambd...

OmegapointSep 19, 2023

low

AWS AppStream Cloudtrail Bypass

Credentials can be extracted from AppStream. When used, they obscure the sourceIP and userName of the initial user. The sourceIP appears as appstream.amazonaws.com.

Saransh Rana, CREDSep 11, 2023

critical

Power Platform Privilege Escalation in Azure AD

Secureworks researchers discovered an Azure AD application with an abandoned reply URL related to Microsoft Power Platform. An attacker could leverage this URL to redirect authorization codes, exch...

Secureworks Counter Threat ...Aug 24, 2023

View all