medium

Document AI data exfiltration

Published Mon, Sep 16th, 2024
Platforms

Summary

The Document AI service can read any Cloud Storage object in the same project, and this behaviour is not properly documented. The Document AI service agent (the Google-managed service account that Document AI uses to act on the project's behalf) is automatically granted permissions broad enough to read every object in every Cloud Storage bucket in the project. Because batch processing reads its input from, and writes its output to, Cloud Storage locations chosen by the caller, a principal who can invoke Document AI batch processing but cannot read a given bucket can have the service agent read that bucket on their behalf and deliver the contents to a location they control. Access is authorized against the service agent's permissions rather than the caller's. This is an instance of transitive access abuse, a class of security flaw in which unauthorized access is gained indirectly through a trusted intermediary.

Affected Services

Document AI, Cloud Storage

Remediation

Full remediation is not possible from the customer side, because the service agent's permissions are granted and managed by Google. Mitigating controls can be applied: use the Org Policy constraint constraints/serviceuser.services to prevent the Document AI API from being enabled in projects that do not need it, and use the Org Policy constraint constraints/gcp.restrictServiceUsage to restrict use of the API where it is enabled. Where Document AI is required, treat the ability to invoke batch processing as equivalent to read access to every Cloud Storage bucket in the project, and grant that ability accordingly.
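The two mitigating controls above expressed as Org Policy files for gcloud org-policies set-policy. This is an added illustrative configuration, not part of the original entry and not from Google; PROJECT_ID is a placeholder (the policies can equally be set on folders/FOLDER_ID or organizations/ORG_ID), and documentai.googleapis.com is assumed to be an accepted value for both constraints, which should be checked against each constraint's supported-values list before applying.

```yaml
# deny-documentai-enable.yaml
# constraints/serviceuser.services: block the Document AI API from being
# enabled in this project at all. Apply with:
#   gcloud org-policies set-policy deny-documentai-enable.yaml
# PROJECT_ID is a placeholder; documentai.googleapis.com is assumed to be
# a supported value for this constraint.
name: projects/PROJECT_ID/policies/serviceuser.services
spec:
  rules:
    - values:
        deniedValues:
          - documentai.googleapis.com
---
# restrict-documentai-usage.yaml
# constraints/gcp.restrictServiceUsage: deny use of the Document AI API
# (which covers the batch-processing endpoints) even where it is already
# enabled. Apply with:
#   gcloud org-policies set-policy restrict-documentai-usage.yaml
name: projects/PROJECT_ID/policies/gcp.restrictServiceUsage
spec:
  rules:
    - values:
        deniedValues:
          - documentai.googleapis.com
```

Each document is its own policy file, since set-policy takes one policy per file. After applying, confirm the effective policy on the target project with gcloud org-policies describe serviceuser.services --project=PROJECT_ID --effective (and likewise for gcp.restrictServiceUsage); a policy inherited from a parent folder or organization can otherwise mask what was actually applied.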

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Thu, Apr 4th, 2024
Exploitability Period
Ongoing, since the introduction of the Document AI service and its batch processing capabilities.
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Kat Traxler, Vectra AI