Full Report
Unit 42 uncovers a "double agent" flaw in Google Cloud's Vertex AI, demonstrating how overprivileged AI agents can compromise cloud environments. The post Double Agents: Exposing Security Blind Spots in GCP Vertex AI appeared first on Unit 42.
Analysis Summary
# Vulnerability: Privilege Escalation and Data Exfiltration via Overprivileged Vertex AI Agents
## CVE Details
- **CVE ID:** N/A (Google Cloud vulnerabilities are generally tracked via internal identifiers rather than public CVEs; however, it is recognized as a critical design flaw/security bypass).
- **CVSS Score:** Estimated 8.8 (High) - based on the potential for lateral movement and full environmental compromise.
- **CWE:** CWE-269 (Improper Privilege Management), CWE-918 (Server-Side Request Forgery).
## Affected Systems
- **Products:** Google Cloud Platform (GCP) Vertex AI.
- **Versions:** All versions prior to the September 2024 security updates.
- **Configurations:** Google Cloud projects with Vertex AI "Extensions" or "Search and Conversation" enabled, specifically those utilizing the default **Vertex AI Service Agent** or custom service accounts with excessive permissions.
## Vulnerability Description
The flaw involves a "Double Agent" scenario where a threat actor manipulates an AI agent's "Tools" or "Extensions." Vertex AI allows models to interact with the real world via API calls. Unit 42 researchers found that:
1. **Overprivileged Service Accounts:** By default, Vertex AI agents often run with broad permissions designed for ease of use.
2. **Tool Manipulation:** An attacker can provide a malicious OpenAPI specification to a Vertex AI Extension.
3. **SSRF and Lateral Movement:** The agent can be coerced into making unauthorized requests to internal GCP metadata services (IMDS) or internal APIs. Because the agent acts with the identity of the service account, it can exfiltrate sensitive data, modify cloud resources, or move laterally within the GCP environment.
## Exploitation
- **Status:** PoC available (demonstrated by Unit 42 researchers). No known exploitation in the wild at the time of publication.
- **Complexity:** Medium (Requires knowledge of OpenAPI specs and Prompt Injection/Insecure Output Handling).
- **Attack Vector:** Network (Remote via the Vertex AI API or Management Console).
## Impact
- **Confidentiality:** High (Access to sensitive data stored in buckets, BigQuery, or internal metadata).
- **Integrity:** High (Ability to modify or delete cloud infrastructure and data).
- **Availability:** High (Potential to shut down services or delete critical resources).
## Remediation
### Patches
- **Google-side Update:** Google has implemented backend mitigations to prevent AI Extensions from accessing the GCP Instance Metadata Service (IMDS) and other sensitive internal endpoints.
- **Improved Logging:** Google enhanced audit logging for Vertex AI Extension calls to provide better visibility.
### Workarounds
- **Principle of Least Privilege:** Replace the default Vertex AI Service Agent with a user-managed Service Account (UMSA) granted only the specific permissions required for the task.
- **Network Controls:** Use VPC Service Controls (VPC-SC) to define a security perimeter around sensitive data and AI resources.
- **Input Validation:** Strictly validate and sanitize OpenAPI specifications used for tool calling.
## Detection
- **Indicators of Compromise:**
- Unexpected API calls from the `[email protected]` identity.
- Outbound HTTP requests from Vertex AI instances to unknown external domains (exfiltration points).
- **Detection Methods:**
- Monitor Cloud Audit Logs for `google.cloud.aiplatform.v1.ExtensionService` operations.
- Analyze `data_access` logs for unusual access patterns to Cloud Storage or Secret Manager by AI service accounts.
## References
- **Unit 42 Original Report:** hxxps[://]unit42[.]paloaltonetworks[.]com/double-agents-vertex-ai/
- **Google Cloud Vertex AI Security Documentation:** hxxps[://]cloud[.]google[.]com/vertex-ai/docs/general/security
- **Google AI Security Posture:** hxxps[://]cloud[.]google[.]com/security/infrastructure/design/ai-security-concepts