AI Security AI安全 2d ago Updated 2d ago 更新于 2天前 46

Google Dialogflow CX Bug Allowed Attackers to Hijack AI Conversations Google Dialogflow CX 漏洞允许攻击者劫持 AI 对话

A critical vulnerability named "Rogue Agent" in Google Cloud's Dialogflow CX allowed attackers to silently hijack conversational AI agents and exfiltrate sensitive data. The flaw stemmed from shared Cloud Run execution environments where malicious actors could overwrite key execution files using Python's `exec()` function to inject arbitrary code. Attackers bypassed VPC Service Controls via bidirectional communication channels and accessed Instance Metadata Service (IMDS) to steal Google-managed Google Cloud Dialogflow CX 存在名为 "Rogue Agent" 的高危漏洞,允许攻击者通过滥用 Code Blocks 功能接管同一项目下的所有代理。 漏洞根源在于共享的 Cloud Run 执行环境缺乏隔离,攻击者可利用 `exec()` 函数覆盖关键文件并注入恶意 Python 代码。 攻击者能静默窃取敏感对话数据、绕过 VPC Service Controls 建立双向通信通道,并利用 IMDS 获取服务账户令牌。 该漏洞导致会话劫持、钓鱼攻击及数据外泄,且由于修改不记录在日志中,攻击过程完全隐蔽。 Varonis 于 2025 年 11 月报告此漏洞,Goo

65
Hot 热度
60
Quality 质量
70
Impact 影响力

Analysis 深度分析

TL;DR

  • A critical vulnerability named "Rogue Agent" in Google Cloud's Dialogflow CX allowed attackers to silently hijack conversational AI agents and exfiltrate sensitive data.
  • The flaw stemmed from shared Cloud Run execution environments where malicious actors could overwrite key execution files using Python's exec() function to inject arbitrary code.
  • Attackers bypassed VPC Service Controls via bidirectional communication channels and accessed Instance Metadata Service (IMDS) to steal Google-managed service account tokens.
  • The vulnerability remained undetected because the file modifications were not logged, enabling persistent, invisible control over all agents within the same GCP project.
  • Google patched the issue initially in April and fully resolved it by June after receiving the report from Varonis in November 2025.

Why It Matters

This incident highlights severe security risks in enterprise-grade AI platforms that rely on serverless execution environments for custom logic. It demonstrates how misconfigurations in shared infrastructure can lead to catastrophic breaches of data integrity and confidentiality, particularly in sectors handling sensitive customer information.

Technical Details

  • Vulnerability Mechanism: The core issue involved the exec() function in Python being used to execute code blocks within a shared Cloud Run environment, allowing attackers to overwrite critical execution files.
  • Environment Sharing: All Dialogflow agents using Code Blocks within the same GCP project shared the same Cloud Run instance, meaning a compromise in one agent affected all others in that project.
  • Bypassing Security Controls: Attackers established bidirectional communication channels to external servers, effectively bypassing VPC Service Controls designed to enforce data perimeters.
  • Credential Theft: The Instance Metadata Service (IMDS) within the Cloud Run environment was exploited to retrieve access tokens for Google-managed service accounts, facilitating further unauthorized actions.
  • Stealth Tactics: The attack was undetectable through standard logging because the malicious file modifications did not generate log entries, ensuring silent persistence.

Industry Insight

  • Isolate Execution Environments: Organizations must ensure that custom code execution environments for AI agents are strictly isolated per tenant or project to prevent cross-contamination and lateral movement.
  • Audit Serverless Permissions: Regular audits of permissions in serverless services like Cloud Run are essential, particularly focusing on file system write access and metadata service exposure.
  • Enhance Logging and Monitoring: Implement comprehensive logging for code execution environments and monitor for anomalies in file modifications to detect stealthy attacks that bypass traditional security controls.

TL;DR

  • Google Cloud Dialogflow CX 存在名为 "Rogue Agent" 的高危漏洞,允许攻击者通过滥用 Code Blocks 功能接管同一项目下的所有代理。
  • 漏洞根源在于共享的 Cloud Run 执行环境缺乏隔离,攻击者可利用 exec() 函数覆盖关键文件并注入恶意 Python 代码。
  • 攻击者能静默窃取敏感对话数据、绕过 VPC Service Controls 建立双向通信通道,并利用 IMDS 获取服务账户令牌。
  • 该漏洞导致会话劫持、钓鱼攻击及数据外泄,且由于修改不记录在日志中,攻击过程完全隐蔽。
  • Varonis 于 2025 年 11 月报告此漏洞,Google 分别于 4 月和 6 月发布了初步补丁和完整修复方案。

为什么值得看

本文揭示了企业级 AI 平台在集成自定义代码执行功能时的严重安全设计缺陷,特别是多租户环境下的资源隔离问题。对于依赖 Dialogflow CX 处理敏感数据的金融、医疗等行业从业者而言,这是一次关于云原生 AI 应用安全审计的重要警示。

技术解析

  • 漏洞机制:Dialogflow CX 的 Playbook 允许嵌入自定义 Python 逻辑(Code Blocks),这些代码在 Google 管理的 Cloud Run 实例中运行。同一 GCP 项目下的所有使用 Code Blocks 的代理共享同一个 Cloud Run 执行环境。
  • 攻击向量:攻击者利用具有配置 Code Blocks 权限的单一代理,通过 Python 的 exec() 函数修改负责执行代码的关键文件。由于执行环境拥有公共访问权限、可写文件系统以及高权限用户,攻击者得以注入恶意代码。
  • 危害范围:注入的代码在同一作用域内执行,可直接引用变量,实现对正在进行中的会话的全局可见性。攻击者不仅能劫持会话、伪造合法流程,还能调用内部函数强制返回特定字符串以实施社会工程学攻击。
  • 网络与身份窃取:攻击者建立了绕过 VPC Service Controls 的双向外部通信通道,并针对 Cloud Run 环境中的实例元数据服务(IMDS)发起攻击,以检索 Google 管理服务账户的访问令牌,进一步横向移动。
  • 隐蔽性:恶意文件的修改逻辑被设计为持久化且不会出现在常规日志中,使得攻击者在控制代理、操纵对话和导出数据时完全不可见。

行业启示

  • 强化代码执行沙箱隔离:企业在构建 AI Agent 并允许自定义代码执行时,必须确保每个代理或工作流的代码执行环境具备严格的隔离性,避免共享底层基础设施导致的权限提升和数据泄露风险。
  • 最小权限原则与监控审计:需重新评估 Cloud Run 等无服务器服务的权限配置,严格限制对系统文件和元数据服务的访问。同时,应部署针对代码执行变更的深度行为监控,而非仅依赖传统日志审计。
  • 第三方 AI 服务的安全评估:在使用大型云厂商的 AI 平台(如 Dialogflow CX)时,不能盲目信任其默认安全配置。企业应主动进行渗透测试和安全架构审查,特别关注涉及数据 perimeter 控制和身份凭证管理的边界场景。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Conversational AI 对话系统 Security 安全 Agent Agent