Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation

July 19, 2023 | THN | Cloud security / vulnerabilities

Cybersecurity researchers have discovered a privilege escalation vulnerability in Google Cloud. This vulnerability could allow malicious attackers to modify application images to infect users, leading to supply chain attacks.

The problem, dubbed Bad.Build, is rooted in the Google Cloud Build service, according to cloud security firm Orca, which discovered and reported the issue.

“By exploiting this vulnerability and enabling default Cloud Build service spoofing, an attacker can manipulate images in the Google Artifact Registry and inject malicious code,” the company said in a statement shared with The Hacker News.

“Any application built from the manipulated image will be affected. Also, if the rogue application is intended to be deployed into the customer’s environment, the risk goes from the supplying organization’s environment to the customer’s environment. It spreads and poses a significant risk to the supply chain.”

Following responsible disclosure, Google issued a partial fix that did not eliminate the privilege escalation vector, describing it as a low-severity issue. No further action is required from customers.

This design flaw stems from the fact that Cloud Build automatically creates a default service account that runs project builds on your behalf. Specifically, that service account was granted an excessive permission (“logging.privateLogEntries.list”) that gives it access to the audit logs, which contain the full list of all permissions for the project.

“What makes this information so lucrative is that it greatly facilitates lateral movement and privilege escalation within the environment,” said Orca researcher Roi Nisimi. “Knowing which GCP accounts can perform which actions is like solving a big piece of the puzzle on how to launch an attack.”

An attacker who has already obtained the ‘cloudbuild.builds.create’ permission by other means can thus impersonate the Google Cloud Build service account to gain elevated privileges, access the images used within Google Kubernetes Engine (GKE), and modify them to include malware.

“Once the malicious image is deployed, an attacker can exploit it to execute code on the Docker container as root,” explained Nisimi.


A patch applied by Google revokes the logging.privateLogEntries.list permission from the Cloud Build service account, which prevents access to enumerate private logs by default.

This isn’t the first time a privilege escalation flaw has been reported affecting Google Cloud Platform. In 2020, Gitlab, Rhino Security Labs, and Praetorian detailed various techniques that can be abused to compromise cloud environments.

Customers are encouraged to monitor the behavior of the default Google Cloud Build service account to detect potentially malicious activity, and to apply the principle of least privilege (PoLP) to its permissions to mitigate the risk.
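The two technical points above, that the default Cloud Build service account carries an over-broad permission and that customers should review it under least privilege, can be turned into a concrete audit. The following is an added example, not code from Orca or Google. It reads a project IAM policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`, identifies the default Cloud Build service account by its `PROJECT_NUMBER@cloudbuild.gserviceaccount.com` naming scheme, and reports which of its roles carry a sensitive permission. The sample policy and the role-to-permission map are constructed for the demo; in real use the map is an assumption you would replace with the `includedPermissions` field of `gcloud iam roles describe ROLE --format=json` for each role found.

```python
"""Audit the IAM bindings of the default Cloud Build service account.

Added, self-contained example (not Orca's or Google's code). Input shapes
mirror `gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud iam roles describe ROLE --format=json`; the sample policy and the
role->permission map below are CONSTRUCTED and must be replaced with real
gcloud output before use.
"""
import json
import re

# Permissions the article singles out: the one Google revoked from the
# default service account, and the one an attacker needs to abuse builds.
SENSITIVE_PERMISSIONS = {
    "logging.privateLogEntries.list",
    "cloudbuild.builds.create",
}

# Default Cloud Build SA naming scheme: PROJECT_NUMBER@cloudbuild.gserviceaccount.com
CLOUD_BUILD_SA_RE = re.compile(
    r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$"
)

# Constructed sample: the kind of document get-iam-policy returns.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/logging.privateLogViewer",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXYZ",
  "version": 1
}
""")

# Constructed role->permission map (assumption: stands in for the
# includedPermissions field of `gcloud iam roles describe`).
SAMPLE_ROLE_PERMISSIONS = {
    "roles/cloudbuild.builds.builder": {
        "cloudbuild.builds.create", "cloudbuild.builds.get", "storage.objects.get",
    },
    "roles/logging.privateLogViewer": {
        "logging.logEntries.list", "logging.privateLogEntries.list",
    },
    "roles/viewer": {"resourcemanager.projects.get"},
}


def cloud_build_service_accounts(policy):
    """Return the set of default Cloud Build SA members found in any binding."""
    found = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if CLOUD_BUILD_SA_RE.match(member):
                found.add(member)
    return found


def roles_for_member(policy, member):
    """Roles bound to `member` at the project level, sorted for stable output."""
    return sorted(
        b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])
    )


def sensitive_grants(policy, role_permissions, sensitive=SENSITIVE_PERMISSIONS):
    """Map each default Cloud Build SA to the (role, permission) pairs that
    grant a sensitive permission.  A role missing from `role_permissions` is
    reported explicitly rather than silently ignored, so the reviewer knows
    to describe it."""
    report = {}
    for sa in cloud_build_service_accounts(policy):
        hits = []
        for role in roles_for_member(policy, sa):
            perms = role_permissions.get(role)
            if perms is None:
                hits.append((role, "<role not described; run gcloud iam roles describe>"))
                continue
            for perm in sorted(perms & sensitive):
                hits.append((role, perm))
        report[sa] = hits
    return report


if __name__ == "__main__":
    for sa, hits in sensitive_grants(SAMPLE_POLICY, SAMPLE_ROLE_PERMISSIONS).items():
        print(sa)
        for role, perm in hits:
            print(f"  {role}: {perm}")
```

Each reported pair is a binding to review: if the build pipeline does not need that permission, move the role off the default account, or run builds under a user-managed service account with a narrower role, and alert on any future binding change for the default account.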
