Cybersecurity researchers have discovered a privilege escalation vulnerability in Google Cloud that could allow a malicious actor to tamper with application images and infect users, leading to supply chain attacks.
The issue, dubbed Bad.Build, is rooted in the Google Cloud Build service, according to cloud security firm Orca, which discovered and reported it.
“By abusing the weakness and enabling the default Cloud Build service impersonation, attackers can manipulate images in the Google Artifact Registry and inject malicious code,” the company said in a statement shared with The Hacker News.
“Any application built from manipulated images is then affected and, if the defective application is intended for use in a customer’s environment, risks moving from the supplying organization’s environment to their customer’s environment, which is a major supply chain risk.”
Following responsible disclosure, Google has published a partial fix that does not eliminate the privilege escalation vector, describing it as a low-severity issue. No further customer action is required.
The design flaw stems from the fact that Cloud Build automatically creates a default service account to run builds for projects on behalf of users. Specifically, that service account is granted an excessive permission (“logging.privateLogEntries.list”), which allows access to audit logs that contain a complete list of all permissions on the project.
“What makes this information so advantageous is that it greatly facilitates lateral movement and escalation of privilege in the environment,” said Orca researcher Roi Nisimi. “Knowing which GCP accounts can perform which actions is like solving a great puzzle of how to launch an attack.”
As a result, a bad actor could abuse the “cloudbuild.builds.create” permission, obtained by other means, to impersonate the Google Cloud Build service account and gain elevated privileges, exfiltrate images currently in use inside Google Kubernetes Engine (GKE), and modify them to include malware.
“Once the malicious image is propagated, an attacker can exploit it and run code on the docker container as root,” explained Nisimi.
The fix applied by Google revokes the logging.privateLogEntries.list permission from the Cloud Build service account, preventing it from enumerating private logs by default.
This is not the first time a privilege escalation flaw impacting Google Cloud Platform has been reported. In 2020, GitLab, Rhino Security Labs, and Praetorian detailed several techniques by which the platform could be exploited to compromise a cloud environment.
Customers are advised to monitor the behavior of the default Google Cloud Build service account to detect potentially malicious activity and to apply the principle of least privilege (PoLP) to mitigate the risk.
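As an added example (not code from Orca or Google), here is a small audit that applies the advice above: given a project's IAM policy and the permission lists of the bound roles, it reports which roles granted to the default Cloud Build service account still carry logging.privateLogEntries.list. The policy and role map below are constructed sample data shaped like `gcloud projects get-iam-policy --format=json` and `gcloud iam roles describe --format=json` output; the project number is a placeholder.

```python
"""Flag roles bound to the default Cloud Build service account that grant
logging.privateLogEntries.list. Sample inputs below are constructed for this
example and do not come from a real project."""
import json

SENSITIVE_PERMISSION = "logging.privateLogEntries.list"


def cloud_build_sa(project_number: str) -> str:
    # Naming scheme of the default Cloud Build service account.
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def audit_cloud_build_sa(policy: dict, role_perms: dict, project_number: str) -> list:
    """Return (role, reason) pairs for the default Cloud Build SA: roles that
    include the sensitive permission, or roles with no known definition.
    role_perms maps role name -> list of includedPermissions."""
    member = cloud_build_sa(project_number)
    findings = []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        perms = role_perms.get(role)
        if perms is None:
            # Role definition not supplied (e.g. a custom role): review manually.
            findings.append((role, "unknown-role"))
        elif SENSITIVE_PERMISSION in perms:
            findings.append((role, SENSITIVE_PERMISSION))
    return findings


# Constructed sample policy: placeholder project number 123456789012.
SAMPLE_POLICY = json.loads("""{
 "bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/logging.privateLogViewer",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["user:alice@example.com"]}
 ]}""")
# Constructed, abbreviated permission lists for the roles above.
SAMPLE_ROLE_PERMS = {
    "roles/cloudbuild.builds.builder": ["cloudbuild.builds.create"],
    "roles/logging.privateLogViewer": ["logging.logEntries.list",
                                       "logging.privateLogEntries.list"],
}

if __name__ == "__main__":
    for role, why in audit_cloud_build_sa(SAMPLE_POLICY, SAMPLE_ROLE_PERMS, "123456789012"):
        print(f"REVIEW: {role} ({why})")
```

On a real project, feed it the JSON from the two gcloud commands named above and treat every reported role as a candidate for removal under least privilege.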