Carding Forum
Automatic assignment of privileges puts project security at risk.
Cybersecurity researchers have discovered a privilege escalation vulnerability in the Google Cloud Platform's Cloud Functions service. This vulnerability, called ConfusedFunction, can allow an attacker to gain unauthorized access to other services and confidential data.
Tenable, which identified the problem, explained that an attacker can increase their privileges to the level of the Default Cloud Build Service account and gain access to a variety of services, such as Cloud Build, storage (including the source code of other functions), artifact registries and containers.
Such access allows an attacker to perform lateral movement and privilege escalation in the victim's project, as well as gain unauthorized access to data and even update or delete it.
Cloud Functions is a server-side task environment that allows developers to create single-purpose functions that run in response to specific events in the cloud without having to manage the server or update frameworks.
The problem that Tenable detected is that the Cloud Build account is created automatically and associated with the default Cloud Build instance when creating or updating a Cloud Function. This account has excessive privileges, which allows an attacker who has access to create or update a Cloud Function to use this loophole to upgrade their privileges to the Cloud Build account level.
These privileges can be used to access other Google Cloud services that are created with the Cloud Function, including Cloud Storage, Artifact Registry, and Container Registry. In a hypothetical attack scenario, the ConfusedFunction vulnerability can be used to leak the Cloud Build account token via a webhook.
Following responsible disclosure, Google updated standard behavior so that Cloud Build uses the default Compute Engine account to prevent abuse. However, it is worth noting that these changes do not apply to existing instances.
Tenable researcher Liv Matan noted that the ConfusedFunction vulnerability highlights problematic scenarios that can occur due to software complexity and cross-service interaction in cloud services.
While the GCP fix reduced the severity of the issue for future deployments, it did not completely fix it. Deploying the Cloud Function still triggers the creation of the specified GCP services, which requires assigning the minimum necessary but still fairly broad privileges to the Cloud Build account during the function deployment process.
The ConfusedFunction vulnerability highlights the need for constant vigilance and proper privilege management in the IT sector. Regular security audits and the principle of least privilege should be the foundation of any company's cybersecurity strategy.
Source
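Because Google's change does not apply to existing projects, the practical follow-up for a defender is to check what roles the default Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com) actually holds. The script below is an added example, not part of the article or Tenable's research: it audits a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and flags every role on that account outside an allowlist. The allowlist and the sample policy are constructed assumptions for illustration.

```python
import json
import re
import sys

# Default Cloud Build service account: PROJECT_NUMBER@cloudbuild.gserviceaccount.com
CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Roles we accept on the build account (assumption: reviewer's own allowlist;
# roles/cloudbuild.builds.builder is what the account is granted by default).
ALLOWED_ROLES = {"roles/cloudbuild.builds.builder"}


def audit_cloud_build_sa(policy: dict, allowed_roles=ALLOWED_ROLES) -> list:
    """Return one finding per (member, role) where the default Cloud Build
    service account holds a role that is not in allowed_roles."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if CLOUD_BUILD_SA.match(member) and role not in allowed_roles:
                findings.append({
                    "member": member,
                    "role": role,
                    # IAM conditions narrow a grant; record whether one is present.
                    "conditional": "condition" in binding,
                })
    return findings


# Constructed sample policy: the build account holds two roles beyond the allowlist.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "user:dev@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
  ]
}
""")

if __name__ == "__main__":
    # Pipe a real policy in: gcloud projects get-iam-policy PROJECT_ID --format=json | python audit.py
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for f in audit_cloud_build_sa(policy):
        print(f"{f['member']} holds {f['role']} (conditional={f['conditional']})")
```

Any role reported here is a candidate for removal or for replacement with a dedicated least-privilege build account; a clean result on the allowlist alone does not cover Cloud Function runtime identities, which need their own review.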