Google Cloud Platform Vulnerability Highlighted by Tenable
In a recent development, a vulnerability has been discovered in Google Cloud Platform (GCP) that affects the Cloud Function serverless compute service and the Cloud Build CI/CD pipeline service. This vulnerability, known as ConfusedFunction, allows an attacker to escalate privileges during the deployment of Cloud Functions.
The issue arises from excessive permissions given to the default Cloud Build service account during the deployment process. An attacker with the ability to create or update a Cloud Function can exploit this deployment process, potentially escalating privileges to the default Cloud Build service account. This could allow the attacker to run code as the default Cloud Build service account, and the escalated privileges can extend to other GCP services such as Cloud Storage, Artifact Registry, and Container Registry.
Tenable senior research engineer Liv Matan has highlighted the problematic scenarios due to software complexity and inter-service communication in a cloud provider's services. Matan stated that the vulnerability underscores the need for careful management of permissions and trust between services in cloud environments.
Google has remedied ConfusedFunction for future Cloud Build accounts, but the vulnerability still affects existing Cloud Build instances in GCP. As a result, immediate remedial action is required for these instances. For every cloud function using the legacy Cloud Build service account, it is advised to replace it with a least-privilege service account.
It's important to note that Google has not changed the privileges from Cloud Build service accounts created before the fix was implemented. This means that these older accounts remain vulnerable. GCP has remediated ConfusedFunction for Cloud Build accounts created after February 14, 2024, to some extent.
The process of attaching a default Cloud Build service account to a Cloud Build instance during the deployment of Cloud Functions happens in the background and isn't something that ordinary users would be aware of. This makes it crucial for users to be vigilant and take necessary steps to secure their Cloud Build instances and associated Cloud Functions.
In conclusion, the ConfusedFunction vulnerability is a reminder of the importance of proper permission management and inter-service trust in cloud environments. Users are advised to review their Cloud Build service account permissions and take appropriate actions to mitigate the risk.
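The audit the article recommends can be scripted. The example below is added here and is not code from the article or from Tenable; it assumes each function record mirrors the `buildConfig.serviceAccount` field of `gcloud functions describe --format=json` (2nd gen functions) and that `gcloud functions deploy` accepts `--build-service-account`. The sample records and project name are constructed.

```python
"""Flag Cloud Functions still built with the default Cloud Build service account."""
from typing import List, Optional

# Well-known suffix of the default Cloud Build service account
# (PROJECT_NUMBER@cloudbuild.gserviceaccount.com).
DEFAULT_BUILD_SA_SUFFIX = "@cloudbuild.gserviceaccount.com"

# Constructed sample records (shape assumed to follow the v2 describe output).
SAMPLE_FUNCTIONS = [
    {"name": "projects/demo/locations/us-central1/functions/ingest",
     "buildConfig": {"serviceAccount":
                     "projects/demo/serviceAccounts/123456789012@cloudbuild.gserviceaccount.com"}},
    {"name": "projects/demo/locations/europe-west1/functions/report",
     "buildConfig": {}},  # no explicit build account set
    {"name": "projects/demo/locations/us-central1/functions/notify",
     "buildConfig": {"serviceAccount":
                     "projects/demo/serviceAccounts/fn-build@demo.iam.gserviceaccount.com"}},
]


def build_sa_email(fn: dict) -> Optional[str]:
    """Return the build service account e-mail, or None if none is set."""
    sa = fn.get("buildConfig", {}).get("serviceAccount")
    if not sa:
        return None
    return sa.rsplit("/", 1)[-1]  # strip the projects/.../serviceAccounts/ prefix


def needs_review(fn: dict) -> bool:
    """True when the function builds with the default Cloud Build account,
    or sets no explicit account at all (so no least-privilege account is pinned)."""
    email = build_sa_email(fn)
    return email is None or email.endswith(DEFAULT_BUILD_SA_SUFFIX)


def audit(functions: List[dict]) -> List[str]:
    """Short names of functions that should be moved to a least-privilege account."""
    return [fn["name"].rsplit("/", 1)[-1] for fn in functions if needs_review(fn)]


def remediation_command(fn: dict, custom_sa: str) -> str:
    """Redeploy command pinning a custom build account (flag assumed from gcloud docs)."""
    parts = fn["name"].split("/")
    region, short = parts[3], parts[-1]
    return (f"gcloud functions deploy {short} --region={region} "
            f"--build-service-account={custom_sa}")


if __name__ == "__main__":
    for fn in SAMPLE_FUNCTIONS:
        if needs_review(fn):
            print(remediation_command(fn, "fn-build@demo.iam.gserviceaccount.com"))
```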