Cybersecurity researchers have uncovered a privilege escalation vulnerability in Google Cloud that could enable malicious actors tamper with application images and infect users, leading to supply chain attacks.
The issue, dubbed Bad.Build, is rooted in the Google Cloud Build service, according to cloud security firm Orca, which discovered and reported the issue.
"By abusing the flaw and enabling an impersonation of the default Cloud Build service, attackers can manipulate images in the Google Artifact Registry and inject malicious code," the company said in a statement shared with The Hacker News.
"Any applications built from the manipulated images are then affected and, if the malformed applications are meant to be deployed on customer's environments, the risk crosses from the supplying organization's environment to their customers' environments, constituting a major supply chain risk."
Following responsible disclosure, Google has issued a partial fix that doesn't eliminate the privilege escalation vector, describing it as a low-severity issue. No further customer action is required.
"We created our Vulnerability Rewards Program specifically to identify and fix vulnerabilities like this one. We are appreciative of Orca and the broader security community's participation in these programs. We appreciate the work of the researchers and have incorporated a fix based on their report as outlined in a security bulletin issued in early June." a spokesperson for Google told The Hacker News.
The design flaw stems from the fact that Cloud Build automatically creates a default service account to execute builds for a project on users' behalf. Specifically, the service account comes with excessive permissions ("logging.privateLogEntries.list"), which allows access to audit logs containing the complete list of all permissions on the project.
"What makes this information so lucrative is that it greatly facilitates lateral movement and privilege escalation in the environment," Orca researcher Roi Nisimi said. "Knowing which GCP account can perform which action, is equal to solving a great piece of the puzzle on how to launch an attack."
In doing so, a malicious actor could abuse the "cloudbuild.builds.create" permission already obtained by other means to impersonate the Google Cloud Build service account and obtain elevated privileges, exfiltrate an image that is being used inside Google Kubernetes Engine (GKE), and alter it to incorporate malware.
"Once the malicious image is deployed, the attacker can exploit it and run code on the docker container as root," Nisimi explained.
The patch put in place by Google revokes the logging.privateLogEntries.list permission from the Cloud Build service account, thereby preventing access to enumerate private logs by default.
This is not the first time privilege escalation flaws impacting the Google Cloud Platform have been reported. In 2020, Gitlab, Rhino Security Labs, and Praetorian detailed various techniques that could be exploited to compromise cloud environments.
Customers are advised to monitor the behavior of the default Google Cloud Build service account to detect any possible malicious behavior as well as apply the principle of least privilege (PoLP) to mitigate possible risks.
