Cybersecurity researchers have disclosed a privilege escalation vulnerability affecting Google Cloud Platform's Cloud Functions service that an attacker could use to gain unauthorized access to other services and sensitive data.
The vulnerability has been codenamed ConfusedFunction by Tenable.
“An attacker can elevate their privileges to the default Cloud Build service account and gain access to many services, such as Cloud Build, storage (including the source code of other functions), the artifact registry, and the container registry,” the exposure management company said in a statement.
“This access allows for lateral movement and elevation of privileges in the victim’s project, access to unauthorized data, and even its update or deletion.”
Cloud Functions refers to a serverless execution environment that allows developers to create single-purpose functions that run in response to specific cloud events without having to manage a server or update infrastructure.
The problem identified by Tenable is that a Cloud Build service account is created in the background and attached to a Cloud Build instance whenever a Cloud Function is created or updated.
This service account opens the door to potential malicious activity because of its excessive permissions: an attacker who is allowed to create or update a Cloud Function can exploit this behavior to elevate their privileges to those of the service account.
Those permissions can then be abused to access other Google Cloud services that are created alongside the Cloud Function, including Cloud Storage, Artifact Registry, and Container Registry. In a hypothetical attack scenario, ConfusedFunction could be used to leak the Cloud Build service account's token via a webhook.
Following responsible disclosure, Google has updated the default behavior so that Cloud Build uses the Compute Engine default service account in order to prevent misuse. It should be noted, however, that these changes do not apply to existing instances.
“The ConfusedFunction vulnerability highlights the problematic scenarios that can arise due to software complexity and the interrelationships between services in a cloud provider’s offering,” said Tenable researcher Liv Matan.
“While the GCP fix reduced the severity of the problem for future deployments, it did not completely eliminate it. This is because Cloud Function deployments still trigger the creation of the aforementioned GCP services. As a result, users still have to assign minimal but still relatively broad permissions to a Cloud Build service account as part of a function deployment.”
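The quote above leaves defenders with an audit task: find out which default service accounts in a project still hold broad roles. The script below is an added example written for this article, not Tenable's or Google's code. It reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` produces and reports every default service account that holds a basic role or the builder role the legacy Cloud Build account was granted by default. It also checks the Compute Engine default service account, because Google's fix routes Cloud Build through that account and, in older projects, that account is typically granted the Editor role at creation. The policy, the project number 123456789012 and the project ID example-project are constructed placeholders.

```python
"""Offline audit of a project IAM policy for the over-privileged default
service accounts behind ConfusedFunction.

Added example, not Tenable's or Google's code. Input is the JSON produced by
`gcloud projects get-iam-policy PROJECT --format=json`; the policy below is
constructed, with 123456789012 as a placeholder project number and
example-project as a placeholder project ID.
"""
import json
import re

# Default service accounts that a function deployment can end up running as:
# the legacy Cloud Build SA and the Compute Engine default SA, both keyed by
# project number.
DEFAULT_SA_PATTERNS = {
    "legacy-cloud-build": re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$"),
    "compute-default": re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
}

# Roles on those accounts that turn "may deploy a function" into project-wide
# access: the basic roles, plus the builder role the legacy SA held by default.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/cloudbuild.builds.builder"}

# Constructed sample policy: one legacy Cloud Build SA still holding the
# builder role, a Compute Engine default SA holding Editor, and a dedicated
# build SA with a narrow role that should not be reported.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:dev@example.com",
                 "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:fn-build@example-project.iam.gserviceaccount.com"]}
  ]
}
""")


def classify_member(member):
    """Return which default service account a member string is, or None."""
    for label, pattern in DEFAULT_SA_PATTERNS.items():
        if pattern.match(member):
            return label
    return None


def audit_policy(policy):
    """Return one finding per broad role held by a default service account."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            kind = classify_member(member)
            if kind is not None:
                findings.append({"account": member, "kind": kind, "role": role})
    return findings


def main():
    findings = audit_policy(SAMPLE_POLICY)
    for f in findings:
        print(f"[{f['kind']}] {f['account']} holds {f['role']}")
    if not findings:
        print("no default service account holds a broad role")


if __name__ == "__main__":
    main()
```

The human user with Editor is deliberately not reported: the check is scoped to the accounts a function deployment can run as. A finding is remediated by deploying functions with a dedicated build service account that holds only the narrow roles the build needs, and then removing the broad binding from the default account.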
The development comes after Outpost24 detailed a moderate cross-site scripting (XSS) flaw in the Oracle Integration Cloud Platform that could be used to inject malicious code into an application.
The flaw, rooted in the handling of the “consumer_url” parameter, was addressed by Oracle in its Critical Patch Update (CPU) released earlier this month.
“The page for creating a new integration, found at https://.integration.ocp.oraclecloud.com/ic/integration/home/faces/link?page=integration&consumer_url=
“This meant that an attacker would only need to identify the instance ID of a particular integration platform in order to send a functional payload to any user of the platform. In this way, an attacker can bypass the requirement to know a specific integration ID, which is normally only available to logged-in users.”
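The flaw above is a reflected parameter that reached the page without the usual per-integration token. The snippet below is an added example, not Oracle's code, showing the two defensive layers a page that reflects a URL-valued parameter needs: allowlist validation of the parameter's scheme and host, and attribute encoding of whatever is finally emitted. The parameter name consumer_url comes from the Outpost24 finding; the allowlisted host, the page template and the request dictionary are assumptions.

```python
"""Hardened handling of a URL-valued query parameter that a page reflects.

Added example, not Oracle's code. The parameter name consumer_url comes from
the Outpost24 finding; the allowlist, the page template and the request
dictionary are assumptions.
"""
from html import escape
from urllib.parse import urlsplit

# Hosts that consumer_url may legitimately point to (assumed for the example).
ALLOWED_HOSTS = {"app.example.com"}


def validate_consumer_url(value, allowed_hosts=ALLOWED_HOSTS):
    """Return the URL if it is an absolute https URL to an allowlisted host.

    Everything else (javascript: and data: schemes, scheme-relative //host,
    user@host forms that point elsewhere, unknown hosts) is rejected with None.
    """
    if not isinstance(value, str):
        return None
    parts = urlsplit(value.strip())
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return None
    return parts.geturl()


def render_link(params):
    """Build the 'return to consumer' link for a request's query parameters."""
    url = validate_consumer_url(params.get("consumer_url", ""))
    if url is None:
        # The untrusted value is never echoed back, not even in an error message.
        return '<a href="/ic/integration/home">Back to integrations</a>'
    # Second layer: attribute-encode even the accepted value, so a quote inside
    # an otherwise valid URL cannot break out of the href attribute.
    return f'<a href="{escape(url, quote=True)}">Return to consumer</a>'


if __name__ == "__main__":
    for sample in ("https://app.example.com/home", "javascript:alert(1)",
                   "https://app.example.com@evil.example.net/"):
        print(repr(sample), "->", render_link({"consumer_url": sample}))
```

The host check uses `hostname` rather than a prefix match on the raw string, which is why the `user@host` form resolves to the real destination host and is rejected. Encoding on output is kept even after validation so that the safety of the page does not depend on the validator being perfect.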
It also follows Assetnote's discovery of three security vulnerabilities in the ServiceNow cloud computing platform (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217) that could be chained to gain full database access and execute arbitrary code in the context of the Now Platform.