Secret Loophole Discovered in Google Cloud

Cybersecurity researchers have discovered a privilege-escalation vulnerability in the Cloud Functions service on Google Cloud Platform (GCP). The flaw, dubbed ConfusedFunction, lets an attacker gain unauthorized access to other services in the project and to the confidential data they hold.

Tenable, the company that identified the issue, reports that an attacker can escalate to the Default Cloud Build Service Account. That account grants access to Cloud Build itself, Cloud Storage (including the source code of other functions in the project), Artifact Registry and Container Registry.

With that level of access, an attacker can move laterally within the victim's project, read data they were never granted, and update or delete it.

Cloud Functions provide a serverless environment for developers to create single-purpose functions triggered by cloud events without managing server infrastructure or frameworks.

The issue Tenable identified lies in the Cloud Build run that is created automatically whenever a Cloud Function is deployed. That build runs under a service account with excessive privileges, so an attacker who can deploy or update a Cloud Function can ride the build process to the Cloud Build service account's level of access.

Those privileges in turn reach the other Google Cloud services tied to the Cloud Function, such as Cloud Storage, Artifact Registry and Container Registry. In the hypothetical attack scenario Tenable describes, ConfusedFunction could be used to leak the Cloud Build service account's token through webhooks.

Following responsible disclosure, Google changed the default behaviour so that Cloud Build uses the Compute Engine default service account instead, to prevent this kind of abuse. These changes, however, do not apply to existing instances.

Tenable researcher Liv Matan noted that ConfusedFunction highlights the kind of problem that arises from software complexity and from the way cloud services interact with one another.

While the fix from GCP reduces the severity of the problem for new deployments, it does not eliminate it. Deploying a Cloud Function still triggers the creation of the same GCP services, and the minimum set of permissions the build still needs, Cloud Build's, remains quite broad.
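The two things a practitioner wants to know after reading the mechanism above and the note that the fix does not reach existing projects are: who in a project can deploy a function (the attacker's entry point), and how much reach the build service account has (the blast radius). The offline audit below is an added example, not Tenable's tooling or Google's; it parses the JSON shapes printed by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud functions describe NAME --gen2 --format=json`. The sample policy, the project number and the function documents are constructed for this example, and the role lists (`DEPLOYER_ROLES`, `BROAD_ROLES`) and the reading of `buildConfig.serviceAccount` as `projects/P/serviceAccounts/EMAIL` are the author's assumptions to be checked against your own project.

```python
"""Offline audit for ConfusedFunction-style exposure (added example).

Answers two questions from exported IAM and function metadata:
  1. which principals can deploy/update functions, i.e. trigger a build;
  2. whether the legacy Cloud Build service account still holds broad roles
     and whether each function's build still runs under it.
"""
import json

PROJECT_NUMBER = "123456789012"  # constructed project number for the sample data

# Roles that let a principal create or update a function (assumed list).
DEPLOYER_ROLES = {
    "roles/cloudfunctions.developer",
    "roles/cloudfunctions.admin",
    "roles/run.developer",
    "roles/editor",
    "roles/owner",
}

# Roles on the build service account that give the reach the advisory
# describes: Cloud Build, Cloud Storage, Artifact Registry, Container Registry
# (assumed list; extend it for your environment).
BROAD_ROLES = {
    "roles/cloudbuild.builds.builder",
    "roles/storage.admin",
    "roles/artifactregistry.admin",
    "roles/containerregistry.ServiceAgent",
    "roles/editor",
    "roles/owner",
}

# Constructed sample of `gcloud projects get-iam-policy --format=json` output.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/cloudfunctions.developer",
     "members": ["user:dev@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:auditor@example.com"]}
  ]
}
""")

# Constructed sample of three `gcloud functions describe --gen2` documents.
SAMPLE_FUNCTIONS = json.loads("""
[
  {"name": "projects/demo/locations/us-central1/functions/legacy-build",
   "buildConfig": {"serviceAccount":
     "projects/demo/serviceAccounts/123456789012@cloudbuild.gserviceaccount.com"}},
  {"name": "projects/demo/locations/us-central1/functions/no-build-sa",
   "buildConfig": {}},
  {"name": "projects/demo/locations/us-central1/functions/scoped-build",
   "buildConfig": {"serviceAccount":
     "projects/demo/serviceAccounts/fn-build@demo.iam.gserviceaccount.com"}}
]
""")


def legacy_build_sa(project_number):
    """Email of the legacy Cloud Build service account for a project."""
    return f"{project_number}@cloudbuild.gserviceaccount.com"


def roles_for_member(policy, member):
    """All roles bound to one member string (e.g. 'serviceAccount:...')."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def members_with_roles(policy, roles):
    """All members holding any role in `roles`."""
    out = set()
    for b in policy.get("bindings", []):
        if b["role"] in roles:
            out.update(b.get("members", []))
    return out


def audit_policy(policy, project_number):
    """Entry point (deployers) and blast radius (build SA's broad roles)."""
    sa = "serviceAccount:" + legacy_build_sa(project_number)
    roles = roles_for_member(policy, sa)
    return {
        "build_sa": sa,
        "broad_roles": sorted(roles & BROAD_ROLES),
        "deployers": sorted(m for m in members_with_roles(policy, DEPLOYER_ROLES) if m != sa),
    }


def classify_build_sa(function, project_number):
    """'legacy' = builds under the Cloud Build SA; 'unset' = project default,
    which on a project created before the fix is still the legacy SA; 'custom'
    = a dedicated, scoped build account."""
    ref = function.get("buildConfig", {}).get("serviceAccount", "")
    email = ref.rsplit("/", 1)[-1]
    if not email:
        return "unset"
    if email == legacy_build_sa(project_number):
        return "legacy"
    return "custom"


def audit_functions(functions, project_number):
    """Map short function name -> build SA classification."""
    return {f["name"].rsplit("/", 1)[-1]: classify_build_sa(f, project_number) for f in functions}


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY, PROJECT_NUMBER), indent=2))
    print(json.dumps(audit_functions(SAMPLE_FUNCTIONS, PROJECT_NUMBER), indent=2))
```

Any function reported as `legacy` or `unset` on a pre-fix project is one whose deployers inherit whatever `broad_roles` shows; the remediation is to deploy with a dedicated build service account that holds only the roles the build needs, and to trim the legacy account's bindings down to that same set.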

ConfusedFunction underscores the importance of continuous vigilance and careful privilege management in cloud environments. Regular security audits and the principle of least privilege should form the foundation of any company's cybersecurity strategy.
