Google Cloud Build Vulnerability Threatens Software Supply Chain

Cybersecurity experts discover vulnerability in Google Cloud Platform

Cybersecurity experts have found a vulnerability in the Google Cloud Platform (GCP) that could potentially allow attackers to introduce malicious code into application images and infect users, leading to supply chain attacks.

The vulnerability, known as “Bad.Build,” was primarily discovered in the Google Cloud Build (GCB) service, as revealed by Orca Security, the company responsible for finding and reporting the bug.[1]

By taking advantage of this vulnerability, hackers can manipulate images in the Google Artifact Registry (GAR) and introduce malicious code, infecting any applications built from these altered images. This poses a serious threat to both suppliers and their customers, as the risk is transferred from the supplier’s environment to the customer’s environment.[1]

Following the disclosure of the vulnerabilities, Google released a partial fix that addresses the issue by limiting the overly powerful permission. However, the fix does not completely eliminate the privilege escalation vector. Google has downplayed the significance of the vulnerability and states that no additional action is required from customers at this time.[2]

The vulnerability stems from the fact that Cloud Build automatically creates a default service account with excessive permissions, including access to the project’s audit logs. This valuable information facilitates lateral movement and privilege escalation within the environment, making it easier for attackers to launch an attack.[3]

Attackers can exploit the “cloudbuild.builds.create” permission to impersonate the Cloud Build service account and gain elevated privileges. They can then manipulate images used in Google Kubernetes Engine (GKE) and inject malicious code. Once these infected images are deployed, attackers have root access to the system, granting them full control over functions and files, with the ability to install, delete, or modify software.[4]
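The two conditions described above (who can create builds, and so run code as the Cloud Build service account, and what that default service account is itself allowed to do) can be checked from a project's IAM policy. The following audit script is an added example, not code from Orca Security or Google; it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` produces, and the set of predefined roles it treats as carrying cloudbuild.builds.create is taken from my reading of the IAM role reference and should be verified against current documentation. The sample policy is constructed.

```python
import json

# Predefined roles that, to my knowledge, carry cloudbuild.builds.create
# (assumption to verify against the current IAM role reference).
BUILD_CREATE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/cloudbuild.builds.editor",
    "roles/cloudbuild.builds.builder",
}
# The only role the default Cloud Build service account holds out of the box.
EXPECTED_BUILD_SA_ROLES = {"roles/cloudbuild.builds.builder"}


def default_build_sa(project_number: str) -> str:
    """IAM member string of the project's default Cloud Build service account."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def audit_policy(policy: dict, project_number: str) -> dict:
    """Report who can start builds and which extra roles the build SA holds."""
    build_sa = default_build_sa(project_number)
    creators, sa_roles = set(), set()
    for binding in policy.get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        if role in BUILD_CREATE_ROLES:
            creators.update(members)
        if build_sa in members:
            sa_roles.add(role)
    findings = []
    # Every principal that can create a build can execute code as the build SA.
    for member in sorted(creators - {build_sa}):
        findings.append(f"{member} can create builds and run code as {build_sa}")
    # Any role beyond the builder role widens what a hijacked build can reach.
    for role in sorted(sa_roles - EXPECTED_BUILD_SA_ROLES):
        findings.append(f"{build_sa} holds extra role {role}")
    return {"build_creators": sorted(creators),
            "build_sa_roles": sorted(sa_roles),
            "findings": findings}


# Constructed sample policy; the project number and principals are made up.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["user:admin@example.com"]},
  {"role": "roles/cloudbuild.builds.editor", "members": ["user:dev@example.com"]},
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/logging.privateLogViewer",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}]}""")

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, "123456789012")["findings"]:
        print("FINDING:", finding)
```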

While root access offers more flexibility and control for experienced users and developers, it also introduces potential risks. Incorrect changes or the installation of malicious software can compromise device security and cause damage.[5]

Sources:

  1. Orca Security
  2. Google Cloud Platform
