“ConfusedFunction” Flaw Opens Google Cloud Platform to Privilege Escalation Attacks
Cybersecurity researchers have uncovered a privilege escalation vulnerability in the Cloud Functions service on the Google Cloud Platform. This vulnerability, dubbed ConfusedFunction, could allow an attacker to gain unauthorized access to other services and sensitive data.
The company Tenable, which identified the issue, explained that an attacker could escalate their privileges to the level of the default Cloud Build Service account, gaining access to various services such as Cloud Build, storage (including source code of other functions), artifact registries, and container registries.
Such access enables an attacker to perform lateral movement and privilege escalation within the victim’s project, as well as to gain unauthorized access to data and even modify or delete it.
Cloud Functions is a serverless environment for executing tasks, allowing developers to create single-purpose functions that run in response to specific events in the cloud without the need for server management or framework updates.
The issue discovered by Tenable lies in the automatic creation of the Cloud Build account, which is linked to the default Cloud Build instance whenever a Cloud Function is created or updated. This account has excessive privileges, so an attacker with permission to create or update a Cloud Function can exploit this loophole to escalate their privileges to the level of the Cloud Build account.
These privileges can be used to access other Google Cloud services created alongside the Cloud Function, including Cloud Storage, Artifact Registry, and Container Registry. In a hypothetical attack scenario, the ConfusedFunction vulnerability could be used to leak the Cloud Build account token via a webhook.
Following responsible disclosure, Google updated the default behavior to have Cloud Build use the Compute Engine default service account to prevent abuse. However, it is worth noting that these changes do not apply to existing instances.
Tenable researcher Liv Matan noted that the ConfusedFunction vulnerability highlights the problematic scenarios that can arise from the complexity of software and inter-service interactions in cloud services.
Although the fix by GCP reduced the severity of the issue for future deployments, it did not eliminate it. Deploying a Cloud Function still triggers the creation of the associated GCP services, so the Cloud Build account must still be granted privileges during the deployment process that are as minimal as possible yet broad enough for the build to succeed.
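As an added example (not code from the article or from Tenable), the following audit shows how a defender can scan a project's IAM policy for broad roles granted to the Google-managed default service accounts the article discusses, the Cloud Build default account and the Compute Engine default account. The role allowlist, the project number and the sample policy are constructed for illustration and should be tuned to your own project.

```python
import re

# Member strings for the two Google-managed default service accounts named in the article.
CLOUDBUILD_DEFAULT_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")
COMPUTE_DEFAULT_SA = re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$")

# Roles a default build account may reasonably hold; anything else is flagged.
# This allowlist is an assumption for the example; adjust it to your environment.
ALLOWED_ROLES = {"roles/cloudbuild.builds.builder", "roles/logging.logWriter"}


def audit_default_sa_bindings(policy: dict) -> list:
    """Return one finding per (member, role) where a default SA holds a non-allowlisted role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if CLOUDBUILD_DEFAULT_SA.match(member):
                account = "cloudbuild-default"
            elif COMPUTE_DEFAULT_SA.match(member):
                account = "compute-default"
            else:
                continue  # users, groups and custom SAs are out of scope here
            if role not in ALLOWED_ROLES:
                findings.append({"account": account, "member": member, "role": role})
    return findings


# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`;
# the project number 123456789012 is a placeholder, not a real project.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["user:dev@example.com",
                     "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    for f in audit_default_sa_bindings(SAMPLE_POLICY):
        print(f"{f['account']}: {f['member']} holds {f['role']}")
```

Each finding is a binding to review against the principle of least privilege; the article's point is that existing projects keep the pre-fix defaults, so running such a check there is where it matters most.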
The ConfusedFunction vulnerability underscores the need for constant vigilance and proper privilege management in the IT domain. Regular security audits and the principle of least privilege should be the foundation of any company’s cybersecurity strategy.