
Cybersecurity researchers have disclosed a privilege escalation vulnerability affecting Google Cloud Platform’s Cloud Functions service that could be exploited by attackers to gain unauthorized access to other services or sensitive data.
Tenable has named this vulnerability ConfusedFunction.
“An attacker could have escalated privileges to the default cloud build service account and gained access to numerous services, including cloud build, storage (containing source code for other features), artifact registry, and container registry,” the exposure management company said in a statement.
“This access could allow for lateral movement and privilege escalation within the victim’s project, allowing them to access unauthorized data and even update or delete it.”
Cloud Functions refers to a serverless execution environment that allows developers to write single-purpose functions that are triggered in response to specific cloud events, without having to manage servers or update frameworks.

The issue discovered by Tenable stems from how a function is built: when a Cloud Function is created or updated, the source is compiled by a Cloud Build job that, by default, runs as the project's Cloud Build service account, which is created in the background and attached to the build automatically.
That service account carries far more privilege than a function build needs. Because the build executes code drawn from the function's own source and build steps, anyone who can create or update a Cloud Function can run code as that service account, and so inherit its privileges.
Those privileges extend to the Google Cloud services that a function deployment provisions alongside it, such as Cloud Storage, Artifact Registry and Container Registry. In one attack scenario described by Tenable, an attacker who can deploy a function exfiltrates the Cloud Build service account's access token from the build step to an attacker-controlled webhook, and then uses that token against the rest of the project.

Following responsible disclosure, Google has changed the default so that Cloud Build runs with the Compute Engine default service account instead of the legacy Cloud Build service account, but these changes do not apply to existing projects and functions, which keep the identity and permissions they were deployed with.
“The ConfusedFunction vulnerability highlights the problematic scenarios that can arise due to software complexity and inter-service communication in cloud provider services,” said Tenable researcher Liv Matan.
“GCP’s fix reduces the severity of the issue for future deployments, but does not eliminate it entirely, as Cloud Function deployments still trigger the creation of the aforementioned GCP services. As a result, users must assign minimal, yet relatively broad, permissions to the Cloud Build service account as part of their function deployment.”
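Matan's point that the fix lowers rather than removes the risk comes down to two questions about a project's IAM policy: who can deploy a function, and what the identity the build runs as is allowed to do. The following script is an added example, not Tenable's proof of concept or Google's tooling; it runs offline on the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, or on a constructed sample policy embedded below. It checks both the legacy Cloud Build service account and the Compute Engine default service account (the identity Google's updated default now uses), since the latter commonly still holds roles/editor in projects where no organization policy restricts it. The project number 123456789012, the principals and the role lists are assumptions for illustration, and the role lists are a heuristic rather than an authoritative model of GCP permissions.

```python
"""Audit a Google Cloud project IAM policy for the ConfusedFunction exposure.

Added example, not Tenable's proof of concept and not Google's tooling.
Runs offline on the JSON from `gcloud projects get-iam-policy PROJECT_ID
--format=json`, or on the constructed SAMPLE_POLICY below. The project
number 123456789012, the principals and the role lists are assumptions for
illustration; the role lists are a heuristic, not an authoritative model.
"""
import json
import re
import sys

# Roles whose holders can create or update Cloud Functions and therefore
# trigger a Cloud Build that runs as the build service account.
FUNCTION_DEPLOY_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/cloudfunctions.admin",
    "roles/cloudfunctions.developer",
}

# Roles that give a build service account more reach than a function build
# needs. roles/cloudbuild.builds.builder was the legacy default and includes
# storage and registry access; the primitive roles are broader still.
BROAD_BUILD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/cloudbuild.builds.builder",
}

# Legacy Cloud Build service account and Compute Engine default service
# account (the identity Google's updated default now uses for builds).
DEFAULT_BUILD_IDENTITIES = [
    re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
]


def roles_by_member(policy):
    """Invert the policy's bindings into {member: set(roles)}.

    IAM conditions are ignored, so a conditional grant is treated as
    unconditional; that errs on the side of reporting.
    """
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit(policy):
    """Return both halves of the exposure and whether they coincide."""
    members = roles_by_member(policy)
    broad_build_sas = {}
    deployers = {}
    for member, roles in members.items():
        if any(p.match(member) for p in DEFAULT_BUILD_IDENTITIES):
            broad = roles & BROAD_BUILD_ROLES
            if broad:
                broad_build_sas[member] = sorted(broad)
        deploy = roles & FUNCTION_DEPLOY_ROLES
        if deploy:
            deployers[member] = sorted(deploy)
    return {
        "broad_build_sas": broad_build_sas,
        "deployers": deployers,
        # Exposure needs both: a principal who can deploy a function, and a
        # default build identity whose token is worth stealing.
        "exposed": bool(broad_build_sas) and bool(deployers),
    }


# Constructed sample: a project that still carries the legacy defaults.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/cloudfunctions.developer",
         "members": ["user:dev@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:auditor@example.com"]},
    ]
}


def main(argv):
    # Read a real policy from a file path if given, otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    print(json.dumps(audit(policy), indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real project with `gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json && python audit.py policy.json`. A hit in both halves is the condition to fix: either strip the broad roles from the default build identities, or deploy functions with a dedicated, narrowly scoped build service account (`gcloud functions deploy` accepts a `--build-service-account` flag for this) so that the token an attacker could leak from a build carries only what the build itself needs.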
The development comes after Outpost24 detailed a medium severity cross-site scripting (XSS) flaw in Oracle Integration Cloud Platform that could be weaponized to inject malicious code into applications.
The flaw, which stems from the handling of the “consumer_url” parameter, was addressed in an Oracle Critical Patch Update (CPU) released earlier this month.
“https://

“This means that an attacker only needs to identify the instance ID of a particular integration platform to send a functional payload to any user of that platform. As a result, an attacker can avoid the need to know the specific integration ID, which is typically only accessible to logged-in users.”
This also follows Assetnote’s discovery of three security vulnerabilities in the ServiceNow cloud computing platform (CVE-2024-4879, CVE-2024-5178, CVE-2024-5217) which, when chained together, could grant full access to the database and arbitrary code execution within the context of the Now Platform.