
Researchers have discovered a vulnerability in Google Cloud Build that enables attackers to tamper with and inject malware into images stored in Artifact Registry.
The vulnerability, dubbed Bad.Build, was found while analyzing an API call request associated with a Google Cloud Platform resource. Applications that then use those compromised container images risk malware infections, denial-of-service attacks, data theft, and other negative impacts, and the issue can even lead to supply chain attacks.
Researchers shed light on the findings and state that this is a design issue that has to do with the default permissions associated with the Google Cloud Build service. The excessive permissions associated with the service give adversaries a relatively easy way to access audit logs that contain a complete list of permissions associated with all GCP accounts in a Google Cloud Build “Project.”
An attacker would need access to the cloudbuild.builds.create permission, which could be obtained either through insider access or by an outsider who has gained unauthorized access to a user account holding this permission.
Google’s fix for Bad.Build removes the logging permission from the default Google Cloud Build service role, which means that particular service no longer has access to the audit logs which list the entire Project’s permissions each time there’s a change.
Unless organizations specifically revoke the default permissions of the Google Cloud Build service, any user with the cloudbuild.builds.create permission can escalate privileges and execute a wide range of actions, including manipulating images and injecting malicious code into them.
When users enable the Cloud Build API in a project, Cloud Build automatically creates a default service account to execute builds on the user’s behalf, according to Google’s advisory on the vulnerability.
This Cloud Build service account previously allowed the build to have access to private logs by default, but this permission has now been revoked from the Cloud Build service account to adhere to the security principle of least privilege.
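As an added defender-side example (not code from the article, Orca Security or Google), the following Python script applies the two checks the story implies to a project's IAM policy: which principals hold cloudbuild.builds.create, and whether the default Cloud Build service account still holds any logging permission. The IAM policy and the role-to-permission map are constructed samples; the role contents are abbreviated and the specific `logging.privateLogEntries.list` name is an assumption here, since the article only says "logging permission".

```python
import json

# Permission the article names as the prerequisite for the Bad.Build escalation.
BUILD_CREATE = "cloudbuild.builds.create"
# Address suffix of the default Cloud Build service account (PROJECT_NUMBER@...).
CLOUD_BUILD_SA_SUFFIX = "@cloudbuild.gserviceaccount.com"

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`;
# the project number 123456789 and the principals are placeholders.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["user:alice@example.com"]},
  {"role": "roles/cloudbuild.builds.editor",
   "members": ["user:bob@example.com", "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["user:carol@example.com"]}]}""")

# Constructed, abbreviated role -> permission map (assumption, not Google's real role definitions);
# in a live audit populate it from `gcloud iam roles describe <role>` for every bound role.
ROLE_PERMS = {
    "roles/owner": {BUILD_CREATE, "logging.privateLogEntries.list", "resourcemanager.projects.setIamPolicy"},
    "roles/cloudbuild.builds.editor": {BUILD_CREATE, "cloudbuild.builds.get"},
    "roles/cloudbuild.builds.builder": {BUILD_CREATE, "logging.privateLogEntries.list",
                                        "artifactregistry.repositories.uploadArtifacts"},
    "roles/viewer": {"cloudbuild.builds.get", "resourcemanager.projects.get"},
}

def principals_with(policy, role_perms, permission):
    """Every principal whose bound role grants `permission`."""
    holders = set()
    for binding in policy.get("bindings", []):
        if permission in role_perms.get(binding["role"], set()):
            holders.update(binding.get("members", []))
    return holders

def cloud_build_sa_logging_perms(policy, role_perms):
    """logging.* permissions reachable by the default Cloud Build service account."""
    found = set()
    for binding in policy.get("bindings", []):
        if any(m.startswith("serviceAccount:") and m.endswith(CLOUD_BUILD_SA_SUFFIX)
               for m in binding.get("members", [])):
            found.update(p for p in role_perms.get(binding["role"], set()) if p.startswith("logging."))
    return found

def audit(policy, role_perms):
    """Who can start builds, and whether the Cloud Build SA still sees private logs."""
    return {"build_creators": sorted(principals_with(policy, role_perms, BUILD_CREATE)),
            "cloud_build_sa_logging": sorted(cloud_build_sa_logging_perms(policy, role_perms))}
```

A non-empty `cloud_build_sa_logging` list on a real policy means the project still carries the pre-fix default; the `build_creators` list is the set of identities whose compromise would satisfy the attacker prerequisite the article describes.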
This research was documented by researchers from Orca Security.