ConfusedFunction Vulnerability in GCP

Researchers have uncovered a privilege escalation vulnerability in the Cloud Functions service on the Google Cloud Platform that could allow an attacker to gain unauthorized access to other services and sensitive data.

Cloud Functions is a serverless environment for executing tasks, allowing developers to create single-purpose functions that run in response to specific events in the cloud without the need for server management or framework updates.


The vulnerability, named ConfusedFunction and discovered by Tenable, could allow an attacker to escalate their privileges to those of the default Cloud Build service account, gaining access to services such as Cloud Build, Artifact Registry, and Container Registry.

The vulnerability stems from the automatic creation of the Cloud Build service account, which is attached to the default Cloud Build instance whenever a Cloud Function is created or updated. This account holds excessive privileges, enabling an attacker to move laterally and escalate privileges within the victim’s project, as well as to gain unauthorized access.

Following responsible disclosure, Google updated the default behavior so that Cloud Build uses the Compute Engine default service account, to prevent abuse.

Although Google’s fix reduces the severity of the issue for future deployments, it does not eliminate it. Deploying a Cloud Function still triggers the creation of these GCP services, so the Cloud Build account must still be granted privileges during the deployment process that are minimal yet broad enough to build the function.
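One defensive check this suggests is auditing which service account each function's builds actually run under, so that functions still relying on a default account can be found and moved to a dedicated least-privilege one. The script below is an added example, not code from the article or from Tenable; it parses constructed JSON shaped like the output of `gcloud functions list --v2 --format=json`, and the `buildConfig.serviceAccount` field name, project id and account names are assumptions.

```python
import json
import re

# Constructed sample input (not real output): assumed to mirror the shape of
# `gcloud functions list --v2 --format=json`; buildConfig.serviceAccount is an assumption.
SAMPLE_FUNCTIONS_JSON = """
[
  {"name": "projects/demo-proj/locations/us-central1/functions/legacy-fn",
   "buildConfig": {"serviceAccount": "projects/demo-proj/serviceAccounts/123456789012@cloudbuild.gserviceaccount.com"}},
  {"name": "projects/demo-proj/locations/us-central1/functions/compute-default-fn",
   "buildConfig": {"serviceAccount": "projects/demo-proj/serviceAccounts/123456789012-compute@developer.gserviceaccount.com"}},
  {"name": "projects/demo-proj/locations/us-central1/functions/hardened-fn",
   "buildConfig": {"serviceAccount": "projects/demo-proj/serviceAccounts/fn-build@demo-proj.iam.gserviceaccount.com"}},
  {"name": "projects/demo-proj/locations/us-central1/functions/unspecified-fn",
   "buildConfig": {}}
]
"""

# Email patterns of the two Google-managed default accounts discussed above.
CLOUD_BUILD_DEFAULT = re.compile(r"^\d+@cloudbuild\.gserviceaccount\.com$")
COMPUTE_DEFAULT = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def classify_build_account(service_account):
    """Map a build service account resource name (or None) to a category."""
    if not service_account:
        return "unspecified (project default applies)"
    email = service_account.rsplit("/", 1)[-1]  # strip the projects/.../serviceAccounts/ prefix
    if CLOUD_BUILD_DEFAULT.match(email):
        return "legacy Cloud Build default"
    if COMPUTE_DEFAULT.match(email):
        return "Compute Engine default"
    return "custom"


def audit_functions(functions_json):
    """Return {short function name: build account category} for every function."""
    report = {}
    for fn in json.loads(functions_json):
        short_name = fn["name"].rsplit("/", 1)[-1]
        sa = fn.get("buildConfig", {}).get("serviceAccount")
        report[short_name] = classify_build_account(sa)
    return report


def needs_review(report):
    """Functions whose builds do not run under a dedicated (custom) account."""
    return sorted(name for name, kind in report.items() if kind != "custom")


if __name__ == "__main__":
    rep = audit_functions(SAMPLE_FUNCTIONS_JSON)
    for name, kind in rep.items():
        print(f"{name}: {kind}")
    print("needs review:", needs_review(rep))
```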
