Security researchers at Tenable have disclosed a privilege escalation flaw in Google Cloud Platform's Cloud Functions service. The vulnerability, which Tenable calls ConfusedFunction, lets an attacker reach sensitive functions and data they were never granted access to.
Tenable explains that an attacker exploiting this flaw could escalate their privileges to those of the default Cloud Build service account, which has access to services such as Cloud Build, Cloud Storage (including the function's source code), Artifact Registry, and Container Registry. That foothold enables lateral movement and further privilege escalation, so data can be read, updated, and deleted without authorization.
Cloud Functions is a serverless execution environment in which developers write single-purpose functions that run in response to specific cloud events, without managing servers or updating frameworks. When a Cloud Function is created or updated, the service launches a Cloud Build instance to build it, and that build runs under a Cloud Build service account.
An attacker who can create or update a Cloud Function can therefore escalate to the privileges of that service account, and use them to interact with the other Google Cloud services that the function's deployment pipeline touches.
In Tenable's hypothetical attack scenario, ConfusedFunction is used to extract a Cloud Build service account token from the build and exfiltrate it through a webhook.
Google addressed the issue by changing the default behaviour so that Cloud Build uses the Compute Engine default service account instead, reducing the scope for abuse. The change is not retroactive, however: existing instances keep the old behaviour.
Tenable researcher Liv Matan notes that, although Google's fix has reduced the severity for future deployments, it has not eliminated the problem: creating a Cloud Function still triggers the deployment of the GCP services mentioned above.
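Because the fix does not apply retroactively, the practical question for a defender is which service account each existing function's build actually runs as. The following is an added example, not Tenable's or Google's code, that classifies that account from the JSON printed by `gcloud functions describe NAME --gen2 --region REGION --format=json`. It assumes the build service account appears there as `buildConfig.serviceAccount` in the form `projects/PROJECT/serviceAccounts/EMAIL` (verify against your gcloud version), and that the two default-account email formats are the legacy Cloud Build default `<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com` and the Compute Engine default `<PROJECT_NUMBER>-compute@developer.gserviceaccount.com`. The risk ratings are this example's own, following the article's reasoning that the legacy Cloud Build default account is the one ConfusedFunction escalates to. The sample input is constructed, not real project data.

```python
"""Audit which service account builds each Cloud Function (added example)."""
import json
import re

# Google's two default service-account email formats, keyed on project number.
LEGACY_CLOUD_BUILD_SA = re.compile(r"^\d+@cloudbuild\.gserviceaccount\.com$")
COMPUTE_DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Risk rating is this example's own assessment, not a Google or Tenable scale.
RISK = {
    "legacy-cloudbuild-default": "high",    # the account ConfusedFunction escalates to
    "compute-default": "medium",            # post-fix default; still review its roles
    "custom": "review",                     # check the roles actually granted
    "unset": "inherit",                     # project default applies; unknown here
}


def sa_email(resource):
    """Strip 'projects/P/serviceAccounts/' from a resource name; bare emails pass through."""
    return resource.rsplit("/", 1)[-1]


def classify_build_sa(email):
    """Classify a build service-account email into one of the RISK classes."""
    if not email:
        return "unset"
    if LEGACY_CLOUD_BUILD_SA.match(email):
        return "legacy-cloudbuild-default"
    if COMPUTE_DEFAULT_SA.match(email):
        return "compute-default"
    return "custom"


def audit_functions(describe_json_docs, project_default_build_sa=None):
    """Return one finding per function: name, resolved build SA, class, risk.

    describe_json_docs: JSON strings as printed by `gcloud functions describe`.
    project_default_build_sa: email that applies when buildConfig.serviceAccount
      is absent. Which default that is depends on when the project was created,
      which is exactly why Google's change does not fix existing deployments.
    """
    findings = []
    for doc in describe_json_docs:
        fn = json.loads(doc)
        resource = fn.get("buildConfig", {}).get("serviceAccount")  # assumed field path
        email = sa_email(resource) if resource else project_default_build_sa
        kind = classify_build_sa(email)
        findings.append({
            "function": fn["name"],
            "build_service_account": email,
            "class": kind,
            "risk": RISK[kind],
        })
    return findings


# Constructed sample describe output for four functions (not real project data).
SAMPLE = [
    json.dumps({
        "name": "projects/demo/locations/us-central1/functions/legacy-fn",
        "buildConfig": {"serviceAccount":
                        "projects/demo/serviceAccounts/123456789012@cloudbuild.gserviceaccount.com"},
    }),
    json.dumps({
        "name": "projects/demo/locations/us-central1/functions/compute-fn",
        "buildConfig": {"serviceAccount":
                        "projects/demo/serviceAccounts/123456789012-compute@developer.gserviceaccount.com"},
    }),
    json.dumps({
        "name": "projects/demo/locations/us-central1/functions/custom-fn",
        "buildConfig": {"serviceAccount":
                        "projects/demo/serviceAccounts/fn-builder@demo.iam.gserviceaccount.com"},
    }),
    json.dumps({  # no explicit build SA: inherits whatever the project default is
        "name": "projects/demo/locations/us-central1/functions/inherit-fn",
        "buildConfig": {},
    }),
]

if __name__ == "__main__":
    # A project created before the change still defaults to the legacy account.
    old_project_default = "123456789012@cloudbuild.gserviceaccount.com"
    for f in audit_functions(SAMPLE, project_default_build_sa=old_project_default):
        print(f"{f['risk']:8} {f['class']:26} {f['function']}  ({f['build_service_account']})")
```

The fourth sample shows the non-retroactive case: a function with no explicit build account inherits the project default, which on a pre-fix project is still the legacy Cloud Build account and is therefore rated high. Functions rated high or medium are candidates for redeploying with a dedicated, least-privilege build service account (for 2nd gen functions, `gcloud functions deploy` documents a `--build-service-account` flag for this; confirm it in your gcloud version).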