Google Cloud Platform (GCP) Privilege Escalation Vulnerability - 20240606001
Overview
A vulnerability has been discovered in Google Cloud Platform (GCP) that allows privilege escalation from Cloud Function permissions to the permissions of the default Cloud Build service account. That service account holds high privileges in services such as Cloud Build, Cloud Storage (including the source code of other functions), Artifact Registry and Container Registry.
An attacker with permission to create or update a Google Cloud Function could exploit the vulnerability, causing Cloud Build to act as a confused deputy that runs malicious code (a malicious dependency) with Cloud Build editor privileges, including leaking the token of the Cloud Build default service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com).
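As an added defender-side check (not from this advisory or from Google), the script below reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json` and reports which roles the default Cloud Build service account named above holds, flagging those that grant the broad build, storage and registry access the advisory describes. The policy document is constructed sample data, the project number is a placeholder, and the list of "broad" roles is this check's own assumption.

```python
import json
import re

# Project-level roles that would let a leaked Cloud Build default service
# account token reach Cloud Build, storage (other functions' source),
# Artifact Registry and Container Registry. This list is an assumption for
# the check, not Google's definition of "high privilege".
BROAD_ROLES = {
    "roles/cloudbuild.builds.builder",
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/artifactregistry.admin",
    "roles/artifactregistry.writer",
    "roles/editor",
    "roles/owner",
}

# Matches the default Cloud Build service account identity from the advisory:
# PROJECT_NUMBER@cloudbuild.gserviceaccount.com
DEFAULT_BUILD_SA = re.compile(
    r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")


def build_sa_roles(policy: dict) -> dict:
    """Return {role: member} for each binding that includes a default Cloud Build SA."""
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if DEFAULT_BUILD_SA.match(member):
                found[binding["role"]] = member
    return found


def flag_broad_roles(policy: dict) -> list:
    """Return the sorted broad roles the default Cloud Build SA holds in the policy."""
    return sorted(role for role in build_sa_roles(policy) if role in BROAD_ROLES)


# Constructed sample policy; 123456789012 is a placeholder project number.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "user:admin@example.com"]},
    {"role": "roles/logging.viewer",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    for role in flag_broad_roles(SAMPLE_POLICY):
        print(f"REVIEW: default Cloud Build SA holds broad role {role}")
```

Any role reported should be reviewed against what your build pipeline actually needs; a custom, least-privilege build service account removes the broad default grants from the path a confused-deputy build would take.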
What is vulnerable?
CVE | Severity | CVSS | Product(s) Affected | Summary | Dated |
---|---|---|---|---|---|
TBD | Medium | TBD | GCP Cloud Function; GCP Cloud Build | Attackers could upload a malicious package to a registry, and the default Cloud Function deployment process would install that package once the attacker references its name in the Cloud Function code. Google has remediated the vulnerability for Cloud Build accounts created in future; however, existing Cloud Build instances require customer action. | 5 June, 2024 |
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of one month... (refer Patch Management):