Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform

Jul 25, 2024NewsroomCloud Security / Vulnerability

Cybersecurity researchers have disclosed a privilege escalation vulnerability affecting Google Cloud Platform’s Cloud Functions service that an attacker could exploit to gain unauthorized access to other services and confidential information.

Tenable, the exposure management firm, has named the vulnerability ConfusedFunction, as revealed in a publication.

In a statement, the exposure management company said, “A wrongdoer could enhance their privileges to the Default Cloud Build Service Account and reach various services such as Cloud Build, storage (comprising the source code of other functions), artifact registry, and container registry.”

“This access permits lateral movement and privilege escalation within a victim’s project, enabling them to reach unauthorized data and even modify or erase it.”

Cloud Functions is a serverless execution environment that lets developers create single-purpose functions that are triggered in response to specific Cloud events, without the need to manage a server or update frameworks.

The issue Tenable found is that a Cloud Build service account is created in the background and automatically linked to a Cloud Build instance when a Cloud Function is created or updated.

Because this service account has excessive permissions, an attacker with access to create or update a Cloud Function could exploit it to escalate their privileges to the service account.

That permission could then be abused to reach other Google Cloud services that are also created alongside the Cloud Function, including Cloud Storage, Artifact Registry, and Container Registry. In a theoretical attack scenario, ConfusedFunction could be used to leak the Cloud Build service account token via a webhook.

Following responsible disclosure, Google changed the default behavior so that Cloud Build uses the Compute Engine default service account, to deter misuse. However, these changes do not apply to existing instances.

“The ConfusedFunction vulnerability highlights the worrisome situations that may emerge due to software intricacy and inter-service communication in a cloud provider’s services,” stated Tenable researcher Liv Matan.

“Although the GCP correction has lessened the severity of the issue for forthcoming deployments, it hasn’t eradicated it entirely. This is due to the fact that the deployment of a Cloud Function still triggers the establishment of the above-mentioned GCP services. Consequently, users must still assign minimal but relatively broad authorizations to the Cloud Build service account as part of a function’s deployment.”
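Because the changed default does not apply to existing instances, a defender can review a project's IAM policy for roles still bound to the legacy default Cloud Build service account and for principals able to create or update functions. The following is an added example, not code from Tenable, Google or the article; the policy is constructed sample data, and the lists of "broad" and deploy-capable roles are assumptions to adjust per project.

```python
import json
import re

# Legacy default Cloud Build service account: PROJECT_NUMBER@cloudbuild.gserviceaccount.com
LEGACY_CB_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")
# Roles this example treats as broad (assumption; adjust to the project's baseline).
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/cloudbuild.builds.builder",
               "roles/storage.admin", "roles/artifactregistry.admin"}
# Roles that allow creating or updating a Cloud Function (assumed, not exhaustive).
DEPLOY_ROLES = {"roles/cloudfunctions.developer", "roles/cloudfunctions.admin",
                "roles/editor", "roles/owner"}

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/storage.admin",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
               "user:dev@example.com"]},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/cloudfunctions.developer",
   "members": ["user:dev@example.com", "group:ci@example.com"]}
]}
""")

def audit(policy):
    """Return ({legacy SA: {"roles": [...], "broad": [...]}}, {function deployers})."""
    findings, deployers = {}, set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if LEGACY_CB_SA.match(member):
                entry = findings.setdefault(member, {"roles": [], "broad": []})
                entry["roles"].append(role)
                if role in BROAD_ROLES:
                    entry["broad"].append(role)
            if role in DEPLOY_ROLES:
                deployers.add(member)
    return findings, deployers

if __name__ == "__main__":
    findings, deployers = audit(SAMPLE_POLICY)
    for sa, entry in findings.items():
        print(f"{sa}: {len(entry['roles'])} roles, broad: {entry['broad']}")
    # Every deployer listed here can indirectly act with the roles printed above.
    print("can create/update functions:", sorted(deployers))
```

Where the legacy account still holds broad roles, the list of deployers shows who could reach those roles through a function deployment, which is the set to review when replacing it with a least-privilege build account.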

The disclosure comes as Outpost24 detailed a medium-severity cross-site scripting (XSS) vulnerability in the Oracle Integration Cloud Platform that could be exploited to inject malicious code into the application.

The flaw, related to the handling of the “consumer_url” parameter, was resolved by Oracle in its Critical Patch Update (CPU) released earlier this month.

“The page for creating a new integration, found at https://<instanceid>.integration.ocp.oraclecloud.com/ic/integration/home/faces/link?page=integration&consumer_url=<payload>, did not require any other parameters,” security researcher Filip Nyquist stated.

“This indicated that an attacker would only need to identify the instance-id of the specific integration platform to send a functional payload to any user of the platform. Consequently, the attacker could circumvent the necessity of knowing a specific integration ID, typically only accessible to logged-in users.”

It also follows Assetnote’s discovery of three security vulnerabilities in the ServiceNow cloud computing platform (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217) that could be chained into an exploit to obtain complete database access and execute arbitrary code within the context of the Now Platform.
