
Confused Function is a privilege escalation vulnerability discovered in Google Cloud Platform (GCP)’s Cloud Functions service. This flaw allowed attackers to potentially gain unauthorized access to sensitive data and services within a GCP environment.
The root cause lies in the way GCP handled Cloud Build service accounts, which were automatically created with excessive permissions when deploying Cloud Functions. This allowed attackers to exploit these permissions to escalate their privileges and access other GCP services.
Google has acknowledged the issue and implemented a fix to prevent the creation of Cloud Build service accounts with excessive permissions for new Cloud Functions. However, existing Cloud Build instances remain vulnerable.
As per Tenable, Cloud Functions in GCP are event-triggered, serverless functions. They automatically scale and execute code in response to specific events like HTTP requests or data changes. When a GCP user creates or updates a Cloud Function, a multi-step backend process is triggered.
This process, among other things, attaches a default Cloud Build service account to the Cloud Build instance that is created as part of the function’s deployment. This default Cloud Build service account gives the user excessive permissions. This process happens in the background and isn’t something that ordinary users would be aware of.
An attacker who gains access to create or update a Cloud Function can take advantage of the function’s deployment process to escalate privileges to the default Cloud Build service account and to other GCP services, including Cloud Storage and Artifact Registry or Container Registry. By exploiting the deployment flow and the flawed trust between services, an attacker could run code as the default Cloud Build service account.
Moving forward, the Confused Function vulnerability highlights the problematic scenarios that may arise due to software complexity and inter-service communication in a cloud provider’s services.
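Because existing deployments keep the default Cloud Build service account, a project's IAM policy can be checked for the roles still bound to it. The following is an added example, not code from Tenable or Google: it audits a policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the sample policy, project number and member names are constructed placeholders.

```python
import json
import re

# Legacy default Cloud Build service account: <project-number>@cloudbuild.gserviceaccount.com.
# Removed members are listed as "deleted:serviceAccount:...?uid=...".
DEFAULT_CB_SA = re.compile(
    r"^(?:deleted:)?serviceAccount:(\d+)@cloudbuild\.gserviceaccount\.com(?:\?uid=\d+)?$"
)
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}  # project-wide basic roles

# Constructed sample policy (not real data); project number and members are placeholders.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["user:dev@example.com",
               "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:build-runner@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/artifactregistry.writer",
   "condition": {"title": "temporary", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"},
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
]}
""")


def audit_policy(policy):
    """Return one finding per role bound to a default Cloud Build service account."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            match = DEFAULT_CB_SA.match(member)
            if match is None:
                continue  # users, groups and user-managed service accounts are out of scope
            findings.append({
                "project_number": match.group(1),
                "role": role,
                "basic_role": role in BASIC_ROLES,
                "conditional": "condition" in binding,
                "deleted": member.startswith("deleted:"),
            })
    # Basic roles first: they grant the widest access and deserve review first.
    return sorted(findings, key=lambda f: (not f["basic_role"], f["role"]))


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Each finding is a candidate for replacement with a user-managed service account that holds only the roles the build needs.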