Google Cloud Build Vulnerability Nearly Threatened Entire Software Supply Chain
Attackers could read the platform’s private logs and use what they learned to mount far more powerful attacks.
Security researchers have discovered a privilege escalation vulnerability in Google Cloud Platform (GCP) that could allow attackers to inject malicious code into application images, infecting everyone who deploys them and opening the door to supply chain attacks.
“By abusing the vulnerability and impersonating the default Cloud Build service, hackers can manipulate images in the Google Artifact Registry (GAR) and inject malicious code,” the researchers said.
“Any applications built from modified images are infected. If such applications are deployed at a supplier’s customers, the risk is transferred from the supplier environment to the customer environment, posing a serious threat to the entire supply chain,” added Orca Security.
After the vulnerability was reported, Google released a partial fix that revokes the over-privileged permission but does not close the underlying privilege escalation vector. The company itself described the vulnerability as minor, and no additional action is required from customers.
The vulnerability stems from the default service account that Cloud Build automatically creates to run builds on behalf of users. That account was granted excessive permissions, including the ability to read the project’s audit logs, which reveal which identities hold which permissions in the project.
“This kind of information is very valuable, as it greatly facilitates lateral movement and escalation of privileges in the environment. Knowing which GCP account can perform which action is like solving a large part of the puzzle of how to launch an attack,” explained Orca’s Roy Nisimi.
An attacker who has obtained the “cloudbuild.builds.create” permission by some other means can impersonate the Cloud Build service account, escalate privileges, exfiltrate an image used by Google Kubernetes Engine (GKE) and modify it by adding malicious code.
[Figure] Exploitation scheme for the Bad.Build vulnerability
Google’s fix revokes the “logging.privateLogEntries.list” permission from the default Cloud Build service account, so the account can no longer list private log entries.
Customers are advised to monitor the default Cloud Build service account’s behavior for signs of abuse and to apply the principle of least privilege to reduce the risk.
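Two checks that follow from that advice, as an added example (this is not code from Orca Security or Google): the first resolves a project IAM policy against role definitions to show who effectively holds “logging.privateLogEntries.list” and “cloudbuild.builds.create”, before and after a fix that drops the permission from the builder role; the second scans Cloud Audit Log entries for the default Cloud Build service account listing private log entries, or for builds created by a principal outside an allowlist. In a real project the policy and role definitions would come from `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe ROLE --format=json`; here the project number, e-mail addresses, trimmed role permission sets and log lines are all constructed for the example.

```python
"""Added example, not Orca's or Google's code. All policy, role and log
data below is constructed; the role permission sets are trimmed."""
import json
from typing import Dict, Iterable, List, Set, Tuple

PROJECT_NUMBER = "123456789012"  # constructed
CLOUD_BUILD_SA_EMAIL = f"{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
CLOUD_BUILD_SA_MEMBER = f"serviceAccount:{CLOUD_BUILD_SA_EMAIL}"  # member form in IAM policies

PRIVATE_LOGS_PERM = "logging.privateLogEntries.list"
CREATE_BUILD_PERM = "cloudbuild.builds.create"

# Audit-log method names the detection looks for.
LIST_LOG_ENTRIES = "google.logging.v2.LoggingServiceV2.ListLogEntries"
CREATE_BUILD = "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild"

# Trimmed, constructed role definitions. The builder role is shown as it was
# before the fix, still carrying logging.privateLogEntries.list.
ROLES: Dict[str, Set[str]] = {
    "roles/cloudbuild.builds.builder": {
        CREATE_BUILD_PERM, "cloudbuild.builds.get", "logging.logEntries.create",
        PRIVATE_LOGS_PERM, "artifactregistry.repositories.uploadArtifacts",
    },
    "roles/cloudbuild.builds.editor": {CREATE_BUILD_PERM, "cloudbuild.builds.get"},
    "roles/viewer": {"cloudbuild.builds.get", "logging.logEntries.list"},
}

IAM_POLICY = {  # constructed, same shape as `gcloud projects get-iam-policy`
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder", "members": [CLOUD_BUILD_SA_MEMBER]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:dev@example.com", "group:ci-admins@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]
}


def principals_with_permission(policy: dict, roles: Dict[str, Set[str]],
                               permission: str) -> Set[str]:
    """Return every member whose bound roles include `permission`.
    Conditional bindings are counted as granted, which errs on the safe side."""
    holders: Set[str] = set()
    for binding in policy.get("bindings", []):
        if permission in roles.get(binding["role"], set()):
            holders.update(binding.get("members", []))
    return holders


def without_permission(roles: Dict[str, Set[str]], role: str,
                       permission: str) -> Dict[str, Set[str]]:
    """Model a fix like Google's: the same roles with one permission removed."""
    fixed = {name: set(perms) for name, perms in roles.items()}
    fixed.get(role, set()).discard(permission)
    return fixed


def suspicious_entries(lines: Iterable[str],
                       build_creator_allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, reason, principal) for entries where the default
    Cloud Build SA lists private log entries or a build is created by a
    principal outside the allowlist. Unparseable lines are skipped."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        payload = entry.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        method = payload.get("methodName", "")
        when = entry.get("timestamp", "")
        if principal == CLOUD_BUILD_SA_EMAIL and method == LIST_LOG_ENTRIES:
            findings.append((when, "default Cloud Build SA listed private log entries", principal))
        elif method == CREATE_BUILD and principal not in build_creator_allowlist:
            findings.append((when, "build created by principal outside allowlist", principal))
    return findings


def _entry(ts: str, service: str, method: str, principal: str) -> str:
    """One constructed audit-log line in the protoPayload layout."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": principal}}})


SAMPLE_AUDIT_LOG = [  # constructed
    _entry("2023-07-18T10:00:00Z", "cloudbuild.googleapis.com", CREATE_BUILD, "dev@example.com"),
    _entry("2023-07-18T10:01:13Z", "logging.googleapis.com", LIST_LOG_ENTRIES, CLOUD_BUILD_SA_EMAIL),
    _entry("2023-07-18T10:01:20Z", "logging.googleapis.com",
           "google.logging.v2.LoggingServiceV2.WriteLogEntries", CLOUD_BUILD_SA_EMAIL),
    _entry("2023-07-18T10:02:00Z", "cloudbuild.googleapis.com", CREATE_BUILD, "contractor@example.net"),
    "not json",
]

if __name__ == "__main__":
    print("can list private logs:", principals_with_permission(IAM_POLICY, ROLES, PRIVATE_LOGS_PERM))
    print("can create builds:", principals_with_permission(IAM_POLICY, ROLES, CREATE_BUILD_PERM))
    fixed = without_permission(ROLES, "roles/cloudbuild.builds.builder", PRIVATE_LOGS_PERM)
    print("after fix:", principals_with_permission(IAM_POLICY, fixed, PRIVATE_LOGS_PERM))
    for finding in suspicious_entries(SAMPLE_AUDIT_LOG, {"dev@example.com"}):
        print(*finding)
```

The permission check is the least-privilege half of the advice: run it once for each sensitive permission, and treat any holder of “cloudbuild.builds.create” as someone who can start a build under the default account. The log scan is the monitoring half; note that read calls such as ListLogEntries appear in Data Access audit logs, which are not enabled by default for most services, so the second check only works in projects where those logs are switched on.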
This is not the first time privilege escalation vulnerabilities have been found in Google Cloud Platform. In 2020, similar problems were reported by GitLab, Rhino Security Labs and Praetorian, and just last week SentinelOne and Permiso reported attacks on GCP aimed at stealing credentials.