Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform

Researchers have discovered a significant privilege escalation vulnerability in Google Cloud Platform's Cloud Functions, known as "ConfusedFunction." This vulnerability allows attackers to potentially gain unauthorized access to sensitive data and resources within a GCP environment.
The issue stems from the default behavior of Cloud Functions, where a Cloud Build service account is automatically created with excessive permissions. This account grants access to various Google Cloud services, including Cloud Build, Cloud Storage, Artifact Registry, and Container Registry.
Exploiting this vulnerability, an attacker could gain unauthorized access to a victim's project by:
- Creating or updating a Cloud Function.
- Leveraging the service account's permissions to access sensitive data stored within the linked Google Cloud services.
- Potentially extracting sensitive information such as the service account token via a webhook.

While Google has addressed this issue by updating its default settings to use the Compute Engine default service account for new deployments, this change does not affect existing instances. Users must review the permissions granted to their Cloud Functions and ensure they comply with security policies.
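One defender-side check that follows from the advice above, as an added example that is not from the article or from Tenable: given the JSON that `gcloud projects get-iam-policy` and `gcloud functions describe` return, flag functions that still build under the default Cloud Build service account and list the roles that account holds beyond a minimal baseline. The sample JSON, the project number, the email formats of the two default service accounts and the `buildConfig.serviceAccount` field are assumptions, and the baseline role set is a placeholder to tune to your own policy.

```python
# Constructed sample data; project number and emails are placeholders (assumption).
PROJECT_NUMBER = "123456789012"
CLOUD_BUILD_SA = f"{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
COMPUTE_SA = f"{PROJECT_NUMBER}-compute@developer.gserviceaccount.com"

# Shape assumed for: gcloud projects get-iam-policy PROJECT --format=json
IAM_POLICY = {"bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": [f"serviceAccount:{CLOUD_BUILD_SA}"]},
    {"role": "roles/storage.admin",
     "members": [f"serviceAccount:{CLOUD_BUILD_SA}", "user:admin@example.com"]},
    {"role": "roles/editor",
     "members": [f"serviceAccount:{COMPUTE_SA}"]},
]}

# Shape assumed for: gcloud functions describe NAME --region REGION --format=json
FUNCTIONS = [
    {"name": "projects/demo/locations/us-central1/functions/legacy-fn",
     "buildConfig": {"serviceAccount": f"projects/demo/serviceAccounts/{CLOUD_BUILD_SA}"}},
    {"name": "projects/demo/locations/us-central1/functions/new-fn",
     "buildConfig": {"serviceAccount": "projects/demo/serviceAccounts/build-only@demo.iam.gserviceaccount.com"}},
    {"name": "projects/demo/locations/us-central1/functions/no-explicit",
     "buildConfig": {}},
]

# Placeholder baseline: the only role a dedicated build account is expected to hold.
BUILD_BASELINE = {"roles/cloudbuild.builds.builder"}


def roles_for(policy, member):
    """Return the sorted project-level roles bound to one IAM member string."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def excess_roles(policy, sa_email):
    """Roles the service account holds beyond the baseline (the review target)."""
    return [r for r in roles_for(policy, f"serviceAccount:{sa_email}")
            if r not in BUILD_BASELINE]


def audit_functions(functions, cloud_build_sa):
    """Bucket functions by build account: explicit default Cloud Build SA, or unset."""
    report = {"default_build_sa": [], "unset": []}
    for fn in functions:
        short = fn["name"].rsplit("/", 1)[-1]
        sa = fn.get("buildConfig", {}).get("serviceAccount", "")
        if not sa:
            # Unset means the function inherits a project default; the article notes
            # the default changed only for new deployments, so review these by hand.
            report["unset"].append(short)
        elif sa.endswith("/" + cloud_build_sa):
            report["default_build_sa"].append(short)
    return report
```

Run the two functions against the real `gcloud ... --format=json` output of each project and treat every entry in `default_build_sa` and every role in `excess_roles` as a finding to justify or remove.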
Tenable researcher Liv Matan emphasizes the importance of understanding the complexity of cloud services and their interconnectedness. "While the GCP fix has reduced the severity of the problem for future deployments, it didn't completely eliminate it," she explains. "Users must still assign minimum but still relatively broad permissions to the Cloud Build service account as part of a function's deployment."
This vulnerability underscores the ongoing challenges of maintaining secure cloud environments. Organizations utilizing Google Cloud Platform should carefully evaluate their security practices, implement the principle of least privilege, and stay informed about emerging security threats.
The Hacker News 07/25/2024