Vulnerability Revealed in Google Cloud Platform, According to Tenable
In a recent development, a vulnerability known as ConfusedFunction has been discovered in Google Cloud Platform (GCP). This vulnerability, which affects both the Cloud Function serverless compute service and the Cloud Build CI/CD pipeline service, has raised concerns due to its potential impact on Cloud Build instances.
The issue is particularly problematic for Cloud Build Service Accounts created before February 14, 2024. These older service accounts, which have not been altered since the implementation of the fix, are vulnerable due to legacy permissions or configurations that could be exploited. Tenable senior research engineer Liv Matan has stated that this vulnerability underscores the potential issues that can arise due to software complexity and inter-service communication in cloud providers' services.
GCP has remediated ConfusedFunction for Cloud Build accounts created after February 14, 2024. However, existing Cloud Build instances remain at risk, as the privileges from these service accounts have not been changed. An attacker with the ability to create or update a Cloud Function can potentially escalate privileges to the default Cloud Build service account and other GCP services like Cloud Storage, Artifact Registry, or Container Registry.
The vulnerability involves excessive permissions granted to the default Cloud Build service account during the deployment of Cloud Functions. The process of attaching a default Cloud Build service account to a Cloud Build instance during the deployment of a Cloud Function happens in the background and isn't something that ordinary users would be aware of.
As a result, immediate remediation is required for existing Cloud Build instances. For every cloud function still using the legacy Cloud Build service account, it is advised to replace it with a least-privilege service account. This will help to mitigate the risk and protect your data in Cloud Storage, Artifact Registry, or Container Registry.
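One way to find what needs that remediation is to check where the legacy default Cloud Build service account still appears. The following audit script is an added example, not code from Tenable, Google or the original article. It reads a project IAM policy in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and flags every binding that grants the default Cloud Build account (the `PROJECT_NUMBER@cloudbuild.gserviceaccount.com` identity) a role, highlighting roles on Cloud Storage, Artifact Registry and Container Registry. It also lists functions whose build still falls back to the project default account; the `buildConfig.serviceAccount` field it inspects is assumed here to be the per-function build account setting, and both the policy and the function list are constructed sample data.

```python
"""Audit helper for the ConfusedFunction exposure described above.
Added example, not the article's or any vendor's code. Sample inputs are constructed."""
from __future__ import annotations

import json
import re

# Member form of the legacy default Cloud Build service account: the account the
# article says remains over-privileged for projects created before 2024-02-14.
LEGACY_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Role prefixes for the services the article names as reachable from that account.
# Container Registry images are stored in Cloud Storage buckets, so storage roles cover it.
SENSITIVE_ROLE_PREFIXES = ("roles/storage.", "roles/artifactregistry.", "roles/containerregistry.")

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/artifactregistry.writer",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:fn-build@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwX1example",
  "version": 1
}
"""

# Constructed sample of function descriptions. The buildConfig.serviceAccount field is
# assumed to hold the per-function build account; empty means "project default".
SAMPLE_FUNCTIONS = [
    {"name": "projects/example-project/locations/us-central1/functions/ingest",
     "buildConfig": {"serviceAccount": ""}},
    {"name": "projects/example-project/locations/us-central1/functions/report",
     "buildConfig": {"serviceAccount":
                     "projects/example-project/serviceAccounts/"
                     "fn-build@example-project.iam.gserviceaccount.com"}},
]


def legacy_sa_bindings(policy: dict) -> list[dict]:
    """Return every binding that grants the legacy Cloud Build SA a role, marking
    roles on Storage / Artifact Registry / Container Registry as sensitive."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if LEGACY_BUILD_SA.match(member):
                findings.append({
                    "member": member,
                    "role": role,
                    "sensitive": role.startswith(SENSITIVE_ROLE_PREFIXES),
                })
    return findings


def functions_on_default_build_sa(functions: list[dict]) -> list[str]:
    """Names of functions with no explicit build service account, i.e. the ones
    that still build under the project default (legacy) Cloud Build account."""
    return [
        f["name"] for f in functions
        if not f.get("buildConfig", {}).get("serviceAccount")
    ]


def audit(policy_json: str, functions: list[dict]) -> dict:
    """Combine both checks into one report a practitioner can act on."""
    policy = json.loads(policy_json)
    bindings = legacy_sa_bindings(policy)
    return {
        "legacy_sa_roles": sorted(b["role"] for b in bindings),
        "sensitive_roles": sorted(b["role"] for b in bindings if b["sensitive"]),
        "functions_needing_dedicated_build_sa": functions_on_default_build_sa(functions),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY_JSON, SAMPLE_FUNCTIONS), indent=2))
```

On the sample data the report shows the legacy account holding `roles/storage.admin` and `roles/artifactregistry.writer` in addition to its builder role, and the `ingest` function still building under it; each such function is a candidate for the dedicated least-privilege build account the article recommends, after which the broad bindings on the legacy account can be removed.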
Google's remediation of ConfusedFunction for future Cloud Build accounts offers some reassurance, but the vulnerability has not been completely eliminated for existing instances. It is crucial to stay vigilant and take necessary steps to secure your Cloud Build instances to prevent potential attacks.