A Google Cloud Build Vulnerability Could Aid Supply-Chain Attacks

Researchers found a critical vulnerability in the Google Cloud Build that allowed elevated privileges to unauthorized users. An adversary could exploit the design flaw for various malicious activities, including supply-chain attacks.

A Google Cloud Build Vulnerability Could Aid Supply-Chain Attacks

Google Cloud Build Vulnerability

Different security firms analyzed and discovered a severe design flaw in the Google Cloud Build service. Specifically, they discovered a privilege escalation vulnerability in the Google Cloud Build that allowed explicit access to an unauthorized adversary.

Google Cloud Build is Google’s CI/CD service helping users to automate building, testing, and software deployment across all languages. It also supports integration with other Google Cloud services, such as App Engine and Kubernetes Engine. RhinoSecurity Labs separately described the vulnerability affecting the Google Cloud Platform (GCP) in a report. (Published in two parts, the report also highlights a similar Identity & Access Management (IAM) privilege escalation in the Amazon Web Services (AWS).)

Their researchers observed that an adversary might exploit the issue in a specific Cloud Build to gain elevated privileges and explicit access to the build server. The attacker may use compromised GCP credentials to achieve the desired permissions.

Then, upon achieving remote code execution on the target build server, the attacker can find and abuse the Cloud Build Service Account access token locally cached on the server. Later, using this access token enables the attacker to achieve higher privileges. Upon discovering the vulnerability, Rhino Security Labs responsibly disclosed the matter to Google.

However, the tech giant didn’t consider this a security flaw. Meanwhile, another security firm, Orca Security, also discovered the same issue and could exploit the vulnerability more quickly. Their researchers have explained the details about this vulnerability, which they call “Bad.Build”, in a separate post. They found the flaw trivially exploitable as an adversary could maliciously manipulate application images, inducing a supply-chain attack similar to SolarWinds and 3CX security incidents.

Google Assured The Vulnerability Fix

Following this discovery, Orca Security also contacted Google, which acknowledged the matter and deployed a partial fix. However, since the flaw remained exploitable, the researchers urged all organizations to monitor the Google Cloud Build Service Account for malicious behavior, deploy the Principle of Least Privilege, and implement cloud detection and response capabilities. Nonetheless, according to a recent statement from Google (as provided to the Bleeping Computer), the tech giant has patched the vulnerability.
Attribution link