high

GCP Cloud Functions Privilege Escalation Vulnerability

Published Wed, Jul 24th, 2024

Platforms

gcp

Summary

A privilege escalation vulnerability dubbed "ConfusedFunction" was discovered in Google Cloud Platform's Cloud Functions service. It allows attackers to escalate privileges from Cloud Function permissions to the default Cloud Build service account during function deployment. The vulnerability affects both first- and second-generation Cloud Functions.

Affected Services

Cloud Functions, Cloud Build

Remediation

For every cloud function using the legacy Cloud Build service account, replace it with a least-privilege service account.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

-

Exploitability Period

Until mid-June 2024

Known ITW Exploitation

-

Detection Methods

Monitor for suspicious activity related to Cloud Function deployments and Cloud Build instances. Review IAM permissions and service account usage for Cloud Functions and Cloud Build.
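The remediation and detection guidance above both come down to the same inventory question: which functions still build with the legacy Cloud Build service account? The following audit script is an added example and is not part of the original entry or of any Google tooling. It assumes the well-known legacy account form `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`, that a function description exported with `gcloud functions list --format=json` exposes the build account as `buildConfig.serviceAccount` (2nd gen, v2 API) or `buildServiceAccount` (1st gen, v1 API), and that `gcloud functions deploy` accepts `--build-service-account`; the sample inventory is constructed, not real project data.

```python
"""Audit a Cloud Functions inventory for use of the legacy Cloud Build service account.

Added example: flags every function that either sets no explicit build service
account (so the legacy Cloud Build account is used by default) or names the
legacy account explicitly, and prints a suggested redeploy command for each.
"""
import json
import re
from typing import List, Optional

# Assumed well-known naming pattern of the legacy Cloud Build service account.
LEGACY_BUILD_SA_RE = re.compile(r"^\d+@cloudbuild\.gserviceaccount\.com$")


def build_service_account(fn: dict) -> Optional[str]:
    """Return the build service account e-mail configured on a function, or None.

    Assumed field names: 2nd-gen descriptions carry buildConfig.serviceAccount
    (a resource name projects/P/serviceAccounts/EMAIL); 1st-gen descriptions
    carry buildServiceAccount. None means no explicit build account is set.
    """
    sa = fn.get("buildConfig", {}).get("serviceAccount") or fn.get("buildServiceAccount")
    if not sa:
        return None
    return sa.rsplit("/", 1)[-1]  # strip any projects/.../serviceAccounts/ prefix


def uses_legacy_build_sa(fn: dict) -> bool:
    """True when the function builds with the legacy Cloud Build account (explicitly or by default)."""
    sa = build_service_account(fn)
    return sa is None or LEGACY_BUILD_SA_RE.match(sa) is not None


def find_legacy_functions(inventory: List[dict]) -> List[str]:
    """Return the full resource names of all functions that need remediation."""
    return [fn["name"] for fn in inventory if uses_legacy_build_sa(fn)]


def remediation_command(fn: dict, dedicated_sa: str) -> str:
    """Build the gcloud redeploy command that pins a dedicated build service account.

    Assumes a resource name of the form projects/P/locations/REGION/functions/NAME
    and the --build-service-account flag of `gcloud functions deploy`.
    """
    parts = fn["name"].split("/")
    project, region, short_name = parts[1], parts[3], parts[5]
    return (
        f"gcloud functions deploy {short_name} --project={project} --region={region} "
        f"--build-service-account=projects/{project}/serviceAccounts/{dedicated_sa}"
    )


# Constructed sample shaped like `gcloud functions list --format=json` output.
SAMPLE_INVENTORY = json.loads("""
[
  {"name": "projects/example-project/locations/us-central1/functions/ingest",
   "environment": "GEN_2",
   "buildConfig": {"serviceAccount": "projects/example-project/serviceAccounts/fn-build@example-project.iam.gserviceaccount.com"}},
  {"name": "projects/example-project/locations/us-central1/functions/nightly-export",
   "environment": "GEN_2",
   "buildConfig": {}},
  {"name": "projects/example-project/locations/europe-west1/functions/legacy-webhook",
   "environment": "GEN_1",
   "buildServiceAccount": "123456789012@cloudbuild.gserviceaccount.com"}
]
""")

if __name__ == "__main__":
    dedicated = "fn-build@example-project.iam.gserviceaccount.com"  # constructed least-privilege account
    for fn in SAMPLE_INVENTORY:
        if uses_legacy_build_sa(fn):
            print(f"LEGACY BUILD SA: {fn['name']}")
            print("  fix:", remediation_command(fn, dedicated))
```

Run it against a real export with `gcloud functions list --format=json > inventory.json` and load that file instead of `SAMPLE_INVENTORY`; the absence of an explicit build account is treated as a finding because that is exactly the default that hands the build the legacy account's permissions.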

Piercing Index Rating

-

Discovered by

Liv Matan, Tenable