high

GCP Cloud Functions Privilege Escalation Vulnerability

Published Wed, Jul 24th, 2024
Platforms

Summary

A privilege escalation vulnerability dubbed "ConfusedFunction" was discovered in Google Cloud Platform's Cloud Functions service. It allows attackers to escalate privileges from Cloud Function permissions to the default Cloud Build service account during function deployment. The vulnerability affects both first and second-generation Cloud Functions.

Affected Services

Cloud Functions, Cloud Build

Remediation

For every cloud function using the legacy Cloud Build service account, replace it with a least-privilege service account.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/mer-b
Entry Status
Finalized
Disclosure Date
-
Exploitablity Period
Until mid-June 2024
Known ITW Exploitation
-
Detection Methods
Monitor for suspicious activity related to Cloud Function deployments and Cloud Build instances. Review IAM permissions and service account usage for Cloud Functions and Cloud Build.
Piercing Index Rating
-
Discovered by
Liv Matan, Tenable

More vulnerabilities...

high

Unauthorized Access to AWS Account Findings in Microsoft Defender for Cloud

Microsoft Defender for Cloud at one point provided customers with a flawed configuration template through their public GitHub repository. This template creates resources in the customer's AWS accou...

...
Brandon Evans, Eric Johnson

low

GCP HMAC Keys are not discoverable or revokable other than for self

GCP administrators face challenges in managing HMAC keys within their organizations, lacking visibility into which user accounts have generated these keys and whether they are actively being used...

...
Kat Traxler, Vectra AI

low

GCP HMAC Keys do not log creation, deletion or usage

Cloud Audit Logs do not capture actions mediated through the cloud console private API service (cloudconsole-pa). Consequently, there is no logging of HMAC key creation or deletion linked to user...

...
Kat Traxler, Vectra AI

View all