Researchers have recently uncovered a vulnerability in Google Cloud Platform (GCP) known as “ConfusedFunction,” which affects two of the platform's services: Cloud Functions and Cloud Build. The flaw stems from the automatic attachment of a default Cloud Build service account with excessive permissions to the instances created during Cloud Function deployment, a step that most GCP users never see.
According to Tenable researchers, malicious actors could potentially exploit this vulnerability during deployment by injecting or updating a Cloud Function with malicious code. This code could then utilize the attached service account’s permissions to gain unauthorized access to other critical GCP services such as Cloud Storage, Artifact Registry, or Container Registry.
To demonstrate the technique in a Node.js function runtime, the researchers outlined a series of steps. First, they ran npm init and edited package.json to include a script that calls out to a webhook. They then published that package to the public npm registry, created a new Cloud Function (or updated an existing one) that depends on the malicious package, and deployed the Cloud Function. During deployment, the Cloud Build instance installed the package, and the script exfiltrated the token of the default Cloud Build service account by sending it to the webhook.
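The attack above works because npm runs certain package.json lifecycle hooks automatically during `npm install`, which is exactly when the build runs with the Cloud Build service account's credentials. The following is an added example (not code from the Tenable write-up or from Google) of a pre-deploy check that parses package.json manifests and reports the install-time hooks a defender would want to review before a build ever runs; the sample manifests are constructed for illustration.

```python
"""Flag npm lifecycle scripts that run automatically during `npm install`.

Added example, not part of the original write-up: a small CI gate that parses
package.json manifests and reports hooks that execute code at install time,
the point in a Cloud Build run where dependency code runs with the build
service account's credentials.
"""
import json
import os

# npm runs these hooks with no explicit `npm run` during an install.
INSTALL_TIME_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(package_json_text: str) -> dict:
    """Return {hook: command} for every install-time hook declared in a manifest."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return {}
    return {hook: scripts[hook] for hook in INSTALL_TIME_HOOKS if hook in scripts}


def scan_tree(root: str) -> list:
    """Walk a checkout (including node_modules) and collect install-time hooks.

    Returns a list of (package_json_path, {hook: command}) for every manifest
    that declares at least one such hook.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                hooks = find_install_scripts(fh.read())
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't crash the gate
        if hooks:
            findings.append((path, hooks))
    return findings


# Constructed sample manifests (fictitious packages) for demonstration.
CLEAN_MANIFEST = json.dumps({
    "name": "clean-helper",
    "version": "1.0.0",
    "scripts": {"test": "jest", "build": "tsc"},
})

HOOKED_MANIFEST = json.dumps({
    "name": "suspicious-helper",
    "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"},
})

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_MANIFEST), ("hooked", HOOKED_MANIFEST)):
        print(label, find_install_scripts(text))
```

Run `scan_tree(".")` after a local `npm ci` (or over a vendored node_modules tree) in CI and fail the pipeline, or require a manual review, when any third-party manifest declares an install-time hook; `npm install --ignore-scripts` is the complementary control when the build does not actually need those hooks.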
Upon reporting this vulnerability to Google Cloud Platform, the company acknowledged the existence of the ConfusedFunction flaw and implemented partial remediation measures for Cloud Build accounts created after mid-June 2024. However, existing Cloud Build instances remain susceptible to exploitation despite these efforts to address the issue.
This highlights the complexities and potential risks associated with software interactions and inter-service communication within cloud platforms. While Google Cloud Platform has taken steps to improve security by enabling users to select custom service accounts with limited permissions for Cloud Build instances during deployment, the vulnerability still persists in pre-existing instances due to backward compatibility considerations.
To mitigate the risks associated with ConfusedFunction, users are advised to upgrade to the latest version of Cloud Functions, replace legacy Cloud Build service accounts with custom ones featuring minimal necessary permissions, and regularly review and adjust IAM permissions for Cloud Functions and Cloud Build instances to reduce potential attack surfaces.
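To support the "review and adjust" advice above, here is an added example (not code from Tenable or Google) of an audit that lists functions whose builds still run under the default or legacy Cloud Build service account. It assumes the input is the JSON list produced by `gcloud functions list --format=json` for 2nd gen functions, where each entry is a Cloud Functions v2 `Function` resource with a `buildConfig.serviceAccount` field naming the build service account; verify that field name against your own output. The project number and function names in the sample are constructed.

```python
"""Audit Cloud Functions for builds that still use the default Cloud Build SA.

Added example, not code from Tenable or Google. Assumes the input is the JSON
produced by `gcloud functions list --format=json`, where each entry is a Cloud
Functions v2 `Function` resource with a `buildConfig.serviceAccount` field
(assumption: field name as in the v2 API; check it against your output).
"""
import json


def legacy_build_sa_email(project_number: str) -> str:
    """Email of the legacy default Cloud Build service account for a project."""
    return f"{project_number}@cloudbuild.gserviceaccount.com"


def audit_build_service_accounts(functions: list, project_number: str) -> list:
    """Return [(function_name, reason)] for functions that need attention.

    A function is flagged when its build config names no service account
    (so the platform default applies) or names the legacy Cloud Build account.
    """
    legacy = legacy_build_sa_email(project_number)
    findings = []
    for fn in functions:
        name = fn.get("name", "<unnamed>")
        build_cfg = fn.get("buildConfig") or {}
        sa = build_cfg.get("serviceAccount", "")
        if not sa:
            findings.append((name, "no build service account set; default applies"))
        elif sa == legacy or sa.endswith("/" + legacy):
            findings.append((name, "build uses legacy Cloud Build service account"))
    return findings


def audit_from_json(text: str, project_number: str) -> list:
    """Parse gcloud JSON output and run the audit."""
    return audit_build_service_accounts(json.loads(text), project_number)


# Constructed sample output for a fictitious project (number 123456789012).
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_FUNCTIONS_JSON = json.dumps([
    {
        "name": "projects/example-proj/locations/us-central1/functions/legacy-fn",
        "buildConfig": {
            "serviceAccount": "projects/example-proj/serviceAccounts/"
                              "123456789012@cloudbuild.gserviceaccount.com"
        },
    },
    {
        "name": "projects/example-proj/locations/us-central1/functions/unset-fn",
        "buildConfig": {"runtime": "nodejs20"},
    },
    {
        "name": "projects/example-proj/locations/us-central1/functions/hardened-fn",
        "buildConfig": {
            "serviceAccount": "projects/example-proj/serviceAccounts/"
                              "fn-build@example-proj.iam.gserviceaccount.com"
        },
    },
])

if __name__ == "__main__":
    for name, reason in audit_from_json(SAMPLE_FUNCTIONS_JSON, SAMPLE_PROJECT_NUMBER):
        print(f"{name}: {reason}")
```

Pipe real output in with `gcloud functions list --format=json | python audit.py` once the `__main__` block reads stdin instead of the sample. For each flagged function, redeploy with a dedicated build service account that holds only the roles the build needs (the article's "custom ones featuring minimal necessary permissions"); in recent gcloud versions the deploy command accepts a build service account option for this (assumption: confirm the exact flag in `gcloud functions deploy --help` for your version).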
In conclusion, while Google Cloud Platform has made progress in addressing the ConfusedFunction vulnerability, users must remain vigilant and proactive in implementing patch and mitigation strategies to safeguard their cloud environments against potential breaches and unauthorized access.