
Orca: Exploitable Design Flaw in Google Cloud allows Supply Chain Attacks


A design flaw in Google Cloud Build has been discovered that could potentially allow attackers to escalate privileges and carry out supply chain attacks, according to research conducted by Orca Security. This flaw, named “Bad.Build” by Orca, is a privilege escalation issue that could enable an attacker with access to a victim’s Google Cloud Build environment to exploit default permissions and gain access to code repositories and images in Google Cloud’s Artifact Registry. With this access, the attacker could manipulate code in the victim’s software development environment, leading to a supply chain attack that could impact the victim’s customers.

The flaw was uncovered by Orca during an investigation into the setIamPolicy API call request, which is used in the Google Cloud Platform (GCP) to set different user and group roles. Orca’s security researcher, Roi Nisimi, who discovered the issue, explained in a blog post that whenever the API call is made, “the full Project’s permissions are included in the Message Body Request, not just the ones we edited.” This information is highly valuable for attackers as it simplifies lateral movement and privilege escalation within the environment. Knowing which actions can be performed by each GCP account is akin to finding a crucial piece of the puzzle needed to launch an attack. If this permission map were to fall into the wrong hands, the consequences could be extremely dangerous.

Nisimi highlighted that one of the roles that the API call can list through a logging.privateLogEntries.list action is roles/cloudbuild.builds.builder, which is the default role assigned to a Google Cloud Build service account. By using just three lines of code and a cloudbuild.builds.create permission, which is possessed by multiple developer roles, an attacker could gain unauthorized access to code repositories used in software development. For more technical details, the complete findings are available in Orca’s blog post.

Upon being informed about the Bad.Build flaw, Google’s security team initiated an investigation into the issue and implemented a partial fix. However, this fix does not fully address the privilege escalation vector. The blog post from Orca mentioned that the Google Security Team chose to keep the default permissions of the Google Cloud Build service account unchanged, except for the logging.privateLogEntries.list permission. They stated that these default permissions support the most common development workflows and emphasized that customers are responsible for restricting access for more advanced scenarios. Nisimi indicated that even with the partial mitigation in place, the flaw remains fully exploitable.

Nisimi and Orca advised organizations to carefully monitor the activity of the default Google Cloud Build service account and follow the principle of least privilege to minimize the risk associated with this vulnerability.
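The monitoring advice above can be turned into a concrete check. The following is an added example (not Orca's or Google's code) that scans Cloud Audit Log entries for the default Cloud Build service account exercising the permissions named in the article; the sample entries are constructed, the default service account naming pattern is what GCP uses, and the exact permission string for setIamPolicy is an assumption.

```python
import json
import re
from typing import Iterable

# Naming pattern of the default Cloud Build service account: <project-number>@cloudbuild.gserviceaccount.com
DEFAULT_BUILD_SA = re.compile(r"^\d+@cloudbuild\.gserviceaccount\.com$")

# Permissions to alert on when exercised by that identity. The first two are the
# ones named in the article; resourcemanager.projects.setIamPolicy is assumed to be
# the permission behind the setIamPolicy call the article mentions.
WATCHED_PERMISSIONS = {
    "cloudbuild.builds.create",
    "logging.privateLogEntries.list",
    "resourcemanager.projects.setIamPolicy",
}


def suspicious_events(entries: Iterable[dict]) -> list:
    """Return audit entries where the default build SA was granted a watched permission."""
    hits = []
    for entry in entries:
        proto = entry.get("protoPayload", {})
        principal = proto.get("authenticationInfo", {}).get("principalEmail", "")
        if not DEFAULT_BUILD_SA.match(principal):
            continue  # only the default Cloud Build identity is in scope here
        granted = {a.get("permission") for a in proto.get("authorizationInfo", [])
                   if a.get("granted")}  # denied attempts are not counted as hits
        flagged = sorted(granted & WATCHED_PERMISSIONS)
        if flagged:
            hits.append({"timestamp": entry.get("timestamp"), "principal": principal,
                         "method": proto.get("methodName"), "permissions": flagged})
    return hits


def scan_log_lines(lines: Iterable[str]) -> list:
    """Parse newline-delimited JSON audit entries and run the check."""
    return suspicious_events(json.loads(line) for line in lines if line.strip())


# Constructed sample entries (shape follows Cloud Audit Logs; values are made up).
SAMPLE_LOG = [
    '{"timestamp": "2023-07-18T10:00:01Z", "protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.ListLogEntries", "authenticationInfo": {"principalEmail": "123456789012@cloudbuild.gserviceaccount.com"}, "authorizationInfo": [{"permission": "logging.privateLogEntries.list", "granted": true}]}}',
    '{"timestamp": "2023-07-18T10:00:02Z", "protoPayload": {"methodName": "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild", "authenticationInfo": {"principalEmail": "dev@example.com"}, "authorizationInfo": [{"permission": "cloudbuild.builds.create", "granted": true}]}}',
    '{"timestamp": "2023-07-18T10:00:03Z", "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "123456789012@cloudbuild.gserviceaccount.com"}, "authorizationInfo": [{"permission": "resourcemanager.projects.setIamPolicy", "granted": false}]}}',
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit)
```

Only the first sample entry is reported: the second is a human developer, and the third is a denied attempt, which is worth a separate alert but is not a granted action.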

In response to the issue, a Google spokesperson informed TechTarget Editorial that the company had established a vulnerability rewards program specifically designed to identify and address vulnerabilities such as this. The spokesperson expressed gratitude for Orca’s participation in the program and the broader security community’s efforts. Google has incorporated a fix based on the report provided by Orca, as outlined in a security bulletin issued in early June.

This discovery highlights the importance for organizations to prioritize security measures and regularly assess potential vulnerabilities in their cloud environments. As cloud services continue to play a significant role in modern business operations, it is crucial for organizations to remain vigilant in their efforts to protect sensitive data and prevent system compromise.
