Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform’s Cloud Features service that an attacker might exploit to entry different companies and delicate knowledge in an unauthorized method.
Tenable has given the vulnerability the identify ConfusedFunction.
“An attacker might escalate their privileges to the Default Cloud Construct Service Account and entry quite a few companies reminiscent of Cloud Construct, storage (together with the supply code of different capabilities), artifact registry and container registry,” the publicity administration firm mentioned in an announcement.
“This entry permits for lateral motion and privilege escalation in a sufferer’s mission, to entry unauthorized knowledge and even replace or delete it.”
Cloud Features refers to a serverless execution setting that enables builders to create single-purpose capabilities which might be triggered in response to particular Cloud occasions with out the necessity to handle a server or replace frameworks.
The issue found by Tenable has to do with the truth that a Cloud Construct service account is created within the background and linked to a Cloud Construct occasion by default when a Cloud Perform is created or up to date.
This service account opens the door for potential malicious exercise owing to its extreme permissions, thereby allowing an attacker with entry to create or replace a Cloud Perform to leverage this loophole and escalate their privileges to the service account.
This permission might then be abused to entry different Google Cloud companies which might be additionally created in tandem with the Cloud Perform, together with Cloud Storage, Artifact Registry, and Container Registry. In a hypothetical assault state of affairs, ConfusedFunction could possibly be exploited to leak the Cloud Construct service account token through a webhook.
Following accountable disclosure, Google has up to date the default habits such that Cloud Construct makes use of the Compute Engine default service account to forestall misuse. Nevertheless, it is value noting that these adjustments don’t apply to present situations.
“The ConfusedFunction vulnerability highlights the problematic eventualities which will come up because of software program complexity and inter-service communication in a cloud supplier’s companies,” Tenable researcher Liv Matan mentioned.
“Whereas the GCP repair has diminished the severity of the issue for future deployments, it did not fully eradicate it. That is as a result of the deployment of a Cloud Perform nonetheless triggers the creation of the aforementioned GCP companies. Because of this, customers should nonetheless assign minimal however nonetheless comparatively broad permissions to the Cloud Construct service account as a part of a perform’s deployment.”
The event comes as Outpost24 detailed a medium-severity cross-site scripting (XSS) flaw within the Oracle Integration Cloud Platform that could possibly be weaponized to inject malicious code into the applying.
The flaw, which is rooted within the dealing with of the “consumer_url” parameter, was resolved by Oracle in its Vital Patch Replace (CPU) launched earlier this month.
“The web page for creating a brand new integration, discovered at https://<instanceid>.integration.ocp.oraclecloud.com/ic/integration/dwelling/faces/hyperlink?web page=integration&consumer_url=<payload>, didn’t require some other parameters,” security researcher Filip Nyquist mentioned.
“This meant that an attacker would solely have to establish the instance-id of the precise integration platform to ship a useful payload to any person of the platform. Consequently, the attacker might bypass the requirement of understanding a selected integration ID, which is usually accessible solely to logged-in customers.”
It additionally follows Assetnote’s discovery of three security vulnerabilities within the ServiceNow cloud computing platform (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217) that could possibly be long-established into an exploit chain to be able to acquire full database entry and execute arbitrary code on the throughout the context of the Now Platform.
