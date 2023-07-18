



A new Orca Security investigation reveals a design flaw in Google Cloud Build that, under the right circumstances, allows attackers to elevate privileges and carry out supply chain attacks.

This design flaw, dubbed “Bad.Build” by cloud security vendor Orca, is a privilege escalation issue. An attacker with access to the victim’s Google Cloud Build environment could exploit default privileges to access code repositories and images in the victim’s Artifact Registry on Google Cloud. This access allows the attacker to poison code in the victim’s software development environment, which can reach downstream and infect the victim’s customers, triggering a supply chain attack.

Orca discovered this flaw while investigating setIamPolicy API call requests used to set roles for various users and groups on Google Cloud Platform (GCP). Orca security researcher Roi Nisimi, who discovered the issue, wrote in a blog post that “full project permissions are included in the message body request, not just what you edited” each time the call is invoked.

“The reason this information is so lucrative is that it greatly facilitates lateral movement and privilege escalation within the environment,” he wrote. “Knowing which GCP account can perform which actions is like solving a big piece of the puzzle on how to launch an attack.”

Nisimi mentioned that one of the roles that can be listed in a call through the logging.privateLogEntries.list action is roles/cloudbuild.builds.builder, which is the default role assigned to the Google Cloud Build service account. An attacker could then gain access to code repositories, including those used in software development, via three lines of code and the cloudbuild.builds.create privilege that many developer roles have. Full technical details can be found in Orca’s Tuesday blog post.

Nisimi wrote that after Orca reported the Bad.Build flaw to Google, the tech giant’s security team investigated the issue and deployed a partial fix. However, the privilege escalation vector itself has not been removed.

“The Google Security team informed us that they intend to keep the default permissions for the Google Cloud Build service account (except for the logging.privateLogEntries.list permission) the same, citing that they support the most common development workflows, and stressing that it is the customer’s responsibility to lock down access in more advanced scenarios,” the blog post reads.

Nisimi told the TechTarget editorial that even with partial mitigation, the flaw is still fully exploitable.

“It can probably be considered something that can never be undone, because it is within the scope of the [GCP] plan. They decided not to revoke it, so the risk in the platform would remain forever, creating opportunities and privileges for attackers to elevate their privileges,” he said.

Nisimi and Orca advised relevant organizations to “pay close attention to the behavior of the default Google Cloud Build service account” and apply the principle of least privilege.
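The two points above, that any principal holding cloudbuild.builds.create can run code under the Cloud Build service account and that the default account keeps its broad builder role, can be checked from a project's IAM policy. The following audit script is an added example, not Orca's or Google's code; it parses `gcloud projects get-iam-policy PROJECT --format=json` output (a constructed sample is embedded), and the set of predefined roles treated as granting cloudbuild.builds.create is an assumption you should extend for your own custom roles.

```python
import json

# Assumption: predefined roles that carry cloudbuild.builds.create.
# Extend this set with any custom roles in your organisation that grant it.
BUILD_CREATE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/cloudbuild.builds.editor",
    "roles/cloudbuild.builds.builder",
}

# The default Cloud Build service account is PROJECT_NUMBER@cloudbuild.gserviceaccount.com
DEFAULT_BUILD_SA_SUFFIX = "@cloudbuild.gserviceaccount.com"
DEFAULT_BUILD_ROLE = "roles/cloudbuild.builds.builder"

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:dev@example.com", "group:ci-admins@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:auditor@example.com"]},
    ]
})


def audit_build_policy(policy_json):
    """Return (build_triggerers, default_sa_keeps_builder_role).

    build_triggerers: principals that can start a build and therefore run
    code with whatever the Cloud Build service account is allowed to do.
    default_sa_keeps_builder_role: True if the default Cloud Build service
    account is still bound to its broad default role (least-privilege gap).
    """
    policy = json.loads(policy_json)
    triggerers = set()
    default_sa_unchanged = False
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member.endswith(DEFAULT_BUILD_SA_SUFFIX) and role == DEFAULT_BUILD_ROLE:
                default_sa_unchanged = True
            elif role in BUILD_CREATE_ROLES:
                triggerers.add(member)
    return sorted(triggerers), default_sa_unchanged


if __name__ == "__main__":
    who, default_kept = audit_build_policy(SAMPLE_POLICY)
    print("Can trigger builds:", who)
    print("Default Cloud Build SA still has builder role:", default_kept)
```

Each principal it lists should be reviewed as someone who effectively inherits the build service account's access to Artifact Registry; replacing the default account with a dedicated, narrowly scoped service account for builds closes the second finding.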

In a statement to the TechTarget editorial, a Google spokesperson said the tech giant created a vulnerability bounty program “specifically to identify and fix vulnerabilities like this one.”

“We thank Orca and the broader security community for their participation in these programs,” the statement reads. “We appreciate the efforts of the researchers and have incorporated fixes based on their reports outlined in a security bulletin published in early June.”

