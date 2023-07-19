



A newly discovered vulnerability in Google Cloud Build allows attackers to inject malware by tampering with images stored in the Artifact Registry, Google’s repository for hosting software artifacts such as packages and container images.

Applications using these compromised container images are at risk of malware infection, denial of service attacks, data theft, and other adverse effects.

Bad.Build issue

Researchers at Orca Security recently discovered this flaw, dubbed Bad.Build, when analyzing application programming interface (API) call requests associated with Google Cloud Platform resources. They reported the issue to Google, who investigated the issue and issued a fix in June.

However, Orca said in a report this week that the fix falls short and only partially addresses the vulnerability.

Orca cloud threat researcher Roi Nisimi said, “This flaw poses a significant risk to the supply chain as it allows attackers to maliciously tamper with application images, which could potentially infect users or customers as they install applications.” “As we have seen with SolarWinds and the recent 3CX and MOVEit supply chain attacks, this can have far-reaching implications.”

According to Orca, the Bad.Build flaw is actually a design issue and has to do with the default permissions associated with the Google Cloud Build service. The excessive privileges associated with this service give adversaries a relatively easy way to access the audit log, which contains the complete list of privileges associated with all GCP accounts within a Google Cloud Build “project”.

“What makes this information so lucrative is that it greatly facilitates lateral movement and privilege escalation within the environment,” Nishimi said. “Knowing which of her GCP accounts can perform which actions is like solving a big piece of the puzzle on how to launch an attack.”

Orca researchers found that by using a GCP account with permissions to create new builds (cloudbuild.builds.create), it was relatively easy to impersonate the Cloud Build Service account and view all project permissions. “An attacker would need access to the cloudbuild.builds.create privilege, which could be obtained by an insider, or by an outsider who gains unauthorized access to a user with this privilege,” Nisimi said in his Dark Reading comments.

easy to exploit

“With just three lines of code, you can build a public Gcloud image on your Cloud Build server and run the commands shown in the proof of concept to elevate a user’s privileges and perform any action that the Cloud Build service account is allowed to do,” he says.

Google’s fix for Bad.Build removed the logging permission from the default Google Cloud Build service role. That means certain services won’t have access to audit logs that list project-wide permissions every time a change is made, Nisimi said.

However, there is a full list of other roles with cloudbuild.builds.create permissions that can do the same thing. Anyone with the cloudbuild.builds.create permission can elevate their privileges and perform a wide range of actions, including manipulating images and injecting malicious code into images, unless an organization specifically revokes the default permissions for the Google Cloud Build service.

A Google spokesperson said little about the flaw or the fix claim. “We appreciate the efforts of the researchers and have incorporated fixes based on their reports outlined in a security bulletin published in early June,” he said.

Permission restrictions

According to Google’s advisory for this vulnerability, when a user enables the Cloud Build API on a project, Cloud Build automatically creates a default service account to run builds on the user’s behalf. This Cloud Build service account previously allowed builds access to private logs by default, but as stated in the June 8th security bulletin, “In compliance with the security principle of least privilege, this permission has been revoked from the Cloud Build service account.”

According to Nisimi, Google’s position seems to be that the default permissions that organizations choose to enable for Cloud Build are the problem. “Google is aware of the risks of supply chain attacks like the ones mentioned above, but we believe it revolves around default permission choices that support the most common development workflows,” he said.

Google’s stance is that it is the customer’s responsibility to further lock down access for more advanced scenarios. “The supply chain risk is therefore persistent and organizations should restrict cloudbuild.builds.create permissions as much as possible to mitigate the risk of supply chain attacks,” says Nishimi.

