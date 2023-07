Researchers at Orca Security warn that the permissions tied to Google Cloud's Cloud Build service can be abused by an attacker who holds only an ordinary account to escalate privileges and poison container images used in production. Cloud Build is Google Cloud's CI/CD platform: it lets organizations and developers build code written in many programming languages, importing source from repositories and Cloud Storage locations, building it according to a configured specification, and producing artifacts such as container images that can be deployed directly into production.

Cloud Build integrates with other Google Cloud services such as Artifact Registry, Google Kubernetes Engine, and App Engine, which gives it powerful capabilities and broad access. Several predefined roles in Google Cloud already include some of the permissions needed to call Cloud Build functions, and those permissions can also be granted individually to users, groups, and service accounts.

One of these permissions, which Orca Security researchers found can be abused for privilege escalation, is cloudbuild.builds.create. As the name suggests, it lets its holder create new builds with the Cloud Build service. The Orca researchers note that in an environment that uses Cloud Build as its main CI/CD platform, it makes sense for an organization to have users with this permission. In fact, not only administrator-level roles but several default roles carry it, including developer-oriented roles such as dataflow.developer.
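Because the permission hides inside predefined roles rather than appearing by name in the IAM policy, the practical question for a defender is "which principals in this project effectively hold cloudbuild.builds.create?". The following is an added example, not Orca Security's tooling or Google's code: it expands each binding's role into its permission set and lists every principal that ends up with the target permission, reporting conditional bindings separately and treating non-admin holders as the interesting ones. The policy and the role-to-permission map below are constructed sample data; in a real project they come from `gcloud projects get-iam-policy PROJECT_ID --format=json` and, for every role that appears in that policy, `gcloud iam roles describe ROLE --format=json` (the `includedPermissions` field), since predefined roles change over time.

```python
"""Who can call cloudbuild.builds.create in a GCP project IAM policy?

Added example (not Orca Security's or Google's code). All inputs below are
constructed stand-ins shaped like the output of
  gcloud projects get-iam-policy PROJECT_ID --format=json
  gcloud iam roles describe roles/ROLE --format=json   (includedPermissions)
"""
import json
from collections import defaultdict

TARGET_PERMISSION = "cloudbuild.builds.create"

# Constructed sample policy in the shape returned by `gcloud projects get-iam-policy`.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:dev@example.com", "group:ci-team@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:auditor@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        # A conditional binding: still a grant, so it must be reported, not dropped.
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:contractor@example.com"],
         "condition": {"title": "contract-window",
                       "expression": "request.time < timestamp('2023-12-31T00:00:00Z')"}},
    ]
})

# Constructed, heavily truncated role -> permission sets. Real includedPermissions
# lists are far longer; build this map from `gcloud iam roles describe` output.
SAMPLE_ROLE_PERMISSIONS = {
    "roles/owner": {"cloudbuild.builds.create", "cloudbuild.builds.update",
                    "resourcemanager.projects.setIamPolicy"},
    "roles/viewer": {"cloudbuild.builds.get", "cloudbuild.builds.list"},
    "roles/cloudbuild.builds.editor": {"cloudbuild.builds.create", "cloudbuild.builds.get",
                                       "cloudbuild.builds.list", "cloudbuild.builds.update"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}

# Roles whose holders can do everything anyway; the finding is unremarkable for them.
ADMIN_ROLES = {"roles/owner", "roles/editor"}


def principals_with_permission(policy_json, role_permissions, permission=TARGET_PERMISSION):
    """Return {member: [(role, condition_title_or_None), ...]} for every principal
    whose bindings grant `permission`.

    Unknown roles raise instead of being skipped: a missing permission list must
    never be silently treated as "does not grant the permission".
    """
    policy = json.loads(policy_json)
    findings = defaultdict(list)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in role_permissions:
            raise KeyError(f"no permission list for {role}; fetch it with gcloud iam roles describe")
        if permission not in role_permissions[role]:
            continue
        condition = binding.get("condition")
        cond_title = condition["title"] if condition else None
        for member in binding["members"]:
            findings[member].append((role, cond_title))
    return dict(findings)


def non_admin_holders(findings):
    """Principals that get the permission only through non-admin roles.

    These are the ones worth reviewing: a developer-grade role carrying
    builds.create is exactly the escalation path described in the article.
    """
    return sorted(member for member, grants in findings.items()
                  if not any(role in ADMIN_ROLES for role, _ in grants))


def format_report(findings):
    """One line per (principal, granting role), noting conditional grants."""
    lines = []
    for member in sorted(findings):
        for role, cond in findings[member]:
            suffix = f" (conditional: {cond})" if cond else ""
            lines.append(f"{member} via {role}{suffix}")
    return lines


if __name__ == "__main__":
    found = principals_with_permission(SAMPLE_POLICY_JSON, SAMPLE_ROLE_PERMISSIONS)
    print("\n".join(format_report(found)))
    print("non-admin holders:", non_admin_holders(found))
```

Run against a real policy, the report is the list to reconcile against the people who actually operate the CI/CD pipeline; every other holder of the permission is an escalation candidate. Deciding whether a conditional binding is currently live still needs a human or a CEL evaluator, which is why the script reports the condition rather than guessing.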

Privilege escalation leading to supply chain compromise

In a supply chain attack scenario, an attacker who controls a low-privileged account looks for paths to the source code or resources (such as binary artifacts) that an organization uses to develop and build applications before they are deployed. According to Orca Security, the cloudbuild.builds.create permission provides exactly such a path.

“By exploiting this flaw, which allows us to impersonate the default Cloud Build service account, an attacker can manipulate images in Google’s Artifact Registry and inject malicious code,” the Orca researchers said. “Any application built from the manipulated image is affected, with potential consequences such as denial of service (DoS) attacks, data theft, and malware spreading. Worse, if the rogue application is intended to be deployed in a customer environment (on-premises or semi-SaaS), the risk spreads from the supplying organization’s environment to the customer’s environment, constituting a supply chain attack similar to what happened in the SolarWinds and MOVEit incidents.”

Orca researchers dubbed the proof-of-concept attack vector Bad.Build, but they also found a second issue during their investigation: every time they updated access to a Google Cloud Platform (GCP) resource with the setIamPolicy API method, the complete set of permissions for the project was included in the message body and stored in the audit logs.

