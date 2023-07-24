



Researchers have discovered a critical security design flaw in Google Cloud Build, dubbed “Bad.Build”. This design flaw could allow an attacker to modify an organization’s code repositories and application images.

Security researchers published information about the vulnerability, issued a warning, and highlighted its potential to facilitate supply chain attacks similar to SolarWinds and MOVEit, with widespread and severe impact.

After receiving reports of this vulnerability, Google implemented a fix immediately. However, according to Orca researcher Roi Nisimi, the fix is only partial and does not completely solve the problem.

What causes Google Cloud Build issues?

Google Cloud Build is a managed continuous integration and delivery (CI/CD) service. It allows users to automate the process of building, testing and deploying software across a variety of programming languages. Google Cloud Build can be integrated with services such as Artifact Registry, Google Kubernetes Engine, and App Engine.

Cloud Build relies on service accounts to authenticate requests made during the build process. The issue that was identified is primarily due to improperly defined permissions on that service account.

Who is affected by Google Cloud Build design flaws?

The potential impact can be wide-ranging and applies to all organizations using Artifact Registry as their main or secondary image repository. The first direct impact is breaking applications that rely on these images. This can lead to denial of service (DoS) attacks, data theft, and the spread of malware to users.

Additionally, if tampered applications are deployed into customer environments, the risk extends beyond the infrastructure of the supplying organization and becomes a supply chain attack.

How do Google Cloud Build flaws work?

Orca researchers discovered that enabling the Cloud Build API on a project automatically creates a default service account for running builds. Until June, there was a flaw that allowed builds to access private audit logs containing the full list of project permissions.

Researchers discovered a design flaw within the Google Cloud Build service that allowed an attacker to elevate privileges and thereby gain unauthorized access to code repositories within Google’s Artifact Registry. An attacker who exploited this flaw by impersonating the default Cloud Build service account could manipulate images stored in Google’s Artifact Registry and inject malicious code.
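The two events that matter for detecting this kind of abuse are both visible in Cloud Audit Logs: a build being submitted by an identity that is not one of the organization’s known CI triggers, and the default Cloud Build service account acting on behalf of some other principal (an impersonation chain). The script below is an added example written for this article, not code from Orca, Google or SOCRadar. It reads newline-delimited audit-log entries, and the sample entries, project number, e-mail addresses and the Artifact Registry method name in it are constructed placeholders; the Cloud Build `CreateBuild` method name and the `serviceAccountDelegationInfo` field are taken from the audit-log format, but confirm both against your own project’s logs before relying on them.

```python
import json

# Email suffix of the default Cloud Build service account
# (<project-number>@cloudbuild.gserviceaccount.com).
DEFAULT_CB_SA_SUFFIX = "@cloudbuild.gserviceaccount.com"

# Audit-log methodName written by Cloud Build when a build is submitted.
CREATE_BUILD = "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild"

# Identities expected to submit builds in this project.
# Constructed for the example; replace with your own trigger identities.
ALLOWED_BUILD_CREATORS = {"ci-trigger@example-project.iam.gserviceaccount.com"}

# Constructed sample of Cloud Audit Log entries, one JSON object per line,
# trimmed to the fields the checks read. The project number, e-mail addresses
# and the Artifact Registry method name are placeholders, not real values.
SAMPLE_LOG = """
{"timestamp": "2023-07-20T10:00:00Z", "protoPayload": {"serviceName": "cloudbuild.googleapis.com", "methodName": "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild", "authenticationInfo": {"principalEmail": "ci-trigger@example-project.iam.gserviceaccount.com"}}}
{"timestamp": "2023-07-20T10:05:00Z", "protoPayload": {"serviceName": "cloudbuild.googleapis.com", "methodName": "google.devtools.cloudbuild.v1.CloudBuild.CreateBuild", "authenticationInfo": {"principalEmail": "contractor@example.com"}}}
{"timestamp": "2023-07-20T10:07:00Z", "protoPayload": {"serviceName": "artifactregistry.googleapis.com", "methodName": "Docker-PushManifest", "authenticationInfo": {"principalEmail": "123456789012@cloudbuild.gserviceaccount.com", "serviceAccountDelegationInfo": [{"firstPartyPrincipal": {"principalEmail": "contractor@example.com"}}]}}}
{"timestamp": "2023-07-20T10:08:00Z", "protoPayload": {"serviceName": "artifactregistry.googleapis.com", "methodName": "Docker-PushManifest", "authenticationInfo": {"principalEmail": "123456789012@cloudbuild.gserviceaccount.com"}}}
"""


def parse_entries(text):
    """Parse newline-delimited JSON audit-log entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_findings(entries):
    """Return a list of findings, one dict per suspicious audit-log entry."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        auth = payload.get("authenticationInfo", {})
        principal = auth.get("principalEmail", "")
        method = payload.get("methodName", "")
        stamp = entry.get("timestamp", "")

        # Check 1: a build was submitted by an identity that is not a known CI trigger.
        # Whoever can create a build runs code as the build's service account.
        if method == CREATE_BUILD and principal not in ALLOWED_BUILD_CREATORS:
            findings.append({"kind": "unexpected-build-creator", "principal": principal,
                             "method": method, "timestamp": stamp})

        # Check 2: the default Cloud Build SA is acting on behalf of another principal.
        # A build run directly by Cloud Build carries no delegation chain, so a
        # populated serviceAccountDelegationInfo means the SA was impersonated.
        delegation = auth.get("serviceAccountDelegationInfo") or []
        if principal.endswith(DEFAULT_CB_SA_SUFFIX) and delegation:
            delegators = [d.get("firstPartyPrincipal", {}).get("principalEmail", "?")
                          for d in delegation]
            findings.append({"kind": "cloudbuild-sa-impersonated",
                             "principal": ", ".join(delegators),
                             "method": method, "timestamp": stamp})
    return findings


def main():
    for f in find_findings(parse_entries(SAMPLE_LOG)):
        print(f"{f['timestamp']} {f['kind']}: {f['principal']} via {f['method']}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the script reports the build submitted by `contractor@example.com` and the Artifact Registry push made through an impersonated Cloud Build service account, and stays silent on the normal trigger-driven build and its push. In practice the entries come from a log sink or `gcloud logging read`, and the allowlist should be the set of trigger identities the organization actually uses.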

When asked about Orca’s partial fix claim, a Google spokesperson only mentioned the vulnerability bounty program and thanked the researchers for their cooperation.

Google said it incorporated a fix based on the researchers’ report in a security bulletin issued in early June, suggesting it would not roll out a new fix. This fix involved removing one permission from the default Cloud Build service account. However, the revoked permission was irrelevant to the Artifact Registry, so the supply chain risk remains in place.

Organizations should closely monitor the behavior of the default Google Cloud Build service account and govern it with Identity and Access Management (IAM) controls. Nisimi emphasized the importance of applying the principle of least privilege to reduce organizational risk.
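Least privilege here has two sides: what the default Cloud Build service account itself is allowed to do, and who is allowed to submit builds that run as that account. The following is an added example for this article, not code from Orca, Google or SOCRadar. It audits a project IAM policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`, using a constructed sample policy with placeholder project number and e-mail addresses. The role-to-permission lists are assumptions for illustration (`roles/cloudbuild.builds.editor` and the basic Owner/Editor roles carry `cloudbuild.builds.create`; the Artifact Registry writer/admin roles allow pushing images); extend them with any custom roles your project defines.

```python
import json

# Roles that let a principal submit builds, and so run code as the build's
# service account. Assumed, illustrative list; add your own custom roles.
BUILD_CREATE_ROLES = {"roles/cloudbuild.builds.editor", "roles/owner", "roles/editor"}

# Roles on the default Cloud Build SA that let a build overwrite images in
# Artifact Registry, which a plain build-and-test pipeline does not need.
ARTIFACT_WRITE_ROLES = {"roles/artifactregistry.writer",
                        "roles/artifactregistry.admin",
                        "roles/artifactregistry.repoAdmin"}
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Granted at project level, these roles allow acting as every service account
# in the project, the default Cloud Build account included.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser",
                       "roles/iam.serviceAccountTokenCreator"}

# Constructed sample policy (placeholder project number and principals).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/artifactregistry.admin",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/cloudbuild.builds.editor",
   "members": ["user:dev@example.com", "group:contractors@example.com"]},
  {"role": "roles/iam.serviceAccountUser", "members": ["user:dev@example.com"]},
  {"role": "roles/viewer", "members": ["user:auditor@example.com"]}
]}
""")


def default_cloud_build_sa(project_number):
    """Email of the service account Cloud Build creates when its API is enabled."""
    return f"{project_number}@cloudbuild.gserviceaccount.com"


def audit_policy(policy, project_number):
    """Return (kind, member, role) findings for a project IAM policy."""
    sa_member = "serviceAccount:" + default_cloud_build_sa(project_number)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])

        # Side 1: what the default Cloud Build SA can do.
        if sa_member in members:
            if role in BROAD_ROLES:
                findings.append(("default-sa-broad-role", sa_member, role))
            elif role in ARTIFACT_WRITE_ROLES:
                findings.append(("default-sa-artifact-write", sa_member, role))

        # Side 2: who can run code as that SA, directly (build creation)
        # or indirectly (project-wide impersonation rights).
        for member in members:
            if member == sa_member:
                continue
            if role in BUILD_CREATE_ROLES:
                findings.append(("can-create-builds", member, role))
            if role in IMPERSONATION_ROLES:
                findings.append(("project-level-impersonation", member, role))
    return findings


def main():
    for kind, member, role in audit_policy(SAMPLE_POLICY, "123456789012"):
        print(f"{kind}: {member} holds {role}")


if __name__ == "__main__":
    main()
```

On the constructed policy the audit reports the Artifact Registry admin role on the default service account, both principals who can create builds through `roles/cloudbuild.builds.editor`, and the project-wide `roles/iam.serviceAccountUser` grant. The `roles/cloudbuild.builds.builder` binding, which is the role the account is created with, is not flagged. Each reported principal effectively holds every permission the default service account has, which is what makes trimming that account’s roles the first step.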

Proof-of-Concept Exploit for Supply Chain Attacks

A supply chain attack proof of concept (PoC) includes the following steps:

1. Privilege escalation: An attacker can use cloudbuild.builds.create to gain elevated privileges to create builds using the Google Cloud Build service, which runs as the default Cloud Build service account.

2. Gaining access to the Artifact Registry: The attacker impersonates the Cloud Build service account and gains permission to make API calls against the Artifact Registry.

3. Image extraction: The attacker uses the Artifact Registry privileges to download and extract images used by Google Kubernetes Engine (GKE).

4. Image infection and push: The attacker injects malicious code into the image and pushes it back to the Artifact Registry. The compromised image is redeployed to GKE.

5. Supply chain attack and remote code execution: After the malicious image is deployed, the attacker can exploit it to gain root access and achieve remote code execution on Docker containers.

Google Cloud Build Vulnerability Kill Chain (source)

How does SOCRadar help?

SOCRadar’s Cloud Security module helps organizations monitor and protect their cloud storage assets. It can discover new cloud storage belonging to you, monitor the status of buckets, and send alerts when there are changes.

SOCRadar Cloud Security module for Attack Surface Management

Meanwhile, SOCRadar’s Supply Chain Intelligence module can help you monitor the third-party components your organization uses, alerting your security team to possible dangers as the latest news emerges.

SOCRadar Supply Chain Intelligence Module

Sources

1. https://Google.com/
2. https://socradar.io/google-partially-patches-cloud-builds-critical-design-flaw-bad-build/

