
Researchers uncover ConfusedFunction flaw in Google Cloud


Tenable researchers exposed a privilege escalation flaw in Google Cloud Platform’s (GCP) Cloud Functions service that attackers could abuse to access sensitive data and other services without authorisation.

Tenable has termed the vulnerability ‘ConfusedFunction’. Attackers can exploit it to gain higher privileges to the Default Cloud Build Service Account and access several services, such as Cloud Build, storage, artifacts, and container registry.

On Wednesday, the company said that the exploit enables lateral movement and privilege escalation within a target's project, allowing an attacker to access unauthorised data and to update or delete that data.

Cloud Functions, a serverless execution environment, lets developers write single-purpose functions that run in response to specific Cloud events, without having to manage or update a server. When a user creates or updates a Cloud Function, a backend process attaches the default Cloud Build service account to the Cloud Build instance that builds it.

That default account carries excessive permissions. A threat actor who is able to create or update a Cloud Function can therefore ride the same build process to obtain the privileges of the default Cloud Build service account.

After the researchers reported the vulnerability, GCP confirmed ConfusedFunction and partially corrected it for accounts created after mid-June 2024; the correction did not, however, cover existing accounts. Google changed the default behaviour so that Cloud Build now uses the Compute Engine default service account, which prevents the exploitation described.

“Specifically, to support backward compatibility, GCP has not changed the privileges from Cloud Build service accounts created before the fix was implemented,” said Liv Matan, Tenable researcher.

During Tenable’s research, the researchers found more techniques to leak the default Cloud Build service account token in the backend process.

One method uses an NPM start script run during the build. Because the Cloud Build steps are also driven by the Cloud Function's source code, anyone with permission to create or update functions can inject malicious code into the build's start script.

In late June, Google released additional organisation policies that give organisations full control over which default service account Cloud Build uses. Cloud service providers build many of their offerings on top of a few core services, which means that a handful of actions in the console can create many different resources that users may not be aware of.
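For a defender wanting to check whether a project is still exposed to the pattern described above (a legacy default Cloud Build service account holding broad roles), the following is an added example, not code from Tenable or Google; it audits a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json`, with the policy and project number constructed here for illustration and the set of roles treated as risky being this example's own choice.

```python
"""Audit a GCP project IAM policy for the legacy default Cloud Build service
account that ConfusedFunction abuses (added example, not from the article)."""
from __future__ import annotations

# Roles this example treats as too broad for a build identity. The legacy
# default Cloud Build SA holds roles/cloudbuild.builds.builder by default;
# the rest are project-wide roles a defender would not want on it.
RISKY_ROLES = {
    "roles/cloudbuild.builds.builder",
    "roles/storage.admin",
    "roles/artifactregistry.admin",
    "roles/editor",
    "roles/owner",
}


def cloud_build_default_sa(project_number: str) -> str:
    """Email of the legacy default Cloud Build service account for a project."""
    return f"{project_number}@cloudbuild.gserviceaccount.com"


def audit_policy(policy: dict, project_number: str) -> list[str]:
    """Return the risky roles bound to the legacy default Cloud Build SA.

    An empty list means the account holds none of RISKY_ROLES at project
    level; a non-empty list is a finding that the mid-June 2024 fix did not
    retroactively remove and that an organisation policy should address."""
    member = "serviceAccount:" + cloud_build_default_sa(project_number)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if member in binding.get("members", []) and role in RISKY_ROLES:
            findings.append(role)
    return sorted(findings)


# Constructed sample policy (not a real project) mimicking gcloud's JSON output.
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                     "user:admin@example.com"]},
        {"role": "roles/logging.viewer",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    for role in audit_policy(SAMPLE_POLICY, SAMPLE_PROJECT_NUMBER):
        print("legacy Cloud Build SA holds risky role:", role)
```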


Arun Maity


Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
