Google Cloud Build Vulnerabilities Open to Potential Supply Chain Attacks

Cloud security firm Orca Security has discovered a critical design flaw in the Google Cloud Build service that could allow attackers to escalate their privileges and gain unauthorized access to Google Artifact Registry repositories.

Dubbed "Bad.Build," the vulnerability could allow a threat actor to impersonate the Google-managed Cloud Build service account, run API calls against Artifact Registry, and take control of application images.

In this way, an attacker could inject malicious code into images that are later deployed into customer environments, enabling a supply chain attack.

Orca Security researcher Roi Nisimi said: "Potential threats may be varied, and all organizations using artifact registries as primary or secondary mirror repositories should be vigilant.

"The most immediate impact is breaking applications that depend on these images. This can also lead to DoS, data theft and spreading malware to users. As we've seen with SolarWinds and more recently with the 3CX and MOVEit supply chain attacks, this can have far-reaching consequences."

The attack chain described by Orca Security starts from the cloudbuild.builds.create permission: a principal that can create builds runs them under the default Cloud Build service account and inherits its privileges, including its Artifact Registry permissions. With those, an attacker can tamper with the Docker images used by Google Kubernetes Engine (GKE) workloads and run code inside the resulting containers as root.

After Orca Security reported the issue, the Google security team implemented a partial fix by revoking the logging.privateLogEntries.list permission from the default Cloud Build service account. That permission is unrelated to Artifact Registry.

However, this measure does not address the underlying weakness in the default service account's Artifact Registry privileges, so the risk of privilege escalation and supply chain attacks remains.

Therefore, enterprises should pay close attention to the permissions Google Cloud grants by default to the Cloud Build service account. Reduce the risk by applying the principle of least privilege and by implementing cloud detection and response capabilities that can identify anomalous build and registry activity.
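A defender's first step is knowing who in a project can create builds and what the default Cloud Build service account can do with the registry, since the article's escalation path is the combination of the two. The following Python script is an added example (not code from the article, Orca Security or Google): it runs offline over a constructed IAM policy document in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and flags the combination of build-creating principals and a default Cloud Build service account holding registry-write roles. The role-to-capability mapping is an assumption based on the names of Google's predefined roles and should be checked against the current role definitions before relying on it.

```python
"""Audit a GCP project IAM policy for the Cloud Build escalation pattern.

Added example, not from the article or from Orca Security / Google. Input is a
constructed policy in the shape of `gcloud projects get-iam-policy --format=json`.
"""
import json
import re

# Naming pattern of the default Cloud Build service account (real GCP convention).
DEFAULT_CLOUDBUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Roles assumed to allow pushing or overwriting images in Artifact Registry.
# roles/cloudbuild.builds.builder is the role the default service account gets
# and is included because it carries registry upload permissions (assumption;
# verify against the current predefined-role documentation).
REGISTRY_WRITE_ROLES = {
    "roles/cloudbuild.builds.builder",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
    "roles/editor",
    "roles/owner",
}

# Roles assumed to include cloudbuild.builds.create, the entry point named above.
BUILD_CREATE_ROLES = {
    "roles/cloudbuild.builds.editor",
    "roles/editor",
    "roles/owner",
}


def audit_policy(policy: dict) -> dict:
    """Return which principals can create builds, what the default Cloud Build
    service account holds, and whether the two together form an escalation path."""
    build_creators = set()
    default_sa_roles = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BUILD_CREATE_ROLES:
                build_creators.add(member)
            if DEFAULT_CLOUDBUILD_SA.match(member):
                default_sa_roles.setdefault(member, set()).add(role)

    # Default service accounts whose roles let them write to the registry.
    writable_defaults = sorted(
        sa for sa, roles in default_sa_roles.items() if roles & REGISTRY_WRITE_ROLES
    )
    return {
        "build_creators": sorted(build_creators),
        "default_sa_roles": {sa: sorted(roles) for sa, roles in default_sa_roles.items()},
        "default_sa_registry_write": writable_defaults,
        # Anyone who can create builds inherits the default SA's registry write.
        "escalation_path": bool(build_creators) and bool(writable_defaults),
    }


# Constructed sample policy: a default Cloud Build SA with its default role,
# two human principals who can create builds, and an unrelated read-only SA.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.builds.editor",
     "members": ["user:dev@example.com", "group:ci-operators@example.com"]},
    {"role": "roles/artifactregistry.reader",
     "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

if __name__ == "__main__":
    findings = audit_policy(SAMPLE_POLICY)
    print(json.dumps(findings, indent=2))
    if findings["escalation_path"]:
        print("WARNING: build creators inherit registry-write access via the default "
              "Cloud Build service account; use a dedicated least-privilege service account.")
```

Run it against a real export by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`. When `escalation_path` is true, the remediation the article points to is to stop relying on the default service account: run builds under a dedicated service account that holds only the roles each pipeline needs, and alert on build creations and registry pushes from principals outside the expected set.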

On July 18 (EST), Google issued the following statement:

"We created a bug bounty program specifically to identify and fix similar vulnerabilities. We are very grateful to Orca and the wider security community for participating in these initiatives. We thank the researchers for their work and, based on their reports, a fix has been included in a security bulletin published in early June."


Reprinted from: blog.csdn.net/FreeBuf_/article/details/131814487