Knowledge

Design consideration example: Google Cloud Build vulnerability to malicious code injection

Take action: When designing or reviewing an application, consider what details your unauthenticated or shared-access endpoints can expose about other components of the system or about other users, because that knowledge can be used as a stepping stone for further attacks.


Learn More

Security researchers have identified a critical vulnerability called Bad.Build in Google Cloud Build. Google Cloud Build is a service for building and storing software artifacts like packages and container images.

The flaw allows attackers to manipulate and inject malicious code into container images stored in Artifact Registry. Any applications using these compromised container images are at risk of being infected with malware, data manipulation, data theft or denial-of-service attacks.

How did this vulnerability come to be?

The vulnerability is primarily a design issue related to default permissions associated with Google Cloud Build. The overly permissive default settings provide attackers with an avenue to access audit logs containing a comprehensive list of permissions for all Google Cloud Platform (GCP) accounts in a specific Google Cloud Build "Project."

So what?

Knowing which GCP account can execute particular actions essentially solves a significant piece of the puzzle for launching an attack - that account can be targeted using spear phishing, extortion or social engineering, or someone close to the account holder can be targeted as an intermediary step in the attack.

Executing just three lines of code enables the attacker to build a public Gcloud image on the Cloud Build servers and exploit the Cloud Build Service Account's actions, escalating privileges and executing any allowed action.

In response to the issue, Google issued a fix that removes the logging permission from the default Google Cloud Build service role, thus preventing access to audit logs listing the entire Project's permissions each time changes are made. However, there are several other roles with the cloudbuild.builds.create permission that can be exploited in the same manner.

Google's advisory explained that when users enable the Cloud Build API, the service automatically creates a default service account for executing builds on their behalf. This Cloud Build service account had previously been granted access to private logs by default, but as part of the fix, this permission has been revoked to adhere to the security principle of least privilege.
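As an added example (not code from the original write-up or from Google), the script below audits a project IAM policy for the two conditions described above: whether the Cloud Build service account still holds any logging permission, and which principals hold cloudbuild.builds.create and can therefore submit builds that run as that service account. The policy and the role-to-permission map are constructed sample data shaped like the JSON from `gcloud projects get-iam-policy` and `gcloud iam roles describe`; the role contents are an assumption for illustration, not Google's real role definitions.

```python
"""Audit a GCP project IAM policy for the two Cloud Build conditions discussed
above. All data here is constructed sample input, not taken from a real project."""
from collections import defaultdict

# Constructed: the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# The member in the first binding uses the default Cloud Build service account
# naming pattern (PROJECT_NUMBER@cloudbuild.gserviceaccount.com).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:dev@example.com", "group:ci-admins@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:auditor@example.com"]},
    ]
}

# Constructed role -> permission map (assumption; obtain the real contents with
# `gcloud iam roles describe ROLE` and feed them in instead).
SAMPLE_ROLE_PERMS = {
    "roles/cloudbuild.builds.builder": {"cloudbuild.builds.create",
                                        "artifactregistry.repositories.uploadArtifacts",
                                        "logging.privateLogEntries.list"},
    "roles/cloudbuild.builds.editor": {"cloudbuild.builds.create", "cloudbuild.builds.get"},
    "roles/viewer": {"cloudbuild.builds.get", "logging.logEntries.list"},
}


def permissions_by_member(policy, role_perms):
    """Flatten bindings into member -> set of effective permissions."""
    perms = defaultdict(set)
    for binding in policy["bindings"]:
        for member in binding["members"]:
            perms[member] |= role_perms.get(binding["role"], set())
    return perms


def build_creators(policy, role_perms):
    """Principals able to submit builds, i.e. to run code as the build service account."""
    return sorted(m for m, p in permissions_by_member(policy, role_perms).items()
                  if "cloudbuild.builds.create" in p)


def build_sa_log_permissions(policy, role_perms, build_sa):
    """Logging permissions the build service account still holds (expected empty after the fix)."""
    perms = permissions_by_member(policy, role_perms).get(build_sa, set())
    return sorted(p for p in perms if p.startswith("logging."))
```

Run it against the real output of the two gcloud commands to see which principals would need the same least-privilege review as the default service account.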
