ImageRunner: critical privilege escalation vulnerability in Google Cloud Platform
Take action: You can't do much about this flaw. But keep tabs on it so you can evaluate the vendor and their security.
Tenable Research has discovered and reported a critical privilege escalation vulnerability in Google Cloud Platform (GCP) dubbed "ImageRunner." This vulnerability has been fixed as of January 28, 2025.
The flaw affected identities that had edit permissions on Google Cloud Run revisions but lacked registry permissions, allowing them to abuse their privileges to access private container images.
The vulnerability was not assigned a specific CVE identifier or CVSS score in the report. It enabled attackers with specific permissions to gain unauthorized access to private container images stored in Google Artifact Registry and Google Container Registry within the same account.
The exploit leveraged Cloud Run's deployment process, targeting how the service agent pulls container images. Attackers with run.services.update and iam.serviceAccounts.actAs permissions could modify a Cloud Run service to deploy a new revision specifying any private container image within the project, effectively bypassing the normally required permissions:
- Storage Object Viewer
- Artifact Registry Reader
The attack method involved controlling an identity with the run.services.update and iam.serviceAccounts.actAs permissions, then updating a running Cloud Run service with a new revision that specified a private container image in the same project to hijack, injecting malicious instructions as arguments or commands in the service configuration. When the updated container runs, the malicious code executes, compromising the container image.
The vulnerability potentially allowed attackers to:
- Access sensitive or proprietary container images
- Extract secrets stored within private images
- Exfiltrate sensitive data
- Potentially gain access to internal Google images (though this was not confirmed in testing)
Google fixed this vulnerability by implementing a validation check to ensure that the principal (user or service account) creating or updating a Cloud Run resource has explicit permission to access the container image(s). Now, when using Artifact Registry, the principal must have the Artifact Registry Reader (roles/artifactregistry.reader) IAM role on the project or repository containing the container image(s) to deploy.
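The following is an added illustration, not Google's code or Tenable's research tooling. It models the two authorization rules described above: the pre-fix rule, under which only run.services.update and iam.serviceAccounts.actAs on the project gated a deployment, and the post-fix rule, which additionally requires read access to the image's repository. The role-to-permission map is trimmed to the permissions the advisory names (real GCP roles carry many more), and the bindings, project and repository names are constructed. The `exposed_principals` function is the audit a defender would run over their own policy: it lists identities that could have deployed (and therefore read) a private image before the fix but cannot after it.

```python
"""Model of the ImageRunner authorization gap and the validation check that
closed it. Added example; roles, bindings and resource names are constructed."""
from dataclasses import dataclass

# Constructed role -> permission map. Assumption: only permissions relevant to
# the advisory are listed; the real predefined roles are much larger.
ROLE_PERMISSIONS = {
    "roles/run.developer": {"run.services.update", "run.services.get"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/artifactregistry.reader": {"artifactregistry.repositories.downloadArtifacts"},
    "roles/storage.objectViewer": {"storage.objects.get"},
}

# Permissions the advisory says sufficed to trigger the bug ...
DEPLOY_PERMS = {"run.services.update", "iam.serviceAccounts.actAs"}
# ... and the image-read permissions that should have been required as well.
IMAGE_READ_PERMS = {"artifactregistry.repositories.downloadArtifacts", "storage.objects.get"}


@dataclass
class Binding:
    role: str
    members: set      # e.g. "user:dev@example.com"
    resource: str     # "projects/p" or "projects/p/repositories/r"


def permissions_of(member: str, bindings: list, resource: str) -> set:
    """Effective permissions of `member` on `resource`, with the inheritance GCP
    applies: a binding on a project also covers repositories beneath it."""
    perms = set()
    for b in bindings:
        inherited = resource == b.resource or resource.startswith(b.resource + "/")
        if member in b.members and inherited:
            perms |= ROLE_PERMISSIONS.get(b.role, set())
    return perms


def deploy_allowed(member: str, bindings: list, project: str,
                   image_repo: str, post_fix: bool = True) -> bool:
    """Decision for 'update a Cloud Run service to run an image from image_repo'.
    Pre-fix: only the two deploy permissions on the project were checked.
    Post-fix: the principal must also be able to read the image itself."""
    if not DEPLOY_PERMS <= permissions_of(member, bindings, project):
        return False
    if not post_fix:
        return True
    return bool(IMAGE_READ_PERMS & permissions_of(member, bindings, image_repo))


def exposed_principals(bindings: list, project: str, image_repo: str) -> list:
    """Identities that could deploy image_repo under the old rule but not the
    new one: exactly the population the advisory describes."""
    members = {m for b in bindings for m in b.members}
    return sorted(
        m for m in members
        if deploy_allowed(m, bindings, project, image_repo, post_fix=False)
        and not deploy_allowed(m, bindings, project, image_repo, post_fix=True)
    )


# Constructed sample policy: two developers can update services and act as the
# runtime service account, but only one of them may read the private repo.
PROJECT = "projects/demo"
IMAGE_REPO = "projects/demo/repositories/private"
SAMPLE_BINDINGS = [
    Binding("roles/run.developer",
            {"user:dev@example.com", "user:ops@example.com"}, PROJECT),
    Binding("roles/iam.serviceAccountUser",
            {"user:dev@example.com", "user:ops@example.com"}, PROJECT),
    Binding("roles/artifactregistry.reader", {"user:ops@example.com"}, IMAGE_REPO),
]

if __name__ == "__main__":
    for m in ("user:dev@example.com", "user:ops@example.com"):
        print(m,
              "pre-fix:", deploy_allowed(m, SAMPLE_BINDINGS, PROJECT, IMAGE_REPO, post_fix=False),
              "post-fix:", deploy_allowed(m, SAMPLE_BINDINGS, PROJECT, IMAGE_REPO))
    print("exposed before the fix:", exposed_principals(SAMPLE_BINDINGS, PROJECT, IMAGE_REPO))
```

Run as a script, it reports that dev@example.com could deploy the private image before the fix but is refused afterwards, while ops@example.com, who holds Artifact Registry Reader on the repository, is allowed under both rules. Against a real project the same audit would be built from the project's exported IAM policy rather than the constructed bindings here.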
The fix was fully rolled out to production on January 28, 2025. Google notified affected Project, Folder, and Organization owners via a Mandatory Service Announcement during the last week of November 2024 and documented the breaking change in their Release Notes.