Tenable reports possible compromise vector in Google Cloud Functions
Take action: If your Google Cloud deployment uses Google Cloud Functions, an attacker who can create or update a function could use it to escalate privileges and move laterally within your project. Unfortunately, Google's fix does not apply to already-deployed instances. If you want to lock down this risk, you will need to re-deploy your Google Cloud Functions instance, which is not a trivial thing for a production platform. At the very least, go through the analysis carefully and make an educated decision.
Tenable cybersecurity researchers have uncovered a privilege escalation vulnerability in Google Cloud Platform's (GCP) Cloud Functions service, named ConfusedFunction.
The vulnerability allows attackers to gain unauthorized access to other services and sensitive data within a victim's GCP project. It stems from the default creation and linking of a Cloud Build service account whenever a Cloud Function is created or updated.
This service account, having excessive permissions, can be exploited by an attacker with access to create or update a Cloud Function. By using this loophole, an attacker can escalate their privileges to the Default Cloud Build Service Account and subsequently access multiple GCP services, including:
- Cloud Build
- Cloud Storage (potentially including source code of other functions)
- Artifact Registry
- Container Registry
This level of access permits lateral movement and further privilege escalation within the victim’s project, enabling the attacker to read, update, or delete unauthorized data. A specific attack scenario could involve leaking the Cloud Build service account token via a webhook.
Google has updated the default behavior to use the Compute Engine default service account for Cloud Build to mitigate potential misuse. However, these changes do not apply to existing instances, and deploying a Cloud Function still creates the associated GCP services.
While Google's fix reduces the severity for future deployments, it does not completely resolve the issue due to the inherent permissions required for Cloud Function deployments.
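Because the fix only changes defaults for new deployments, an inventory of which existing functions still build with a project-wide default service account is the first step toward the redeployment described above. The following audit is an added example, not code from Tenable or Google: it walks a list of function descriptions in the shape of `gcloud functions describe --format=json` output and flags any whose build service account is unset or is one of the two default accounts. The `buildConfig.serviceAccount` field is assumed from the Cloud Functions v2 API; the project, function names and project number in the sample are constructed.

```python
import json
import re
from typing import Dict, List

# Constructed sample, trimmed to the fields the audit needs. The
# buildConfig.serviceAccount field follows the v2 API format
# projects/{project}/serviceAccounts/{email}; values are made up.
SAMPLE_FUNCTIONS: List[Dict] = json.loads("""
[
  {"name": "projects/demo-proj/locations/us-central1/functions/legacy-fn",
   "buildConfig": {"serviceAccount":
     "projects/demo-proj/serviceAccounts/123456789012@cloudbuild.gserviceaccount.com"}},
  {"name": "projects/demo-proj/locations/us-central1/functions/unset-fn",
   "buildConfig": {}},
  {"name": "projects/demo-proj/locations/us-central1/functions/hardened-fn",
   "buildConfig": {"serviceAccount":
     "projects/demo-proj/serviceAccounts/fn-build@demo-proj.iam.gserviceaccount.com"}}
]
""")

# Legacy default used by Cloud Build (the ConfusedFunction target) and the
# Compute Engine default that Google now substitutes for new deployments.
CLOUD_BUILD_DEFAULT = re.compile(r"^\d+@cloudbuild\.gserviceaccount\.com$")
COMPUTE_DEFAULT = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def build_sa_email(function: Dict) -> str:
    """Return the bare e-mail of the build service account, or '' if unset."""
    sa = function.get("buildConfig", {}).get("serviceAccount", "")
    return sa.rsplit("/", 1)[-1]  # strip the projects/.../serviceAccounts/ prefix


def classify(function: Dict) -> str:
    """Label a function by the kind of service account its build step runs as."""
    email = build_sa_email(function)
    if email == "":
        return "default-unset"          # inherits whichever project default applies
    if CLOUD_BUILD_DEFAULT.match(email):
        return "cloud-build-default"    # the over-privileged account in the report
    if COMPUTE_DEFAULT.match(email):
        return "compute-default"        # Google's new default; still project-wide
    return "dedicated"                  # explicitly scoped build account


def audit(functions: List[Dict]) -> Dict[str, str]:
    """Map each function's short name to its classification."""
    return {f["name"].rsplit("/", 1)[-1]: classify(f) for f in functions}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_FUNCTIONS).items():
        print(f"{name}: {verdict}")
```

Anything other than `dedicated` is a candidate for redeployment with an explicitly scoped build service account; feed the script the real `describe` output for each function in your project.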