Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation

-

 

 


 

On July 19, 2023, cybersecurity researchers made a concerning discovery regarding a privilege escalation vulnerability in Google Cloud. Termed "Bad.Build," the flaw could potentially allow malicious actors to tamper with application images and infect users, resulting in supply chain attacks.

The vulnerability is found in the Google Cloud Build service and was identified by cloud security firm Orca, which subsequently reported the issue. By exploiting this flaw, attackers can impersonate the default Cloud Build service, granting them the ability to manipulate images in the Google Artifact Registry and inject malicious code. Any applications built from these manipulated images could then be affected. The risk extends beyond the supplying organization's environment, potentially impacting their customers' environments, presenting a significant supply chain risk.

Upon responsible disclosure, Google has issued a partial fix. However, the privilege escalation vector has not been entirely eliminated, with Google classifying it as a low-severity issue. As a result, no further customer action is currently required.

The root of the problem lies in Cloud Build's automatic creation of a default service account to carry out builds on behalf of users' projects. This service account comes with excessive permissions, including access to audit logs containing a complete list of all permissions on the project. This information is valuable to attackers as it facilitates lateral movement and privilege escalation within the environment.

To exploit the vulnerability, a malicious actor can abuse permissions obtained through other means to impersonate the Google Cloud Build service account and gain elevated privileges. They can then exfiltrate an image used in Google Kubernetes Engine (GKE) and alter it to incorporate malware. Once the malicious image is deployed, the attacker can run code on the docker container as root, potentially leading to severe consequences.


 

Google's patch focuses on revoking the "logging.privateLogEntries.list" permission from the Cloud Build service account, thereby preventing default access to enumerate private logs.

It's worth noting that this is not the first time privilege escalation flaws impacting the Google Cloud Platform have been reported. In 2020, various techniques were detailed by Gitlab, Rhino Security Labs, and Praetorian that could be exploited to compromise cloud environments.

To mitigate possible risks, customers are advised to monitor the behavior of the default Google Cloud Build service account for any potential malicious activity and apply the principle of least privilege (PoLP) to limit unnecessary access and privileges.

Comments

Post a Comment

Popular posts from this blog

How to Repair Kali Linux grub after installing Windows in Dual boot System

-
Image
If your System has primary OS Windows then you install your secondary OS Kali Linux. That will be OK, Kali Linux puts boot entry of Windows automatically for you. At initial boot menu you can see both OS entry to boot. If your windows is corrupt in dual boot system or if you want to install windows as secondary OS after installing Kali Linux as primary OS. You may face corrupt boot-loader menu. You wont be able to boot Kali Linux any more because Windows wont put entry of Kali Linux automatically in their boot menu. So this post motive is to help those guys which are facing those problems subjecting to corrupt Boot-loader. There are mainly two methods: 1. Repair Grub via Kali Linux live USB. 2. Repair Grub Via Boot-rapair-disk. Method 1# Repair Grub via Kali Linux live USB It is up to you which you want to choose but if you are Linux familiar then go for this method. Requirements 1. A Kali Linux ISO image. You can download here: Download Kali Linux
Read more

PDFCrack - Password Cracking Tool for PDF-files

-
Image
PDFcrack is a GNU/Linux tool for cracking password protected PDF files. It is a very small command line application. It is not preinstalled in kali linux. We can install through command line. For installing pdfcrack open a terminal and enter apt install pdfcrack Syntax and options Usage: pdfcrack -f filename [OPTIONS]           : pdfcrack -f filenmae -w passwordfile.txt OPTIONS : -b, --bench perform benchmark and exit -c, --charset=STRING Use the characters in STRING as charset -w, --wordlist=FILE Use FILE as source of passwords to try -n, --minpw=INTEGER Skip trying passwords shorter than this -m, --maxpw=INTEGER Stop when reaching this passwordlength -l, --loadState=FILE Continue from the state saved in FILENAME -o, --owner Work with the ownerpassword -u, --user Work with the userpassword (default) -p, --password=STRING Give userpassword to speed up breaking ownerpassword (implies -o) -q, --quiet Run quietly -s,
Read more

Avet – Open Source Anti-Virus Evasion Tool

-
Image
When we want to perform an exploitation to a windows target, we need a payload that is undetectable to Antivirus Solutions. Msfvenom on its own is not enough. So we need an AV evasion tool to make this easy for us. Avet is a tool for building exe files with shellcode payloads for antivirus evasion. Installing Avet First clone the repository to our machine. git clone https://github.com/govolution/avet.git   After that go inside the folder and run the setup file to install wine and other missing components. cd avet/       Run the setup file to install the missing components.   ./setup.sh     Select create  for new installation   Running Avet There are two ways to run avet. Run avet by typing the command below. python avet_fabric.py   There are two ways to run avet. Either by compiling the make_avet script as shown below, or by  running the avet_fabric.py script, as shown. gcc -0 make_avet make_avet.c
Read more