Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform’s Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner.
Tenable has given the vulnerability the name ConfusedFunction.
“An attacker could escalate their privileges to the Default Cloud Build Service Account and access numerous services such as Cloud Build, storage (including the source code of other functions), artifact registry and container registry,” the exposure management company said in a statement.
“This access allows for lateral movement and privilege escalation in a victim’s project, to access unauthorized data and even update or delete it.”
Cloud Functions refers to a serverless execution environment that allows developers to create single-purpose functions that are triggered in response to specific Cloud events without the need to manage a server or update frameworks.
The problem discovered by Tenable has to do with the fact that a Cloud Build service account is created in the background and linked to a Cloud Build instance by default when a Cloud Function is created or updated.
This service account opens the door for potential malicious activity owing to its excessive permissions, thereby allowing an attacker with access to create or update a Cloud Function to leverage this loophole and escalate their privileges to the service account.
This permission could then be abused to access other Google Cloud services that are also created in tandem with the Cloud Function, including Cloud Storage, Artifact Registry, and Container Registry. In a hypothetical attack scenario, ConfusedFunction could be exploited to leak the Cloud Build service account token via a webhook.
Following responsible disclosure, Google has updated the default behavior such that Cloud Build uses the Compute Engine default service account to prevent misuse. However, it’s worth noting that these changes don’t apply to existing instances.
“The ConfusedFunction vulnerability highlights the problematic scenarios that may arise due to software complexity and inter-service communication in a cloud provider’s services,” Tenable researcher Liv Matan said.
“While the GCP fix has reduced the severity of the problem for future deployments, it did not completely eliminate it. That’s because the deployment of a Cloud Function still triggers the creation of the aforementioned GCP services. As a result, users must still assign minimal but still relatively broad permissions to the Cloud Build service account as part of a function’s deployment.”
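One way to act on the point Matan raises, as an added example that is not Tenable’s or Google’s code: a small Python audit over a project’s IAM policy JSON (the shape `gcloud projects get-iam-policy PROJECT --format=json` prints) that lists which roles the default Cloud Build service account holds beyond an assumed minimal set. The sample policy, the project number and the allow-list of acceptable roles are constructed for the example.

```python
"""Audit the roles bound to a project's default Cloud Build service account.
Added example (not Tenable's or Google's code). The JSON shape is that of
`gcloud projects get-iam-policy PROJECT --format=json`; the sample policy
and the allow-list of acceptable build roles are constructed assumptions."""
import json

# The default Cloud Build identity is keyed by project *number*, not project ID.
CLOUDBUILD_SA = "serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"

# Roles judged acceptable for a build identity (assumption; tighten to your needs).
ALLOWED_ROLES = {"roles/cloudbuild.builds.builder", "roles/logging.logWriter"}

# Constructed sample policy; the project number 123456789012 is made up.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "user:admin@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
  ],
  "etag": "etag-placeholder",
  "version": 1
}
"""

def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role in which the member appears across all bindings."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def audit_cloudbuild_sa(policy: dict, project_number: str) -> dict:
    """Split the Cloud Build SA's roles into allowed and excess (sorted lists)."""
    member = CLOUDBUILD_SA.format(project_number=project_number)
    roles = roles_for_member(policy, member)
    return {"member": member,
            "allowed": sorted(roles & ALLOWED_ROLES),
            "excess": sorted(roles - ALLOWED_ROLES)}

def sample_audit() -> dict:
    """Run the audit over the constructed sample policy."""
    return audit_cloudbuild_sa(json.loads(SAMPLE_POLICY_JSON), "123456789012")

if __name__ == "__main__":
    # Excess roles are the ones to remove or move to a dedicated, narrowly scoped build SA.
    print(json.dumps(sample_audit(), indent=2))
```

Roles bound to the Compute Engine default service account are deliberately left out of this report; run the same function with that member string if your project already uses the post-fix default.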
The development comes as Outpost24 detailed a medium-severity cross-site scripting (XSS) flaw in the Oracle Integration Cloud Platform that could be weaponized to inject malicious code into the application.
The flaw, which is rooted in the handling of the “consumer_url” parameter, was resolved by Oracle in its Critical Patch Update (CPU) released earlier this month.
“The page for creating a new integration, found at https://.integration.ocp.oraclecloud.com/ic/integration/home/faces/link?page=integration&consumer_url=
“This meant that an attacker would only need to identify the instance-id of the specific integration platform to deliver a functional payload to any user of the platform. Consequently, the attacker could bypass the requirement of knowing a specific integration ID, which is typically accessible only to logged-in users.”
It also follows Assetnote’s discovery of three security vulnerabilities in the ServiceNow cloud computing platform (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217) that could be fashioned into an exploit chain in order to gain full database access and execute arbitrary code within the context of the Now Platform.
The ServiceNow shortcomings have since come under active exploitation by unknown threat actors as part of a “global reconnaissance campaign” designed to gather database details, such as user lists and account credentials, from susceptible instances.
The activity, targeting companies in various industry verticals such as energy, data centers, software development, and government entities in the Middle East, could be leveraged for “cyber espionage and further targeting,” Resecurity said.
(The story was updated after publication to include details about active exploitation of ServiceNow flaws.)