
Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run.
“The vulnerability could have allowed such identities to exploit Google Cloud Run revision edit permissions to pull Google Artifact Registry and Google Container Registry images in the same account.”
The security shortcoming has been codenamed ImageRunner by the cybersecurity company Tenable. Following responsible disclosure, Google addressed the issue as of January 28, 2025.
Google Cloud Run is a fully managed service for running containerized applications in a scalable serverless environment. When the technology is used to run a service, container images are retrieved from Artifact Registry (or Docker Hub) by specifying an image URL and are then deployed.

The problem is that an identity can lack permissions on the container registry while still holding edit permissions on Google Cloud Run revisions.
A new revision is created each time a Cloud Run service is deployed or updated, and every time a Cloud Run revision is deployed, a service agent account is used to pull the required images.
“If an attacker obtains certain permissions within the victim’s project, particularly the run.services.update and iam.serviceAccounts.actAs permissions, they can modify the Cloud Run service and deploy new revisions,” explained Matan. “In doing so, they could specify private container images within the same project for the service to pull.”
This, in turn, could allow attackers to access sensitive or proprietary images stored in the victim’s registry and even inject malicious instructions that, when executed, could be abused to extract secrets, exfiltrate sensitive data, or open a reverse shell to a machine under their control.
The patch released by Google ensures that a user or service account creating or updating a Cloud Run resource has explicit permission to access the container images.
“Principals (users or service accounts) who create or update Cloud Run resources now require explicit permission to access container images,” the tech giant said in its January 2025 Cloud Run release notes.
“If you use Artifact Registry, make sure that the principal has the Artifact Registry Reader (roles/artifactregistry.reader) role on the repository that contains the container images you want to deploy.”
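To make the authorization gap concrete, here is an added Python model (not Tenable's or Google's code) of the deploy check before and after the fix, together with an audit of a constructed set of project IAM bindings for principals that can update revisions but cannot read images. The role-to-permission map is a constructed subset of the real predefined roles, and the service agent is simplified to a principal that can read images.

```python
# Constructed subset of Google Cloud predefined roles: real role and
# permission names, but only the few permissions this model needs.
ROLE_PERMISSIONS = {
    "roles/run.developer": {"run.services.update"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/artifactregistry.reader": {"artifactregistry.repositories.downloadArtifacts"},
}
DEPLOY_PERMS = {"run.services.update", "iam.serviceAccounts.actAs"}
PULL_PERM = "artifactregistry.repositories.downloadArtifacts"

def permissions_of(roles):
    """Expand roles into the set of permissions they grant."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def authorize_deploy(principal_roles, service_agent_roles, patched):
    """Decide whether deploying a revision that pulls a private image succeeds."""
    caller = permissions_of(principal_roles)
    if not DEPLOY_PERMS <= caller:
        return False  # cannot update the service or act as its runtime account
    if PULL_PERM not in permissions_of(service_agent_roles):
        return False  # the service agent performs the pull, so it must read images
    if patched and PULL_PERM not in caller:
        return False  # the fix: the principal itself needs explicit image access
    return True

def find_exposed_principals(bindings):
    """Members who can deploy revisions but lack image-read permission."""
    roles_by_member = {}
    for binding in bindings:
        for member in binding["members"]:
            roles_by_member.setdefault(member, set()).add(binding["role"])
    return sorted(
        member for member, roles in roles_by_member.items()
        if DEPLOY_PERMS <= permissions_of(roles)
        and PULL_PERM not in permissions_of(roles))

# Constructed sample project IAM policy bindings (not from a real project).
SAMPLE_BINDINGS = [
    {"role": "roles/run.developer",
     "members": ["user:dev@example.com", "user:ops@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:dev@example.com", "user:ops@example.com"]},
    {"role": "roles/artifactregistry.reader", "members": ["user:ops@example.com"]},
]
# Service agent modelled simply as a principal that can read images.
SERVICE_AGENT_ROLES = ["roles/artifactregistry.reader"]
```

On the sample bindings, `find_exposed_principals` flags only `user:dev@example.com`: the one principal that, before the fix, could have had private images pulled on its behalf by the service agent.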
Tenable characterizes ImageRunner as an instance of what it calls Jenga, a class of security risk that arises from the interconnected nature of various cloud services.
“Cloud providers build services on top of other existing services,” says Matan. “If one service is attacked or compromised, the services built on it inherit the risk and become equally vulnerable.”
“This scenario opens the door for attackers to discover new privilege escalation opportunities and vulnerabilities, and introduces new hidden risks for defenders.”

This disclosure comes just a few weeks after Praetorian detailed several ways in which Azure virtual machines and their managed identities could be abused, including executing commands on an Azure VM associated with an administrative managed identity and logging in to an Azure VM associated with an administrative managed identity.
“After obtaining the subscription owner role, an attacker may be able to broadly control all subscription resources and find a privilege escalation path to an Entra ID tenant.”
“This path depends on the victim subscription’s compute resources having service principals with Entra ID permissions that can escalate to Global Administrator.”