Google Cloud Platform’s ‘ConfusedFunction’ Vulnerability Uncovered by Cybersecurity Researchers
July 25, 2024
Cybersecurity researchers have discovered a privilege escalation vulnerability in the Google Cloud Platform's Cloud Functions service, which has been named 'ConfusedFunction'. This vulnerability could enable an attacker to escalate their privileges to the Default Cloud Build Service Account, thereby gaining unauthorized access to various services such as Cloud Build, Cloud Storage, Artifact Registry and Container Registry.
This unauthorized access could facilitate lateral movement and privilege escalation in a victim's project, enabling the attacker to access, update or even delete unauthorized data. Cloud Functions is a serverless execution environment that allows developers to create specific functions that are triggered in response to specific Cloud events, without the need to manage a server or update frameworks.
The vulnerability stems from the fact that a Cloud Build service account is automatically created and linked to a Cloud Build instance when a Cloud Function is created or updated. Because this service account carries excessive permissions, an attacker could escalate their own privileges to those of the service account.
The attacker could potentially abuse these permissions to access other Google Cloud services that are created alongside the Cloud Function, including Cloud Storage, Artifact Registry, and Container Registry. In a hypothetical attack scenario, 'ConfusedFunction' could be exploited to leak the Cloud Build service account token via a webhook.
Google has updated the default behavior to prevent misuse by having Cloud Build use the Compute Engine default service account. However, these changes do not apply to existing instances. The 'ConfusedFunction' vulnerability highlights the potential issues that can arise from software complexity and inter-service communication in cloud providers' services.
Despite Google's fix reducing the severity of the problem for future deployments, it doesn't entirely eliminate it. This is because the deployment of a Cloud Function still triggers the creation of the aforementioned Google Cloud Platform services. As a result, users still need to assign minimum but relatively broad permissions to the Cloud Build service account as part of a function's deployment.
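Because existing projects keep the old defaults, the practical check for a defender is to look at which roles the default build identities actually hold. The following script is an added example and is not code from the article or from Google; it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` produces and flags bindings that grant broad roles to the default Cloud Build service account (`PROJECT_NUMBER@cloudbuild.gserviceaccount.com`) or to the Compute Engine default service account (`PROJECT_NUMBER-compute@developer.gserviceaccount.com`, which the fixed default now uses for builds). The list of roles treated as "broad" and the sample policy are assumptions constructed for the example.

```python
"""Audit a GCP project IAM policy for over-privileged build service accounts.

Added example (not from the article). Input is the JSON produced by
`gcloud projects get-iam-policy PROJECT --format=json`. It reports every
binding that names a default build identity and marks the ones whose role
reaches far beyond what a function build needs.
"""
import json
import re

# Roles that, on a build service account, give reach well beyond a function
# build. This set is an assumption; extend it to match your own policy.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountTokenCreator",
    "roles/storage.admin",
    "roles/artifactregistry.admin",
}

# The two default identities Cloud Functions deployments have relied on:
# the legacy Cloud Build SA and the Compute Engine default SA.
BUILD_SA_PATTERNS = [
    re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
]


def is_build_identity(member: str) -> bool:
    """True if the IAM member string is one of the default build identities."""
    return any(p.match(member) for p in BUILD_SA_PATTERNS)


def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per (member, role) pair where the member is a
    default build identity. `broad` marks roles from BROAD_ROLES."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if is_build_identity(member):
                findings.append({
                    "member": member,
                    "role": role,
                    "broad": role in BROAD_ROLES,
                    # A condition narrows the grant; surface it for review.
                    "condition": binding.get("condition"),
                })
    return findings


def broad_findings(policy: dict) -> list[dict]:
    """Only the findings that need action: build identities with broad roles."""
    return [f for f in audit_policy(policy) if f["broad"]]


# Constructed sample policy (not real project data): both default build
# identities hold Editor, the Cloud Build SA also holds its builder role,
# and an application SA holds a narrow role that should not be flagged.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                 "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwX-constructed",
  "version": 1
}
""")

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        flag = "BROAD" if f["broad"] else "ok   "
        print(f"{flag} {f['member']} -> {f['role']}")
```

On the constructed policy the script reports three bindings for build identities, two of which (the Editor grants) are broad; the `roles/cloudbuild.builds.builder` grant is listed but not flagged. Run it against a real export by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`; a non-empty `broad_findings` result is the signal to move the function's build to a dedicated, narrowly scoped service account.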
Additionally, other vulnerabilities have been discovered in the Oracle Integration Cloud Platform and the ServiceNow cloud computing platform (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217), highlighting the ongoing security challenges in the cloud computing industry.