Orca: Google Cloud design flaw enables supply chain attacks

A Google Cloud Build design flaw allows attackers to escalate privileges and conduct supply chain attacks under the right circumstances, new research from Orca Security claimed.

The design flaw, which cloud security vendor Orca referred to as "Bad.Build," is a privilege escalation issue. An attacker with access to a victim's Google Cloud Build environment could exploit default permissions to access code repositories and images in Google Cloud's Artifact Registry. With this access, the actor could poison code in the victim's software development environment, which could then go downstream and infect the victim's customers -- creating a supply chain attack.

Orca discovered the flaw during research into the setIamPolicy API call request, which in Google Cloud Platform (GCP) is used to set different user and group roles. Orca security researcher Roi Nisimi, who discovered the issue, wrote in the blog post that each time the call is invoked, "the full Project's permissions are included in the Message Body Request, not just the ones we edited."

"What makes this information so lucrative is that it greatly facilitates lateral movement and privilege escalation in the environment," he wrote. "Knowing which GCP account can perform which action, is equal to solving a great piece of the puzzle on how to launch an attack. It would be extremely dangerous if this permission map ended up in the wrong hands."

Nisimi said one of the roles that the call can list through a logging.privateLogEntries.list action is roles/cloudbuild.builds.builder, the default role assigned to a Google Cloud Build service account. And through three lines of code and a cloudbuild.builds.create permission, which a number of developer roles have, an attacker could gain access to code repositories, including those used in software development. Complete technical details are available in Orca's Tuesday blog post.

Nisimi wrote that after Orca reported the Bad.Build flaw to Google, the tech giant's security team investigated the issue and deployed a partial fix. However, it doesn't revoke the privilege escalation vector.

"The Google Security Team informed us that they were going to keep the default permissions of the Google Cloud Build service account the same (except for the logging.privateLogEntries.list permission), mentioning that it supports the most common development workflows, and emphasized that customers are responsible for locking down access for more advanced scenarios," the blog post read.

Nisimi told TechTarget Editorial that the flaw is still fully exploitable even with the partial mitigation.

"You can look at it as something that will probably never be revoked, because it is within the design of [GCP]," he said. "They decided not to revoke it, so it is a risk within the platform that will stay there forever, creating an opportunity and privilege for attackers to escalate privileges."

Nisimi and Orca advised relevant organizations to "pay close attention to the behavior of the default Google Cloud Build service account" and apply the principle of least privilege.

In a statement to TechTarget Editorial, a Google spokesperson said the tech giant created its vulnerability rewards program "specifically to identify and fix vulnerabilities like this one."

"We are appreciative of Orca and the broader security community's participation in these programs," the statement read. "We appreciate the work of the researchers and have incorporated a fix based on their report as outlined in a security bulletin issued in early June."

Alexander Culafi is a writer, journalist and podcaster based in Boston.