The IT Nerd

Partial-patch on Google’s Cloud Build bug leaves supply chain risk 


A critical design flaw in the Google Cloud Build service discovered by Orca Security can let attackers escalate privileges, providing them with practically full, unauthorized access to Google Artifact Registry code repositories.

Dubbed Bad.Build, the flaw could permit attackers to infiltrate a Google Cloud Build account, run API calls against the Artifact Registry, and take control of application images, allowing them to inject malicious code and resulting in vulnerable applications and supply chain attacks.

After Orca reported the issue, the Google Security Team implemented a partial fix by revoking the logging.privateLogEntries.list permission from the default Cloud Build Service Account; that permission is unrelated to Artifact Registry.
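The practical defender's question raised by the partial fix is which permissions the default Cloud Build service account still holds in a given project. The script below is an added example, not code from the post, Orca or Google: it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` produces, resolves each binding's role to its permissions, and flags any watched permission granted to the default Cloud Build service account (`PROJECT_NUMBER@cloudbuild.gserviceaccount.com`). The sample policy, the role-to-permission map and the project number are constructed for the example; only `logging.privateLogEntries.list` comes from the post, and the Artifact Registry permission names in the watchlist are illustrative choices for what a build identity should not need.

```python
"""Audit an exported IAM policy for an over-privileged Cloud Build service account.

Added example (not from the original post, Orca or Google). Input is the JSON
shape written by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

# Permissions worth watching on a build identity. The logging permission is
# the one named in the post; the Artifact Registry write/admin permissions
# are illustrative choices for this example.
WATCHED_PERMISSIONS = {
    "logging.privateLogEntries.list",
    "artifactregistry.repositories.uploadArtifacts",
    "artifactregistry.repositories.deleteArtifacts",
    "artifactregistry.repositories.setIamPolicy",
}

# Constructed role -> permission map (assumption, not the real role contents).
# Real roles carry far more permissions; in practice build this map from
# `gcloud iam roles describe ROLE --format=json` for every role in the policy.
ROLE_PERMISSIONS = {
    "roles/cloudbuild.builds.builder": {
        "logging.privateLogEntries.list",  # assumed still granted in this sample
        "artifactregistry.repositories.uploadArtifacts",
        "artifactregistry.repositories.downloadArtifacts",
    },
    "roles/artifactregistry.reader": {
        "artifactregistry.repositories.downloadArtifacts",
    },
}

# Constructed sample policy export; the project number is made up.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/artifactregistry.reader",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
                     "user:dev@example.com"]},
    ]
})


def is_cloud_build_default_sa(member: str) -> bool:
    """True for the default Cloud Build service account member string."""
    return (member.startswith("serviceAccount:")
            and member.endswith("@cloudbuild.gserviceaccount.com"))


def audit_policy(policy_json: str, role_permissions: dict, watched: set) -> list:
    """Return sorted (member, role, permission) triples for every watched
    permission that a binding grants to a Cloud Build default service account.

    Roles missing from role_permissions (e.g. unresolved custom roles) are
    treated as granting nothing, so resolve every role before trusting a
    clean result.
    """
    policy = json.loads(policy_json)
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        hits = role_permissions.get(role, set()) & watched
        if not hits:
            continue
        for member in binding.get("members", []):
            if is_cloud_build_default_sa(member):
                for perm in hits:
                    findings.add((member, role, perm))
    return sorted(findings)


if __name__ == "__main__":
    for member, role, perm in audit_policy(
            SAMPLE_POLICY_JSON, ROLE_PERMISSIONS, WATCHED_PERMISSIONS):
        print(f"{member} holds {perm} via {role}")
```

On the constructed sample the audit reports two findings, both through `roles/cloudbuild.builds.builder`: the log-listing permission and the Artifact Registry upload permission. Against a real project, feed the script the saved `gcloud` output and a role map built from `gcloud iam roles describe`; a finding on the upload or IAM-policy permissions is the signal that the build identity can still rewrite images, which is exactly the exposure the partial fix leaves open. Note that bindings with an IAM condition are reported as if unconditional, which errs on the side of flagging.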

Dave Ratner, CEO of HYAS, had this comment:

“Bad.Build is another example of what seems like a growing number of supply chain attacks. These can be incredibly difficult to detect, and equally valuable for attackers to quickly spread across multiple organizations.

“A Protective DNS strategy, deployed across both the corporate and production environments, or wherever the cloud is utilized, can be the early warning signal that anomalous activity is occurring, and can provide the visibility and observability required to implement a business resiliency strategy not just against Bad.Build but against the inevitable supply chain attacks that will follow.”

Hopefully Google does a full fix of this, because this is a pretty bad vulnerability.
