A critical design flaw in the Google Cloud Build service discovered by Orca Security can let attackers escalate privileges, providing them with practically full, unauthorized access to Google Artifact Registry code repositories.
Dubbed Bad.Build, the flaw could permit attackers who infiltrate a Google Cloud Build account to run API calls against Artifact Registry and take control of application images, allowing them to inject malicious code that results in vulnerable applications and supply-chain attacks.
- “The first and immediate impact is disrupting the applications relying on these images. This can lead to DoS, data theft and spreading malware to users.
- “As we have seen with the SolarWinds and recent 3CX and MOVEit supply chain attacks, this can have far-reaching consequences,” said Orca security researcher Roi Nisimi.
After Orca reported the issue, the Google Security Team implemented a partial fix: it revoked the logging.privateLogEntries.list permission from the default Cloud Build service account, a permission that is unrelated to Artifact Registry.
- “[…] Google’s fix doesn’t revoke the discovered Privilege Escalation vector. It only limits it – turning it into a design flaw that still leaves organizations vulnerable to the larger supply chain risk,” Nisimi said.
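Because the fix only removes one permission from the default Cloud Build service account, a defender still wants to know what that account can do in their own project. The following audit script is an added example (not Orca's or Google's code): it takes a project IAM policy in the shape returned by `gcloud projects get-iam-policy`, a role-to-permission map in the shape of `gcloud iam roles describe` output, and reports whether the default Cloud Build service account still holds `logging.privateLogEntries.list` and which Artifact Registry write permissions it holds. The project number, policy and role map below are constructed sample data.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# The project number 123456789012 is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/artifactregistry.writer",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]}
  ]
}
""")

# Constructed role -> permission map. In a real audit, fill it from the
# "includedPermissions" field of `gcloud iam roles describe ROLE --format=json`.
SAMPLE_ROLE_PERMISSIONS = {
    "roles/cloudbuild.builds.builder": {"logging.privateLogEntries.list",
                                        "artifactregistry.repositories.downloadArtifacts"},
    "roles/artifactregistry.writer": {"artifactregistry.repositories.uploadArtifacts",
                                      "artifactregistry.repositories.downloadArtifacts"},
    "roles/viewer": {"resourcemanager.projects.get"},
}

LOG_READ = "logging.privateLogEntries.list"  # the permission Google revoked after Orca's report


def default_cloud_build_sa(project_number):
    """IAM member string of a project's default Cloud Build service account."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def permissions_for(member, policy, role_permissions):
    """Union of permissions the member holds through project-level bindings.
    Conditional bindings are treated as unconditional (worst case for the defender)."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= role_permissions.get(binding["role"], set())
    return perms


def audit_cloud_build_sa(project_number, policy, role_permissions):
    """Report whether the default Cloud Build SA can still read private log entries
    and which Artifact Registry permissions it holds that are not read-only."""
    perms = permissions_for(default_cloud_build_sa(project_number), policy, role_permissions)
    ar_writes = sorted(p for p in perms if p.startswith("artifactregistry.")
                       and not p.rsplit(".", 1)[-1].startswith(("get", "list", "download")))
    return {"private_log_read": LOG_READ in perms, "artifact_registry_writes": ar_writes}
```

An account whose report shows `private_log_read` as True has not received Google's fix, and any entries under `artifact_registry_writes` are the registry access that the fix leaves in place.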
Dave Ratner, CEO of HYAS, had this comment:
“Bad.Build is another example of what seems like a growing number of supply chain attacks. These can be incredibly difficult to detect, and equally valuable for attackers to quickly spread across multiple organizations.
“A Protective DNS strategy, deployed across both the corporate and production environments, or wherever the cloud is utilized, can be the early warning signal that anomalous activity is occurring, and can provide the visibility and observability required to implement a business resiliency strategy not just against Bad.Build but against the inevitable supply chain attacks that will follow.”
Hopefully Google does a full fix of this, because this is a pretty bad vulnerability.