Tenable has discovered a ConfusedFunction vulnerability in the Google Cloud Platform (GCP). The company says the vulnerability involves the Google’s Cloud Function serverless compute service and its Cloud Build CI/CD pipeline service. It says Google has remediated ConfusedFunction for future Cloud Build accounts. However, existing Cloud Build instances remain at risk, with immediate evasive action required.
“The ConfusedFunction vulnerability highlights the problematic scenarios that may arise due to software complexity and inter-service communication in a cloud provider’s services,” said Tenable senior research engineer Liv Matan. “To support backward compatibility, GCP has not changed the privileges from Cloud Build service accounts created before the fix was implemented. This means that the vulnerability is still affecting existing instances, and we highly recommend customers take immediate action.”
Cloud Functions in GCP are event-triggered, serverless functions. They automatically scale and execute code in response to specific events like HTTP requests or data changes. When a GCP user creates or updates a Cloud Function, a multi-step backend process is triggered. This process, among other things, attaches a default Cloud Build service account to the Cloud Build instance that is created as part of the function’s deployment. This default Cloud Build service account gives the user excessive permissions. This process happens in the background and isn’t something that ordinary users would be aware of.
An attacker who gains access to create or update a Cloud Function can take advantage of the function’s deployment process to escalate privileges to the default Cloud Build service account and other GCP services including Cloud Storage, and Artifact Registry or Container Registry. By exploiting the deployment flow and the flawed trust between services an attacker could run code as the default Cloud Build service account.
GCP confirmed it had remediated ConfusedFunction, to some extent, for Cloud Build accounts created after February 14, 2024. While the fix has reduced the severity of the problem for future deployments, it hasn’t completely eliminated it. For every cloud function using the legacy Cloud Build service account, the advice is to replace it with a least-privilege service account.
