Tenable reveals GCP vulnerability
Tenable Research has discovered a privilege escalation vulnerability within Google Cloud Platform capable of allowing malicious actors to bypass permissions and access private container images.
The vulnerability, which has since been patched, involved identities that lack registry permissions but have edit permissions on Google Cloud Run revisions. Tenable has named the exploit ‘ImageRunner’.
Exploiting the vulnerability could have allowed identities to abuse the revision edit permissions in order to pull private Google Artifact Registry and Google Container Registry images in the same account, Tenable Senior Security Researcher Liv Matan revealed in a blog post.
Google’s Cloud Run is a fully managed service for running containerised applications in serverless environments, while Container Registry was deprecated in favour of Artifact Registry; both services are designed to store and manage container images. When Cloud Run is used, it retrieves a container image from the registry and uses it to deploy an application.
Through the vulnerability, if an attacker gained permissions within a victim’s project they would have been able to modify a Cloud Run service and deploy a new revision, and in doing so specify any private container image within the same project for the service to pull. This could potentially have allowed attackers to access sensitive or proprietary images by bypassing permissions required to pull private images from the registry.
By injecting instructions into the service configuration as container arguments or commands during the service update, an attacker could have had their own code execute in the deployed container, potentially compromising the container image, Matan said.
He said the exploit exemplifies what Tenable has coined the Jenga Concept, after the popular block game, which refers to the tendency of cloud providers to build services on top of one another, so that security risks in one layer cascade into other services.
“In the game of Jenga, removing a single block can undermine the entire structure,” he said. “Cloud services function similarly; if one component has risky default settings, those risks can trickle down to dependent services, increasing the risk of security breaches.”
The exploit could also potentially have enabled attackers to exfiltrate critical data for cyber espionage or other malicious activities.
While Google has remediated the vulnerability, Tenable is recommending organisations follow the least privilege model to prevent unnecessary permission inheritance. It is also best practice to map hidden dependencies between cloud services and regularly review logs to detect suspicious access patterns, Matan said.
“The discovery of ImageRunner reinforces the need for proactive cloud security measures. As cloud environments grow more complex, security teams must anticipate and mitigate risks before attackers exploit them,” he said.
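The log-review recommendation above can be turned into a concrete check. The following is an added example, not Tenable's or Google's code: it parses a few constructed Cloud Audit Log entries shaped like Cloud Run `Services.UpdateService` records, compares the principal who deployed the revision against a constructed IAM policy snapshot, and flags deployments that pull a private Artifact Registry or Container Registry image from an identity holding no registry read role (the ImageRunner pattern described in the article). The audit-log method names, role names and JSON field paths are assumptions drawn from public GCP documentation and should be verified against a real project's logs before use.

```python
"""Flag Cloud Run revision deployments that pull private registry images from
principals without registry read permissions.

Added example (not Tenable's or Google's code). All log entries and the IAM
policy below are CONSTRUCTED; method names, roles and field paths are
assumptions to be checked against real Cloud Audit Logs.
"""
import json
import re

# Assumption: admin-activity audit log method names for Cloud Run deploys.
UPDATE_METHODS = {
    "google.cloud.run.v2.Services.UpdateService",
    "google.cloud.run.v2.Services.CreateService",
    "google.cloud.run.v1.Services.ReplaceService",
}

# Assumption: roles that legitimately grant image pulls. GCR images are
# backed by Cloud Storage buckets, hence the objectViewer role.
REGISTRY_READ_ROLES = {
    "roles/artifactregistry.reader",
    "roles/storage.objectViewer",
    "roles/owner",
    "roles/editor",
}

# Private registry hosts: <region>-docker.pkg.dev (Artifact Registry) and
# gcr.io / us.gcr.io / eu.gcr.io / asia.gcr.io (Container Registry).
PRIVATE_REGISTRY_RE = re.compile(r"^([a-z0-9-]+-docker\.pkg\.dev|(?:[a-z]+\.)?gcr\.io)/")

# Constructed IAM policy snapshot: principal -> granted roles.
IAM_POLICY = {
    "deployer@example.iam.gserviceaccount.com": {
        "roles/run.developer", "roles/artifactregistry.reader"},
    "intern@example.com": {"roles/run.developer"},
}

# Constructed audit log entries (JSON lines), trimmed to the fields used here.
SAMPLE_LOG = """
{"protoPayload": {"methodName": "google.cloud.run.v2.Services.UpdateService", "authenticationInfo": {"principalEmail": "deployer@example.iam.gserviceaccount.com"}, "request": {"service": {"template": {"containers": [{"image": "us-docker.pkg.dev/proj/app/web:1.2"}]}}}}, "resource": {"labels": {"service_name": "web"}}}
{"protoPayload": {"methodName": "google.cloud.run.v2.Services.UpdateService", "authenticationInfo": {"principalEmail": "intern@example.com"}, "request": {"service": {"template": {"containers": [{"image": "us-docker.pkg.dev/proj/secrets/internal-tool:latest", "args": ["--debug"]}]}}}}, "resource": {"labels": {"service_name": "web"}}}
{"protoPayload": {"methodName": "google.cloud.run.v2.Services.GetService", "authenticationInfo": {"principalEmail": "intern@example.com"}}, "resource": {"labels": {"service_name": "web"}}}
"""


def parse_entries(text):
    """Parse newline-delimited JSON audit log entries."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def extract_containers(entry):
    """Return (image, entrypoint_overridden) for each container in the revision template."""
    template = (entry.get("protoPayload", {}).get("request", {})
                .get("service", {}).get("template", {}))
    return [(c.get("image", ""), bool(c.get("command") or c.get("args")))
            for c in template.get("containers", [])]


def has_registry_read(principal, policy):
    """True if the principal holds any role that allows pulling images directly."""
    return bool(policy.get(principal, set()) & REGISTRY_READ_ROLES)


def find_suspicious_deploys(entries, policy):
    """Deploys of private images by principals lacking registry read access.

    An overridden command/args on such a deploy is recorded as an extra
    signal, since the article notes injected arguments as the execution path.
    """
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") not in UPDATE_METHODS:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        service = entry.get("resource", {}).get("labels", {}).get("service_name", "")
        for image, overridden in extract_containers(entry):
            if PRIVATE_REGISTRY_RE.match(image) and not has_registry_read(principal, policy):
                findings.append({
                    "service": service,
                    "principal": principal,
                    "image": image,
                    "entrypoint_override": overridden,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_deploys(parse_entries(SAMPLE_LOG), IAM_POLICY):
        print(json.dumps(finding))
```

In a real deployment the IAM snapshot would come from the project's IAM policy (including roles inherited from folder and organisation level) rather than a hard-coded dict, and the entries from a log sink; the logic stays the same: a revision update is only unremarkable when the deploying identity could already have pulled the image on its own.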