Cloud Security, Threat Intelligence

Significant compromise possible with novel Google Cloud vulnerability


Threat actors could gain unauthorized access to other services and data by exploiting the new "ConfusedFunction" privilege escalation vulnerability in Google Cloud Platform's Cloud Functions service, The Hacker News reports.

The issue stems from the background creation of a Cloud Build service account and its default connection to a Cloud Build instance whenever a Cloud Function is created or updated. Attackers could leverage it to infiltrate other Google Cloud services, including Container Registry, Cloud Storage, and Artifact Registry, according to Tenable researchers, who discovered and reported the flaw. While Google has already ensured Cloud Build's usage of the Compute Engine default service account to prevent compromise, the fix doesn't completely resolve the issue and still requires minimum but broad Cloud Build service account permissions, noted Tenable researcher Liv Matan. "The ConfusedFunction vulnerability highlights the problematic scenarios that may arise due to software complexity and inter-service communication in a cloud provider's services," said Matan.
