IT Brief US - Technology news for CIOs & IT decision-makers
Tenable reveals privilege risk in Google Cloud Composer flaw

Today

Tenable Research has disclosed details of a privilege escalation vulnerability in Google Cloud Composer that could have enabled attackers to gain unauthorised access to critical cloud resources.

The vulnerability, referred to as ConfusedComposer, was found to affect Google Cloud Composer environments by allowing users with limited permissions to exploit the integration between Composer and Google Cloud Build, Google's continuous integration and delivery service.

Tenable reported that attackers possessing edit permissions in Cloud Composer could take advantage of Composer's use of the default Cloud Build service account, which is configured with broad privileges across Google Cloud Platform (GCP) services. By injecting a malicious Python package during the installation process, attackers could escalate their privileges and assume the identity of the Cloud Build service account.

Once in control of this service account, a threat actor would have access to several critical GCP resources, including Cloud Build, Cloud Storage, and Artifact Registry. This access could be used to steal data, inject malicious code into software build pipelines, establish persistence through hidden backdoors, or escalate privileges further to potentially take full control of a GCP project.

ConfusedComposer is described as a variant of a previously discovered vulnerability known as ConfusedFunction, illustrating how the interconnected nature of cloud services can contribute to the development of new exploitation methods based on existing weaknesses.

Tenable used the term "Jenga Concept" to describe this phenomenon, where security weaknesses in one cloud service layer can cascade into others because of intertwined dependencies.

"When you play the Jenga game, removing one block can make the whole tower unstable," said Liv Matan, Senior Security Researcher at Tenable. "Cloud services work the same way. If one layer has risky default settings, then that risk can spread to others, making security breaches more likely to happen."

The vulnerability has been addressed by Google, and no further action is required from users to mitigate the issue in existing environments. However, Tenable's findings highlight a broader concern for organisations relying on cloud service ecosystems composed of stacked and interdependent services.

Tenable outlined specific impacts that could result from exploitation of ConfusedComposer. Potential consequences include theft of sensitive data, compromise of CI/CD pipelines, establishment of persistent unauthorised access methods, and total takeover of affected Google Cloud projects.

In terms of security best practices, Tenable recommended that organisations enforce the principle of least privilege to minimise unnecessary permission inheritance, map hidden service dependencies using tools such as Jenganizer, and conduct regular log reviews to identify suspicious access attempts.
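One way to act on the least-privilege recommendation above, as an added example that is not Tenable's or Google's code: a short Python check over an exported IAM policy (the shape that `gcloud projects get-iam-policy PROJECT --format=json` produces) that flags a default Cloud Build service account holding a basic role, and lists the other principals whose roles would let them edit Composer environments while that condition holds. The sample policy, project number and principals are constructed, and the role sets are assumptions to tune to your own role inventory.

```python
import re

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`
# output; the project number and every principal below are made up.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/composer.admin",
         "members": ["user:data-eng@example.com", "group:airflow-ops@example.com"]},
        {"role": "roles/composer.environmentAndStorageObjectViewer",
         "members": ["user:analyst@example.com"]},
    ]
}

# The default Cloud Build service account is named
# PROJECT_NUMBER@cloudbuild.gserviceaccount.com.
DEFAULT_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Assumption: basic roles are treated as overly broad for a build-time identity.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Assumption: these roles are enough to update a Composer environment
# (which includes changing its installed Python packages).
COMPOSER_EDIT_ROLES = {"roles/owner", "roles/editor", "roles/composer.admin"}


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def broad_default_build_sa(policy):
    """Default Cloud Build service accounts that hold a basic role, as (member, role)."""
    hits = []
    for member, roles in roles_by_member(policy).items():
        if DEFAULT_BUILD_SA.match(member):
            for role in sorted(roles & BROAD_ROLES):
                hits.append((member, role))
    return sorted(hits)


def composer_editors(policy):
    """Principals whose roles are assumed to allow Composer environment updates."""
    members = roles_by_member(policy)
    return sorted(m for m, roles in members.items() if roles & COMPOSER_EDIT_ROLES)


def escalation_candidates(policy):
    """Composer editors (other than the build SA itself) present while the
    default build SA still carries a basic role; empty if the SA is scoped down."""
    if not broad_default_build_sa(policy):
        return []
    return [m for m in composer_editors(policy) if not DEFAULT_BUILD_SA.match(m)]


if __name__ == "__main__":
    for sa, role in broad_default_build_sa(SAMPLE_POLICY):
        print(f"[broad build SA] {sa} holds {role}")
    for member in escalation_candidates(SAMPLE_POLICY):
        print(f"[composer editor while build SA is broad] {member}")
```

The report is a review aid, not a verdict: a principal listed by `escalation_candidates` is someone whose Composer edit rights are worth re-checking against the privileges the build identity actually needs, and the list empties as soon as the build service account's basic role is replaced with narrower ones.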

"The discovery of ConfusedComposer highlights the need for security teams to uncover hidden cloud interactions and enforce strict privilege controls. As cloud environments become more complex, it's crucial to identify and address risks before attackers take advantage of them," added Matan.

The disclosure of ConfusedComposer draws attention to the increasing complexity and interconnectivity in cloud platform security, suggesting that teams must proactively assess potential privilege escalation paths and inherited risks in their cloud architectures.
