

Ethical Hacking News

The Cloud Run Conundrum: A Privilege Escalation Vulnerability Uncovered



Google has recently addressed a critical vulnerability in its Cloud Run service that could have allowed unauthorized access to container images and potentially compromised sensitive data. The vulnerability, codenamed ImageRunner, was discovered by Tenable security researcher Liv Matan and highlights the importance of security and compliance in cloud-based services.

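  • Google's Cloud Run service had a critical vulnerability, codenamed ImageRunner, that could have allowed unauthorized access to container images.
  • An attacker holding the run.services.update and iam.serviceAccounts.actAs permissions in a victim's project could modify a Cloud Run service and deploy a new revision, potentially accessing sensitive data.
  • The patch released by Google ensures that the user or service account creating or updating a Cloud Run resource has explicit permission to access the container images; with Artifact Registry, the Artifact Registry Reader IAM role (roles/artifactregistry.reader) is recommended.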
  • The vulnerability highlights the importance of security and compliance in cloud-based services and underscores the need for organizations to carefully manage their permissions.



    Google has recently addressed a critical vulnerability in its Cloud Run service, which could have allowed unauthorized access to container images and potentially compromised sensitive data. The vulnerability, codenamed ImageRunner, was discovered by Tenable security researcher Liv Matan, who shared the details with The Hacker News.

    According to Matan, the vulnerability arises from the way Cloud Run handles revisions of its services. When a service is deployed or updated, a new version is created, and each time a Cloud Run revision is deployed, a service agent account is used to pull the necessary images. If an attacker gains certain permissions within a victim's project – specifically run.services.update and iam.serviceAccounts.actAs permissions – they could modify a Cloud Run service and deploy a new revision.

    In doing so, they could specify any private container image within the same project for the service to pull. This allows the attacker to access sensitive or proprietary images stored in a victim's registries and even introduce malicious instructions that, when executed, could be abused to extract secrets, exfiltrate sensitive data, or even open a reverse shell to a machine under their control.

    The patch released by Google now ensures that the user or service account creating or updating a Cloud Run resource has explicit permission to access the container images. When using Artifact Registry, it is recommended that the principal has the Artifact Registry Reader (roles/artifactregistry.reader) IAM role on the project or repository containing the container image(s) to deploy.
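
    The check the fix enforces can be audited ahead of time. The following is an added example, not code from Google or Tenable: it scans IAM policy bindings for principals that hold both permissions named above yet have no explicit image-read role on the project or on a repository. The role-to-permission map, the sample policies and the repository names are constructed assumptions.

```python
# Added example: audit for principals that can deploy Cloud Run revisions
# but have no explicit image-read grant. All data below is constructed.

# Assumption: partial role -> permission map covering only the two
# permissions the article names; extend it from your own role definitions.
ROLE_PERMS = {
    "roles/run.admin": {"run.services.update"},
    "roles/run.developer": {"run.services.update"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}
DEPLOY_PERMS = {"run.services.update", "iam.serviceAccounts.actAs"}
# Assumption: only the role the article recommends counts as image read access.
IMAGE_READ_ROLES = {"roles/artifactregistry.reader"}

# Constructed policies in the {"bindings": [{"role", "members"}]} IAM shape.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/run.developer",
     "members": ["user:dev@example.com", "user:intern@example.com"]},
    {"role": "roles/run.admin", "members": ["user:ops@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:dev@example.com", "user:ops@example.com"]},
    {"role": "roles/artifactregistry.reader", "members": ["user:ops@example.com"]},
]}
REPO_POLICIES = {  # hypothetical repository names
    "app-images": {"bindings": [{"role": "roles/artifactregistry.reader",
                                 "members": ["user:dev@example.com"]}]},
    "private-images": {"bindings": []},
}

def roles_by_member(policy):
    """Invert bindings into {member: {roles}}; IAM conditions are ignored."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out

def audit(project_policy, repo_policies):
    """Map each deploy-capable principal to repositories it cannot explicitly read."""
    findings = {}
    for member, roles in roles_by_member(project_policy).items():
        perms = set().union(*(ROLE_PERMS.get(r, set()) for r in roles))
        if not DEPLOY_PERMS <= perms or roles & IMAGE_READ_ROLES:
            continue  # cannot deploy revisions, or has project-wide read
        missing = sorted(name for name, pol in repo_policies.items()
                         if not roles_by_member(pol).get(member, set()) & IMAGE_READ_ROLES)
        if missing:
            findings[member] = missing
    return findings

if __name__ == "__main__":
    print(audit(PROJECT_POLICY, REPO_POLICIES))
```

    Each principal reported is one whose deployments of images from the listed repositories depend on the explicit permission the patch now requires, so it either needs a deliberate read grant or should lose the deploy permissions.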

    Tenable has characterized ImageRunner as an instance of what it calls Jenga, which arises due to the interconnected nature of various cloud services, causing security risks to be passed along. "Cloud providers build their services on top of their other existing services," Matan said. "If one service gets attacked or is compromised, the other ones built on top of it inherit the risk and become vulnerable as well."

    This scenario opens the door for attackers to discover novel privilege escalation opportunities and even vulnerabilities, and introduces new hidden risks for defenders.

    It's worth noting that this disclosure comes weeks after Praetorian detailed several ways a lower-privilege principal can abuse an Azure virtual machine (VM) to gain control over an Azure subscription. The attack vectors include executing commands on an Azure VM associated with an administrative managed identity, logging in to an Azure VM associated with an administrative managed identity, attaching an existing administrative user-assigned managed identity to an existing Azure VM and executing commands in that VM, and creating a new Azure VM, attaching an existing administrative managed identity to it, and executing commands in that VM by using data plane actions.

    After obtaining the Owner role for a subscription, an attacker may be able to leverage their broad control over all subscription resources to find a privilege escalation path to the Entra ID tenant. This path is predicated on a compute resource in the victim subscription with a service principal having Entra ID permissions that may allow it to escalate itself to Global Administrator.

    The disclosure of this vulnerability highlights the importance of security and compliance in cloud-based services. It serves as a reminder for organizations to carefully manage their permissions, monitor their services for suspicious activity, and ensure that their cloud providers are keeping up with the latest security patches and updates.

    In conclusion, the recent vulnerability in Google Cloud Run has significant implications for organizations relying on this service. By understanding the nature of the vulnerability and taking steps to mitigate it, businesses can protect themselves against potential attacks and maintain the integrity of their data and applications.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Cloud-Run-Conundrum-A-Privilege-Escalation-Vulnerability-Uncovered-ehn.shtml

  • https://thehackernews.com/2025/04/google-fixed-cloud-run-vulnerability.html

  • https://cybersecuritynews.com/google-cloud-platform-privilege-escalation-vulnerability/


  • Published: Wed Apr 2 11:44:03 2025 by llama3.2 3B Q4_K_M












