Ethical Hacking News
The vulnerability landscape has taken a hit in recent weeks, with several high-profile discoveries leaving experts scrambling to patch and defend against them. A new vulnerability in Google Cloud Platform (GCP) that could enable an attacker to elevate their privileges in the Cloud Composer workflow orchestration service stands out as particularly concerning.
In this article, we will delve deeper into the details of ConfusedComposer, explore its potential impact, and discuss the broader implications for cloud security. We'll also examine other recent discoveries in the field, including vulnerabilities in Microsoft Azure, Microsoft Entra ID, and AWS EC2 instances.
A vulnerability in Google Cloud Platform's (GCP) Cloud Composer service could allow an attacker to elevate their privileges and gain access to sensitive data. The "ConfusedComposer" vulnerability was discovered and disclosed by Tenable researcher Liv Matan and patched by Google in April 2025. The flaw allows an attacker with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, gaining high-level permissions across GCP services. Google has addressed the vulnerability by eliminating the use of the Cloud Build service account for installing packages and instead using the environment's service account. The potential impact of ConfusedComposer is significant, allowing an attacker to siphon sensitive data, disrupt services, and deploy malicious code within CI/CD pipelines.
According to researchers at Tenable, the vulnerability, codenamed "ConfusedComposer," was discovered and disclosed by the company's senior security researcher, Liv Matan. The flaw, which was patched by Google in April 2025, could have allowed an attacker with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, thereby gaining high-level permissions across GCP services such as Cloud Build itself, Cloud Storage, and Artifact Registry.
The vulnerability is a variant of "ConfusedFunction," a privilege escalation flaw in GCP's Cloud Functions service that an attacker could exploit to gain unauthorized access to other services and sensitive data. It highlights the ongoing problem of security issues being inherited from one cloud service by another. This pattern, known as the "Jenga" effect, can cause significant damage if cloud service providers do not address it promptly.
In a statement announcing the patch for ConfusedComposer, Google explained that it had stopped using the Cloud Build service account to install Python Package Index (PyPI) packages, closing the path by which a user could have a malicious PyPI package installed under that account's privileges. Packages are now installed using the environment's own service account instead.
"This vulnerability lets attackers with edit permissions in Cloud Composer escalate their access to the default Cloud Build service account," Matan explained. "In this case, an attacker only needs permission to update a Cloud Composer environment to gain access to critical GCP services like Cloud Storage and Artifact Registry."
The potential impact of ConfusedComposer is significant. Successful exploitation of the flaw could permit an attacker to siphon sensitive data, disrupt services, and deploy malicious code within CI/CD pipelines. Furthermore, it could pave the way for the deployment of backdoors that can grant persistent access to compromised cloud environments.
This vulnerability comes on the heels of several other high-profile discoveries in recent weeks. For example, researchers at Varonis Threat Labs uncovered a vulnerability in Microsoft Azure that could have allowed a threat actor with privileged access to an Azure SQL Server to alter configurations in a manner that causes data loss upon admin action. The company has since remediated the issue as of April 9, 2025.
In another instance, security researcher Coby Abrams explained to The Hacker News how an attacker could exploit a vulnerability in Microsoft Entra ID restricted administrative units to prevent selected users from being modified, deleted, or disabled, even by a Global Administrator. This bug was fixed by the company as of February 22, 2025.
Meanwhile, threat actors have been targeting websites hosted on Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances, exploiting Server-Side Request Forgery (SSRF) vulnerabilities in those sites to reach the instance metadata service and extract its data. According to F5 Labs researcher Merlyn Albery-Speyer, EC2 Instance Metadata is a feature provided by AWS that allows an EC2 instance to access information needed at runtime without needing to authenticate or make external API calls.
"It can expose information such as the public or private IP address, instance ID, and IAM role credentials. Much of this is sensitive data of interest to attackers," Albery-Speyer explained.
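The SSRF-to-metadata pattern described above can be spotted in ordinary web server access logs. The following detector is an added example written for this article, not code from F5 Labs or AWS; the log lines are constructed samples, and the IMDS hostnames checked are the documented IPv4 and IPv6 endpoints of the EC2 Instance Metadata Service.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (combined log format) for illustration.
SAMPLE_LOGS = """\
203.0.113.7 - - [22/Apr/2025:10:01:12 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [22/Apr/2025:10:01:15 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 128 "-" "curl/8.4.0"
198.51.100.3 - - [22/Apr/2025:10:02:01 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Apr/2025:10:03:40 +0000] "GET /preview?target=http://[fd00:ec2::254]/latest/meta-data/ HTTP/1.1" 200 64 "-" "python-requests/2.31"
"""

# Hosts that reach the EC2 Instance Metadata Service (IPv4 and IPv6 endpoints).
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def _decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding, which is often used to hide the target."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def _targets_imds(value: str) -> bool:
    """True when a query-parameter value is a URL whose host is the IMDS endpoint."""
    host = (urlparse(_decode(value)).hostname or "").lower()
    return host in IMDS_HOSTS


def find_imds_ssrf(log_text: str) -> list:
    """Return one record per request whose query parameters point at IMDS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        query = parse_qs(urlparse(m.group("target")).query, keep_blank_values=True)
        for param, values in query.items():
            for v in values:
                if _targets_imds(v):
                    hits.append({"src": m.group("src"), "ts": m.group("ts"),
                                 "param": param, "url": _decode(v),
                                 "status": m.group("status")})
    return hits
```

A hit with a 2xx status means the application relayed the metadata response, which is only possible when IMDSv1 is still enabled on the instance; enforcing IMDSv2 (session tokens with a hop limit of 1) stops a plain GET-based SSRF from reaching credentials.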
The growing landscape of cloud security vulnerabilities underscores the need for businesses to prioritize proactive measures against these threats. This may include regular security audits and timely patching, thorough risk assessments, and employee education on cybersecurity best practices.
As the threat landscape continues to evolve, one thing is clear: cloud security experts must remain vigilant in their efforts to stay ahead of the latest vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Vulnerability-Landscape-A-Growing-Concern-for-Cloud-Security-ehn.shtml
https://thehackernews.com/2025/04/gcp-cloud-composer-bug-let-attackers.html
https://cybersecuritynews.com/gcp-rce-flaw/
Published: Tue Apr 22 10:08:07 2025 by llama3.2 3B Q4_K_M