Security researchers have discovered a design flaw in Google Cloud Build that can enable supply chain attacks. Google Cloud Build is Google Cloud's managed continuous integration and delivery service. This CI/CD service lets users automate the building, testing and deployment of software. Cloud Build also integrates with other services in Google Cloud's ecosystem, such as Artifact Registry, Google Kubernetes Engine and App Engine. The flaw allows attackers to escalate privileges by impersonating the default Cloud Build service account. This gives them unauthorised access to code repositories in Google's Artifact Registry, where they can inject malicious code. Google's security team has been notified of the findings and has implemented a partial fix. It is recommended that organisations pay close attention to the behaviour of the default Google Cloud Build service account and apply the principle of least privilege to mitigate the privilege escalation risk.
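The least-privilege recommendation above is easiest to act on if you can check a project's IAM policy for the two conditions the segment describes: a default Cloud Build service account holding more than a build pipeline needs, and principals who can impersonate service accounts at project scope. The following Python audit is an added example, not code from the segment or from the linked reports. It assumes the policy has the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` (a `bindings` list of `role`/`members` entries) and that the default Cloud Build service account is named `PROJECT_NUMBER@cloudbuild.gserviceaccount.com`; the two sample policies are constructed for illustration.

```python
"""
Audit a GCP project IAM policy for (1) broad roles on the default Cloud Build
service account, (2) project-wide service-account impersonation rights, and
(3) Artifact Registry administrative roles on the Cloud Build service account.

Assumption (added example, not from the original segment): the input is the
JSON produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json
import re

# The default Cloud Build service account is named after the project number.
CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Basic roles that grant far more than a build pipeline needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Roles that let a principal act as, or mint tokens for, a service account.
# Bound at project level they cover every service account in the project,
# the default Cloud Build service account included.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Artifact Registry roles that go beyond pushing artifacts (managing
# repositories and their IAM policies), which a pipeline rarely needs.
ARTIFACT_ADMIN_ROLES = {
    "roles/artifactregistry.admin",
    "roles/artifactregistry.repoAdmin",
}


def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per flagged (member, role) pair; empty means clean."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if role in IMPERSONATION_ROLES:
                findings.append({
                    "severity": "HIGH", "member": member, "role": role,
                    "issue": "project-wide impersonation right; bind it on the "
                             "specific service account instead",
                })
            if CLOUD_BUILD_SA.match(member):
                if role in BROAD_ROLES:
                    findings.append({
                        "severity": "HIGH", "member": member, "role": role,
                        "issue": "default Cloud Build service account holds a "
                                 "basic role; replace with "
                                 "roles/cloudbuild.builds.builder plus only "
                                 "the roles the pipeline actually uses",
                    })
                elif role in ARTIFACT_ADMIN_ROLES:
                    findings.append({
                        "severity": "MEDIUM", "member": member, "role": role,
                        "issue": "Cloud Build can administer Artifact Registry; "
                                 "roles/artifactregistry.writer is enough to "
                                 "push build outputs",
                    })
    return findings


def audit_policy_json(text: str) -> list[dict]:
    """Convenience wrapper for raw gcloud JSON output."""
    return audit_policy(json.loads(text))


# Constructed sample: the default Cloud Build SA holds roles/editor and an
# Artifact Registry admin role, and a user can impersonate any SA.
WEAK_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/artifactregistry.admin",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:dev@example.com"]},
    ],
}

# Constructed sample of the same project after applying least privilege.
HARDENED_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/artifactregistry.writer",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["group:ci-admins@example.com"]},
    ],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {name} policy ==")
        for f in audit_policy(policy) or [{"severity": "OK", "member": "-",
                                            "role": "-", "issue": "no findings"}]:
            print(f"[{f['severity']}] {f['member']} {f['role']}: {f['issue']}")
```

Run it against real output by piping `gcloud projects get-iam-policy PROJECT_ID --format=json` into `audit_policy_json`. The check is deliberately narrow: it flags the bindings the segment's advice is about rather than trying to score every role, so any finding it prints is worth a look instead of being noise to tune out.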
https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability/
https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-chain-attacks/
This segment was created for the It’s 5:05 podcast