Google fixes ‘Bad.Build’ vulnerability affecting Cloud Build service

Google said it has fixed a vulnerability in its Cloud Build service that allowed hackers to tamper with application images and infect users.

While a fix for the issue was released in June, the researchers who discovered the bug published their full breakdown of the vulnerability on Tuesday – explaining that it created a “threat vector similar to SolarWinds or the more recent 3CX and MOVEit supply chain attacks.”

The tool lets users execute builds on Google Cloud to their specifications and import code from a variety of repositories and cloud storage spaces. The issue – dubbed “Bad.Build” – centered around the permissions given to default service accounts that come with the Cloud Build service.

Orca Security, which reported the bug to Google, said that attackers could impersonate the accounts and manipulate the build, injecting malicious code or taking other actions.

Google argued that Cloud Build comes with default service accounts that include permissions which many users are likely to need.

But Orca Security’s Roi Nisimi explained in a blog post that by abusing this flaw that enables the impersonation of the default Cloud Build service account, an attacker “can manipulate images in Google’s Artifact Registry and inject malicious code.”

“Any applications built from the manipulated images are then affected, with potential outcomes including Denial-of-Service (DoS) attacks, data theft, and the spread of malware,” Nisimi said.

“Even worse, if the malformed applications are meant to be deployed on customer’s environments (either on-premise or semi-SaaS), the risk crosses from the supplying organization’s environment to their customers’ environments, constituting a supply chain attack.”

A Google spokesperson told Recorded Future News they released a fix for the issue on June 8 after being notified by Orca Security and said no actions need to be taken by users.

“We are appreciative of Orca and the broader security community’s participation in these programs,” the Google spokesperson said. “We appreciate the work of the researchers and have incorporated a fix based on their report as outlined in a security bulletin issued in early June.”

The fix removes a permission from the default Cloud Build Service Account. Nisimi argued that Google’s fix doesn’t fully address how hackers can gain illicit access to elevated rights, permissions, entitlements, or privileges beyond what is assigned for a specific identity or user.

“It only limits it – turning it into a design flaw that still leaves organizations vulnerable to the larger supply chain risk. Hence, it requires security teams to put further measures in place to protect against this risk,” Nisimi said.

Google denied Orca Security’s assessment, explaining that the access given to service accounts is the “nature of automated systems that run independently.”

Both Google and Orca Security urged all organizations to check permissions and adjust them to their liking – depending on their security posture and other factors.