"Google Fixes 'Bad.Build' Vulnerability Affecting Cloud Build Service"
Google patched a flaw in its Cloud Build service that allowed attackers to tamper with application images and deliver malicious code to users. Although a fix for the vulnerability was released in June, the researchers who discovered it have only now published a detailed explanation of how it created a threat vector similar to SolarWinds or the more recent 3CX and MOVEit supply chain attacks. Through Cloud Build, users can execute builds on Google Cloud to their own specifications and import code from various repositories and cloud storage locations. The Bad.Build issue centered on the permissions granted to the default service accounts that come with the Cloud Build service. Orca Security, which disclosed the vulnerability to Google, noted that by exploiting the flaw, which enabled impersonation of the default Cloud Build service account, an attacker could tamper with images in Google's Artifact Registry and inject malicious code. Any application built from a tampered image is then exposed to Denial-of-Service (DoS) attacks, data theft, and the spread of malware. This article continues to discuss findings regarding the Bad.Build vulnerability.
The Record reports "Google Fixes 'Bad.Build' Vulnerability Affecting Cloud Build Service"
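Because the issue described above hinges on what the default Cloud Build service account is allowed to do, and on who is allowed to submit builds that run under it, a defender's first step is an IAM review. The script below is an added example, not code from the article, Orca Security or Google: it parses the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and flags roles on the default Cloud Build service account beyond a reviewer's allow-list, plus any principal holding a build-submitting role. The sample policy, project number and allow-list are constructed assumptions for the example.

```python
"""Audit a GCP project IAM policy around the Cloud Build default service account.

Input is the JSON produced by `gcloud projects get-iam-policy PROJECT --format=json`.
The default Cloud Build service account is named PROJECT_NUMBER@cloudbuild.gserviceaccount.com.
"""
import json

CLOUD_BUILD_SA_SUFFIX = "@cloudbuild.gserviceaccount.com"
# Roles that let a principal submit builds, i.e. run build steps under the SA.
BUILD_SUBMIT_ROLES = {"roles/cloudbuild.builds.editor", "roles/owner", "roles/editor"}
# Roles a reviewer accepts on the default SA (assumed allow-list); anything else is flagged.
ALLOWED_SA_ROLES = {"roles/cloudbuild.builds.builder", "roles/logging.logWriter"}

# Constructed sample policy; the project number and principals are not real.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/artifactregistry.admin",   # broad registry write access on the SA
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["user:dev@example.com", "group:ci-team@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]
})


def audit_policy(policy_json: str) -> dict:
    """Return excess roles on the default Cloud Build SA and all build-submitting principals."""
    policy = json.loads(policy_json)
    excess_sa_roles: dict = {}
    build_submitters: dict = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            # Flag any role on the default Cloud Build SA that is not on the allow-list.
            if member.endswith(CLOUD_BUILD_SA_SUFFIX) and role not in ALLOWED_SA_ROLES:
                excess_sa_roles.setdefault(member, []).append(role)
            # Record every principal that can submit builds under that SA.
            if role in BUILD_SUBMIT_ROLES:
                build_submitters.setdefault(member, []).append(role)
    return {"excess_sa_roles": excess_sa_roles, "build_submitters": build_submitters}


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Run it against a real policy with `gcloud projects get-iam-policy PROJECT --format=json | python3 audit.py` after replacing `SAMPLE_POLICY` with `sys.stdin.read()`; every flagged entry is a grant to review, not proof of compromise.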