[sync] Add GCP.Cloudfunctions.Functions.Update rule (#59) #1078
Goal
Detect cloudfunctions.functions.update method for privilege escalation in GCP.
Categorization
TA0004:T1548
Strategy Abstract
The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.
Technical Context
Similar to cloudfunctions.functions.create, this method updates (overwrites) an existing function instead of creating a new one. The API used to update the function also allows you to swap the Service Account if you have another one you want to get the token for. The script will update the target function with the malicious code, then wait for it to deploy, then finally invoke it to be returned the Service Account access token.
The following permissions are required for this method:
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
iam.serviceAccounts.actAs
Blind Spots and Assumptions
Assumes proper GCP logging and audit policies.
False Positives
Legitimate administrative activity that is authorized and expected.
Validation
The exploit script for this method can be found here. The output of this script is similar to cloudfunctions.functions.create.
Priority
High or Critical
Response
Again, these are not vulnerabilities in GCP, they are vulnerabilities in how you have configured your GCP environment, so it is your responsibility to be aware of these attack vectors and to defend against them. Make sure to follow the principle of least-privilege in your environments to help mitigate these security risks.
Additional Resources
https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
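The detection side of the method described above, as an added example that is not part of the pull request or the project's own rule: a small Panther-style rule that runs over GCP audit log events and fires when the cloudfunctions.functions.update permission was actually granted (a denied attempt is an access failure, not a rewrite of the function), and whose alert title notes when iam.serviceAccounts.actAs was granted in the same call, which is the combination the page lists as required. The rule()/title() entry points, the field names read from protoPayload.authorizationInfo and authenticationInfo, and the sample events are assumptions and constructed data, not copied from the project or from real logs.

```python
"""Added example: detect granted cloudfunctions.functions.update calls in GCP audit logs.

Assumptions (not from the original page): Panther-style rule()/title() entry
points; audit log events shaped like Cloud Audit Logs, with granted permissions
listed under protoPayload.authorizationInfo. All sample events below are
constructed for illustration.
"""
from typing import Any, Dict, List

UPDATE_PERMISSION = "cloudfunctions.functions.update"
ACTAS_PERMISSION = "iam.serviceAccounts.actAs"  # also required per the page


def granted_permissions(event: Dict[str, Any]) -> List[str]:
    """Return the permissions the audit log records as granted for this call."""
    auth_info = event.get("protoPayload", {}).get("authorizationInfo") or []
    return [a.get("permission", "") for a in auth_info if a.get("granted") is True]


def rule(event: Dict[str, Any]) -> bool:
    """Fire only when the update permission was granted, not merely attempted."""
    return UPDATE_PERMISSION in granted_permissions(event)


def title(event: Dict[str, Any]) -> str:
    """Alert title: who updated which function, flagging an actAs grant in the same call."""
    payload = event.get("protoPayload", {})
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    resource = payload.get("resourceName", "<unknown>")
    suffix = " (iam.serviceAccounts.actAs also granted)" if ACTAS_PERMISSION in granted_permissions(event) else ""
    return f"[GCP] {actor} updated Cloud Function {resource}{suffix}"


# Constructed sample events (assumed field values, not real logs).
UPDATE_EVENT = {
    "protoPayload": {
        "methodName": "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
        "resourceName": "projects/example-project/locations/us-central1/functions/example-fn",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "authorizationInfo": [
            {"permission": "cloudfunctions.functions.update", "granted": True},
            {"permission": "cloudfunctions.functions.sourceCodeSet", "granted": True},
            {"permission": "iam.serviceAccounts.actAs", "granted": True},
        ],
    }
}

# Same call, but IAM denied it: no function was overwritten, so no alert.
DENIED_EVENT = {
    "protoPayload": {
        "methodName": "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
        "resourceName": "projects/example-project/locations/us-central1/functions/example-fn",
        "authenticationInfo": {"principalEmail": "contractor@example.com"},
        "authorizationInfo": [{"permission": "cloudfunctions.functions.update", "granted": False}],
    }
}

# Read-only call on the same function: not an update, so no alert.
GET_EVENT = {
    "protoPayload": {
        "methodName": "google.cloud.functions.v1.CloudFunctionsService.GetFunction",
        "resourceName": "projects/example-project/locations/us-central1/functions/example-fn",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "authorizationInfo": [{"permission": "cloudfunctions.functions.get", "granted": True}],
    }
}

if __name__ == "__main__":
    for event in (UPDATE_EVENT, DENIED_EVENT, GET_EVENT):
        print(rule(event), title(event))
```

Matching on the granted permission rather than on methodName keeps the rule stable across API versions, and surfacing the actAs grant in the title gives the responder the one detail that distinguishes a routine code push from a service account swap.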