Researchers revealed a critical vulnerability in Google's Cloud Run, named ImageRunner, which allowed malicious actors to access restricted container images and inject harmful code. The issue arose from certain identities having edit permissions on Cloud Run while lacking container registry permissions. This could enable attackers, with specific permissions, to modify services and deploy new revisions that pull sensitive images from the same project. Google patched this security flaw by January 28, 2025, protecting users from potential data exfiltration and other attacks.
"The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact Registry and Google Container Registry images in the same account," Tenable security researcher Liv Matan said in a report shared with The Hacker News.
"If an attacker gains certain permissions within a victim's project -- specifically run.services.update and iam.serviceAccounts.actAs permissions -- they could modify a Cloud Run service and deploy a new revision," Matan explained.
"In doing so, they could specify any private container image within the same project for the service to pull."
"What's more, the attacker could access sensitive or proprietary images stored in a victim's registries and even introduce malicious instructions that, when executed, could be abused to extract secrets, exfiltrate sensitive data, or even open a reverse shell."
Collection
[
|
...
]