Google Fixed Cloud Run Vulnerability Allowing Unauthorized Image Access via IAM Misuse

The Hacker News, Apr 02, 2025 | Ravie Lakshmanan | Cloud Security / Vulnerability

Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code.

“The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact Registry and Google Container Registry images in the same account,” Tenable security researcher Liv Matan said in a report shared with The Hacker News.

The security shortcoming has been codenamed ImageRunner by the cybersecurity company. Following responsible disclosure, Google addressed the problem as of January 28, 2025.

Google Cloud Run is a fully managed service for executing containerized applications in a scalable, serverless environment. When it is used to run a service, the container image to deploy is specified by its URL and pulled from Artifact Registry (or Docker Hub) at deployment time.


At issue is that certain identities lack container registry permissions yet hold edit permissions on Google Cloud Run revisions.

Each time a Cloud Run service is deployed or updated, a new revision is created, and each deployment of a revision uses a service agent account to pull the images it needs.

“If an attacker gains certain permissions within a victim’s project — specifically run.services.update and iam.serviceAccounts.actAs permissions — they could modify a Cloud Run service and deploy a new revision,” Matan explained. “In doing so, they could specify any private container image within the same project for the service to pull.”

What’s more, the attacker could access sensitive or proprietary images stored in a victim’s registries and even introduce malicious instructions that, when executed, could be abused to extract secrets, exfiltrate sensitive data, or even open a reverse shell to a machine under their control.

The patch released by Google now ensures that the user or service account creating or updating a Cloud Run resource has explicit permission to access the container images.

“The principal (user or service account) creating or updating a Cloud Run resource now needs explicit permission to access the container image(s),” the tech giant said in its release notes for Cloud Run in January 2025.

“When using Artifact Registry, ensure the principal has the Artifact Registry Reader (roles/artifactregistry.reader) IAM role on the project or repository containing the container image(s) to deploy.”
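The precondition Matan describes (run.services.update together with iam.serviceAccounts.actAs) and the remedy in Google's release notes (the deploying principal must itself be able to read the image, for example through roles/artifactregistry.reader) together define one check a defender can run over a project's IAM policy. The script below is an added example, not code from Tenable, Google or The Hacker News: it flattens an IAM policy in the JSON shape that `gcloud projects get-iam-policy` emits and lists every principal that can redeploy a revision but holds no image-read permission. The sample policy and the role-to-permission table are constructed for the example (the table is an illustrative subset, not an authoritative one), and the example goes a step beyond the article by also reporting bound roles it cannot expand, so that an unknown custom role is never silently treated as harmless.

```python
"""Audit a GCP project IAM policy for the ImageRunner precondition.

Added example, not Tenable's or Google's code. A principal holding
run.services.update and iam.serviceAccounts.actAs (the two permissions
the article names) could, before the January 2025 fix, deploy a revision
that pulls any private image in the project. Google's fix requires the
deploying principal to be able to read the image itself, e.g. through
roles/artifactregistry.reader. This script lists principals that hold
the deploy permissions but no image-read permission: the population the
fix newly constrains and the one worth reviewing on any project.

The role->permission table is a constructed, illustrative subset
(assumption); a real audit would fill it from `gcloud iam roles describe`.
"""
import json
from collections import defaultdict

# Constructed mapping (assumption): a few predefined roles and only the
# permissions relevant here. Not a complete or authoritative table.
ROLE_PERMISSIONS = {
    "roles/run.developer": {"run.services.update", "run.services.get"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/artifactregistry.reader": {
        "artifactregistry.repositories.downloadArtifacts"
    },
    "roles/viewer": {"run.services.get"},
}

# Permissions the article names as sufficient to redeploy a revision.
DEPLOY_REVISION = {"run.services.update", "iam.serviceAccounts.actAs"}
# Permission that lets a principal pull images (granted by the reader role).
IMAGE_READ = {"artifactregistry.repositories.downloadArtifacts"}

# Constructed sample policy, in the JSON shape that
# `gcloud projects get-iam-policy PROJECT --format=json` produces.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/run.developer",
         "members": ["user:dev@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:dev@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/artifactregistry.reader",
         "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]
})


def effective_permissions(policy_json, role_permissions=ROLE_PERMISSIONS):
    """Flatten bindings into {member: set(permissions)}.

    Conditional bindings are counted as granted (the worst case for an
    audit). Roles absent from the table contribute nothing here; the
    caller reports them via unknown_roles() instead of ignoring them.
    """
    policy = json.loads(policy_json)
    perms = defaultdict(set)
    for binding in policy.get("bindings", []):
        granted = role_permissions.get(binding["role"], set())
        for member in binding.get("members", []):
            perms[member] |= granted
    return dict(perms)


def unknown_roles(policy_json, role_permissions=ROLE_PERMISSIONS):
    """Roles bound in the policy that the table cannot expand."""
    policy = json.loads(policy_json)
    bound = {b["role"] for b in policy.get("bindings", [])}
    return sorted(bound - set(role_permissions))


def find_imagerunner_gaps(policy_json, role_permissions=ROLE_PERMISSIONS):
    """Members who can redeploy a Cloud Run revision but cannot read images."""
    flagged = []
    members = effective_permissions(policy_json, role_permissions)
    for member, perms in sorted(members.items()):
        if DEPLOY_REVISION <= perms and not (IMAGE_READ & perms):
            flagged.append(member)
    return flagged


if __name__ == "__main__":
    for member in find_imagerunner_gaps(SAMPLE_POLICY):
        print("review:", member,
              "can redeploy revisions but has no image-read permission")
    for role in unknown_roles(SAMPLE_POLICY):
        print("unexpanded role (add it to the table):", role)
```

On a real project, export the policy with `gcloud projects get-iam-policy PROJECT --format=json` and build the table from the `includedPermissions` that `gcloud iam roles describe ROLE` prints for each bound role. Bindings inherited from the folder or organization, and permissions granted on individual Cloud Run services rather than the project, do not appear in the project policy and need a separate pass.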

Tenable has characterized ImageRunner as an instance of what it calls Jenga: because cloud services are built on top of one another, a security risk in one service is passed along to the services that depend on it.

“Cloud providers build their services on top of their other existing services,” Matan said. “If one service gets attacked or is compromised, the other ones built on top of it inherit the risk and become vulnerable as well.”

“This scenario opens the door for attackers to discover novel privilege escalation opportunities and even vulnerabilities, and introduces new hidden risks for defenders.”


The disclosure comes weeks after Praetorian detailed several ways a lower-privileged principal can abuse an Azure virtual machine (VM) to gain control over an Azure subscription:

  • Execute commands on an Azure VM associated with an administrative managed identity
  • Log in to an Azure VM associated with an administrative managed identity
  • Attach an existing administrative user-assigned managed identity to an existing Azure VM and execute commands in that VM
  • Create a new Azure VM, attach an existing administrative managed identity to it, and execute commands in that VM by using data plane actions

“After obtaining the Owner role for a subscription, an attacker may be able to leverage their broad control over all subscription resources to find a privilege escalation path to the Entra ID tenant,” security researchers Andrew Chang and Elgin Lee said.

“This path is predicated on a compute resource in the victim subscription with a service principal with Entra ID permissions that may allow it to escalate itself to Global Administrator.”
