Express Computer

Tenable research uncovers a privilege escalation vulnerability in Google Cloud Run

Tenable has identified a privilege escalation vulnerability in Google Cloud Run called ImageRunner. The vulnerability could have allowed attackers to bypass permissions, gain unauthorised access to container images and potentially expose sensitive data.

Cloud Run, Google’s serverless container platform, uses a service agent with elevated permissions to pull private Google Container Registry or Artifact Registry images. According to Tenable researchers, an attacker with edit permissions on Cloud Run could exploit these inherited permissions to retrieve a container image and use it to deploy applications, demonstrating the risks associated with cloud service interdependencies.

ImageRunner exemplifies what Tenable has coined the Jenga® Concept: the tendency for cloud providers to build services on top of one another, so that security risks and weaknesses in one layer cascade into other services.

“In the game of Jenga®, removing a single block can undermine the entire structure,” said Liv Matan, Senior Security Researcher at Tenable. “Cloud services function similarly: if one component has risky default settings, those risks can trickle down to dependent services, increasing the risk of security breaches.”

Potential Impact of ImageRunner Exploitation
If exploited, ImageRunner could allow attackers to:

  • Inspect private container images, extracting sensitive information or secrets.
  • Modify deployment parameters to execute unauthorised code.
  • Exfiltrate critical data for cyberespionage or malicious activities.

Google has addressed ImageRunner and no additional action is required.

Recommendations for Security Teams
While no user action is required to mitigate ImageRunner, Tenable recommends that organisations:

  • Follow the least privilege model to prevent unnecessary permission inheritance.
  • Map hidden dependencies between cloud services using tools like Jenganizer.
  • Regularly review logs to detect suspicious access patterns.
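
As an added illustration of the least-privilege recommendation (not code from Tenable, Google or the original article), the Python example below reads a project IAM policy and lists principals who can edit Cloud Run services but hold no registry read role of their own, which is the permission gap the article describes. The role sets, the sample policy and the function names are assumptions made for this example.

```python
import json
from collections import defaultdict

# Assumption: predefined roles treated as "edit on Cloud Run" and "read images".
# Adjust both sets to match custom roles used in your organisation.
RUN_EDIT_ROLES = {"roles/run.admin", "roles/run.developer"}
IMAGE_READ_ROLES = {
    "roles/artifactregistry.reader", "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin", "roles/artifactregistry.admin",
    "roles/storage.objectViewer",  # Container Registry images live in Cloud Storage
}
BASIC_ROLES = {"roles/editor", "roles/owner"}  # assumed to cover both capabilities

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/run.developer", "members": ["user:dev@example.com", "group:ci@example.com"]},
  {"role": "roles/artifactregistry.reader", "members": ["group:ci@example.com"]},
  {"role": "roles/run.admin", "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/editor", "members": ["user:lead@example.com"]}
]}
""")

def roles_by_member(policy):
    """Invert the bindings list into member -> set of roles."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out

def run_editors_without_image_read(policy):
    """Members who can edit Cloud Run services but hold no image-read role."""
    flagged = {}
    for member, roles in roles_by_member(policy).items():
        if roles & BASIC_ROLES:
            continue  # broad basic role: review separately
        if roles & RUN_EDIT_ROLES and not roles & IMAGE_READ_ROLES:
            flagged[member] = sorted(roles & RUN_EDIT_ROLES)
    return flagged

if __name__ == "__main__":
    for member, roles in sorted(run_editors_without_image_read(SAMPLE_POLICY).items()):
        print(f"{member}: {', '.join(roles)} without registry read")
```

The check covers project-level bindings only; read access granted on an individual repository or bucket has to be merged in before treating a flagged principal as a finding.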

“The discovery of ImageRunner reinforces the need for proactive cloud security measures. As cloud environments grow more complex, security teams must anticipate and mitigate risks before attackers exploit them,” added Matan.
