
Apr 02, 2025
Ravie Lakshmanan
Cloud Security / Vulnerability

Cybersecurity researchers have disclosed details of a now-patched vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed an attacker to access and manipulate container images. Security company Tenable has named the flaw ImageRunner.

In a report shared with The Hacker News, Tenable security researcher Liv Matan said an attacker could have exploited the vulnerability to “abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact Registry and Google Container Registry images in the same account.”

Google addressed the issue on January 28, 2025, following responsible disclosure. The vulnerability, known as ImageRunner, is a privilege escalation flaw that could have allowed an attacker to access sensitive or proprietary images stored in a victim’s registries and even introduce malicious code.

Google Cloud Run is a fully managed service that allows users to execute containerized applications in a scalable, serverless environment. When a service is deployed using Cloud Run, container images are retrieved from the Artifact Registry (or Docker Hub) for subsequent deployment by specifying the image URL.

The issue arises because some identities hold edit permissions on Google Cloud Run revisions without holding any container registry permissions. Such an identity can modify a Cloud Run service and deploy a new revision that references a private image, thereby accessing sensitive or proprietary images stored in a victim’s registries.

Each time a Cloud Run service is deployed or updated, a new revision is created, and a service agent account is used to pull the necessary images. Because the service agent, not the deploying principal, performs the pull, an attacker with only revision edit permissions within a victim’s project could modify a Cloud Run service and deploy a new revision that pulls images the attacker could not otherwise read.

The attacker could also introduce malicious instructions that, when executed, could be abused to extract secrets, exfiltrate sensitive data, or even open a reverse shell to a machine under their control.

Google has released a patch that ensures the user or service account creating or updating a Cloud Run resource has explicit permission to access the container images. According to the company’s release notes, “the principal (user or service account) creating or updating a Cloud Run resource now needs explicit permission to access the container image(s).”
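The permission gap described above (revision edit rights without registry read rights) is something a defender can audit for directly in a project’s IAM policy. The following script is an added example and is not part of Tenable’s research or Google’s fix. It parses a constructed policy document in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and flags principals that hold a Cloud Run edit role but no registry read role. The role-to-permission mapping (which predefined roles include `run.services.update` or image pull rights) is a simplification and an assumption; verify it against `gcloud iam roles describe` for the project in question.

```python
import json

# Constructed sample IAM policy (members and project name are made up for illustration).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {
            "role": "roles/run.developer",
            "members": [
                "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com",
                "user:dev@example.com",
            ],
        },
        {"role": "roles/artifactregistry.reader", "members": ["user:dev@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]
})

# Predefined roles that include run.services.update, i.e. let a principal deploy a new
# Cloud Run revision. Assumption: kept to well-known roles; custom roles are not expanded here.
RUN_EDIT_ROLES = {
    "roles/run.admin",
    "roles/run.developer",
    "roles/editor",
    "roles/owner",
}

# Predefined roles that grant image pull from Artifact Registry (downloadArtifacts) or the
# GCS bucket backing Container Registry (storage.objects.get). Same assumption as above.
REGISTRY_READ_ROLES = {
    "roles/artifactregistry.reader",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
    "roles/storage.objectViewer",
    "roles/editor",
    "roles/owner",
}


def roles_by_member(policy_json: str) -> dict[str, set[str]]:
    """Invert the bindings list into a map of member -> set of roles held."""
    policy = json.loads(policy_json)
    roles: dict[str, set[str]] = {}
    for binding in policy.get("bindings", []):
        # Conditional bindings are counted as granted; this is the conservative choice
        # for an audit, since the condition may be satisfied at deploy time.
        for member in binding.get("members", []):
            roles.setdefault(member, set()).add(binding["role"])
    return roles


def find_imagerunner_gap(policy_json: str) -> list[str]:
    """Return members that can edit Cloud Run revisions but hold no registry read role.

    Before the fix, these principals could pull any image the service agent could reach;
    after the fix, their deployments fail until they are granted image access explicitly,
    so the list doubles as a preview of which deployers the patch will break.
    """
    flagged = []
    for member, roles in sorted(roles_by_member(policy_json).items()):
        if roles & RUN_EDIT_ROLES and not roles & REGISTRY_READ_ROLES:
            flagged.append(member)
    return flagged


if __name__ == "__main__":
    for member in find_imagerunner_gap(SAMPLE_POLICY):
        print(f"Cloud Run edit without registry read: {member}")
```

On the constructed policy, only the CI deployer service account is flagged: it can create revisions but holds no registry read role, while `user:dev@example.com` has both. Running the same check against a real policy export shows which deployers relied on the service agent’s access and therefore need an explicit `roles/artifactregistry.reader` grant (or equivalent) now that Google requires it.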

Tenable has characterized ImageRunner as an instance of what it calls Jenga: because cloud services are built on top of one another, a security risk in one service is inherited by the services stacked above it. “Cloud providers build their services on top of their other existing services,” Matan said. “If one service gets attacked or is compromised, the other ones built on top of it inherit the risk and become vulnerable as well.”

“This scenario opens the door for attackers to discover novel privilege escalation opportunities and even vulnerabilities, and introduces new hidden risks for defenders.”

The disclosure of the ImageRunner vulnerability comes weeks after Praetorian detailed several ways a lower-privilege principal can abuse an Azure virtual machine (VM) to gain control over an Azure subscription. These methods include:

  • Executing commands on an Azure VM associated with an administrative managed identity
  • Logging in to an Azure VM associated with an administrative managed identity
  • Attaching an existing administrative user-assigned managed identity to an existing Azure VM and executing commands in that VM
  • Creating a new Azure VM, attaching an existing administrative managed identity to it, and executing commands in that VM by using data plane actions

According to security researchers Andrew Chang and Elgin Lee, “after obtaining the Owner role for a subscription, an attacker may be able to leverage their broad control over all subscription resources to find a privilege escalation path to the Entra ID tenant.” This path depends on the victim subscription containing a compute resource whose service principal holds Entra ID permissions that could allow it to escalate itself to Global Administrator.
