
Security Flaw Highlights Risks of Cloud Service Dependencies


Cybersecurity researchers at Tenable have discovered a privilege escalation vulnerability in Google Cloud Run, named “ImageRunner,” that could have allowed attackers to bypass permissions, gain unauthorised access to container images, and potentially expose sensitive data.

Google Cloud Run, a serverless container platform, relies on a service agent with elevated permissions to pull private images from Google Container Registry or Artifact Registry. According to Tenable researchers, attackers with edit permissions on Cloud Run could have exploited these inherited permissions to retrieve a container image and deploy unauthorised applications, highlighting the cascading security risks within cloud service interdependencies.

The “Jenga Concept” & Cloud Security Risks

The ImageRunner vulnerability aligns with what Tenable researchers call the Jenga® Concept, referring to the way cloud providers build services on top of one another. A security weakness in one layer can propagate to dependent services, much like removing a block in a Jenga® tower can destabilise the entire structure.

“In the game of Jenga®, removing a single block can undermine the entire structure,” said Liv Matan, Senior Security Researcher at Tenable. “Cloud services function similarly—if one component has risky default settings, those risks can trickle down to dependent services, increasing the risk of security breaches.”

Potential Impact Of ImageRunner

If exploited, ImageRunner could have enabled attackers to:

Access and inspect private container images, potentially extracting sensitive information.

Modify deployment parameters to execute unauthorised code.

Exfiltrate critical data, increasing risks of cyberespionage or malicious activities.

Google has since addressed the vulnerability, and no further action is required from users.

Strengthening Cloud Security Measures

While the immediate risk from ImageRunner has been mitigated, Tenable recommends that organisations take proactive security measures, including:

Implementing the least privilege model to prevent unnecessary permission inheritance.

Using tools like Jenganizer to map hidden dependencies between cloud services.

Regularly reviewing logs to detect suspicious access patterns.
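One way to act on the least privilege and dependency-mapping recommendations is to audit a project's IAM policy for principals who can edit Cloud Run services but hold no direct grant to read the images they deploy, since their effective image access would come only through the service agent described above. The script below is an added example, not Tenable's or Google's code; it reads the JSON shape produced by `gcloud projects get-iam-policy --format=json`, and its role-to-capability map is a deliberate simplification (real roles bundle many more permissions, and conditional or repository-level bindings are not modelled).

```python
import json

# Simplified role -> capability map (assumption: real GCP roles bundle far more
# permissions; only the two capabilities this audit reasons about are modelled).
ROLE_CAPS = {
    "roles/owner": {"run.edit", "image.read"},
    "roles/editor": {"run.edit", "image.read"},
    "roles/run.admin": {"run.edit"},
    "roles/run.developer": {"run.edit"},
    "roles/artifactregistry.reader": {"image.read"},
    "roles/artifactregistry.writer": {"image.read"},
    "roles/storage.objectViewer": {"image.read"},  # GCR images live in GCS buckets
}

def member_capabilities(policy):
    """Flatten an IAM policy (shape of `gcloud projects get-iam-policy
    --format=json`) into member -> set of modelled capabilities."""
    caps = {}
    for binding in policy.get("bindings", []):
        granted = ROLE_CAPS.get(binding["role"], set())
        for member in binding.get("members", []):
            caps.setdefault(member, set()).update(granted)
    return caps

def find_inherited_image_readers(policy):
    """Members who can edit Cloud Run services but hold no direct image-read
    grant. Any private image they can deploy is readable to them only through
    the Cloud Run service agent, which is the inheritance least privilege
    should remove or at least make explicit."""
    caps = member_capabilities(policy)
    return sorted(m for m, c in caps.items()
                  if "run.edit" in c and "image.read" not in c)

# Constructed sample policy; these principals do not exist.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/run.developer",
     "members": ["user:dev-a@example.com",
                 "serviceAccount:ci-deployer@example.iam.gserviceaccount.com"]},
    {"role": "roles/artifactregistry.reader",
     "members": ["user:dev-a@example.com"]},
    {"role": "roles/run.viewer", "members": ["user:auditor@example.com"]}
  ]
}""")

if __name__ == "__main__":
    for member in find_inherited_image_readers(SAMPLE_POLICY):
        print(f"review: {member} can deploy Cloud Run revisions "
              f"without a direct image-read grant")
```

Against the sample policy only the CI deployer is flagged: the developer holds an explicit registry read role and the auditor cannot edit services at all.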

“The discovery of ImageRunner reinforces the need for proactive cloud security measures. As cloud environments grow more complex, security teams must anticipate and mitigate risks before attackers exploit them,” added Matan.

As cloud services continue to evolve, security teams must remain vigilant in monitoring service dependencies and enforcing strict access controls to safeguard their digital infrastructure.
