Tenable, a cloud exposure management company, has discovered a privilege escalation vulnerability in Google Cloud Composer, the managed Apache Airflow service on Google Cloud Platform (GCP), which it has named ConfusedComposer. The vulnerability allowed an attacker who held only permission to edit a Cloud Composer environment to escalate to a highly privileged service account with broad permissions across the GCP project. Cloud Composer uses Cloud Build, GCP's CI/CD service, to install custom PyPI packages into an environment. By injecting a malicious package into that installation, an attacker could take control of Cloud Build's service account and with it gain access to critical GCP resources. ConfusedComposer is a variant of ConfusedFunction, an earlier Tenable finding in Cloud Functions, and both illustrate how much complexity is hidden inside interdependent cloud services.

ConfusedComposer highlights a broader security concern that Tenable calls the Jenga® concept: cloud providers build services on top of one another, so risky defaults or weaknesses in one layer cascade into the services built on it.

“When you play the Jenga® game, removing one block can make the whole tower unstable,” said Liv Matan, Senior Security Researcher at Tenable. “Cloud services work the same way. If one layer has risky default settings, then that risk can spread to others, making security breaches more likely to happen.”

If exploited, ConfusedComposer could allow attackers to:

  • Steal sensitive data from GCP services
  • Inject malicious code into CI/CD pipelines
  • Maintain persistent access through backdoors
  • Escalate privileges to potentially take full control of a victim’s GCP project

Google has fixed ConfusedComposer; no action by customers is required.

While no user action is required to mitigate ConfusedComposer, Tenable recommends that organizations:

  • Apply the least-privilege model to service accounts so that a foothold in one service does not inherit unnecessary permissions from another.
  • Map hidden dependencies between cloud services using tools like Jenganizer.
  • Regularly review cloud audit logs to detect suspicious access patterns.
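The least-privilege recommendation applies most directly to the service accounts involved in the chain described above: the default Cloud Build service account, and the default Compute Engine service account that a Cloud Composer environment runs as unless a custom one is configured. The following Python script is an added example, not Tenable's or Google's code: it reads the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json` and flags either Google-managed default account wherever it holds a basic Owner or Editor role, printing the `gcloud` command that would remove the binding. The sample policy, the project number 123456789012, the project ID `example-project` and the set of roles treated as "broad" are constructed assumptions; extend `BROAD_ROLES` to match your organisation's own definition of excessive privilege.

```python
"""Flag Google-managed default service accounts that hold broad project roles.

Added example for reviewing a GCP project IAM policy; not Tenable's or
Google's code. Input format is the JSON emitted by
`gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json
import re

# Roles broad enough that a service account holding them is a high-value
# escalation target. Assumption: a starting point, extend as needed.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Google-managed default accounts: the Cloud Build default service account
# (PROJECT_NUMBER@cloudbuild.gserviceaccount.com) and the Compute Engine
# default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com),
# which a Composer environment runs as unless a custom account is configured.
DEFAULT_SA_PATTERNS = {
    "cloud-build-default": re.compile(
        r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$"),
    "compute-engine-default": re.compile(
        r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
}

# Constructed sample policy. Project number 123456789012 is made up.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": [
             "serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
             "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
             "user:alice@example.com"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/composer.user", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})


def classify_member(member):
    """Return which default-account pattern a member matches, or None."""
    for kind, pattern in DEFAULT_SA_PATTERNS.items():
        if pattern.match(member):
            return kind
    return None


def find_overprivileged_default_accounts(policy_json, project_id):
    """Return one finding per (default service account, broad role) binding.

    Each finding carries the member, which default account it is, the role,
    whether the binding is conditional (worth a closer look rather than an
    automatic removal), and a suggested remediation command.
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            kind = classify_member(member)
            if kind is None:
                continue
            findings.append({
                "member": member,
                "kind": kind,
                "role": role,
                "conditional": "condition" in binding,
                "suggested_fix": (
                    f"gcloud projects remove-iam-policy-binding {project_id} "
                    f"--member={member} --role={role}"),
            })
    findings.sort(key=lambda f: (f["role"], f["member"]))
    return findings


if __name__ == "__main__":
    for finding in find_overprivileged_default_accounts(SAMPLE_POLICY, "example-project"):
        print(f"[{finding['kind']}] {finding['member']} holds {finding['role']}")
        print(f"  fix: {finding['suggested_fix']}")
```

The script deliberately ignores narrowly scoped roles such as `roles/cloudbuild.builds.builder`, since the point is not that these accounts exist but that a basic Owner or Editor grant turns any build or package-install step that runs as them into a project-wide escalation path. Run it against the real policy of each project that hosts a Composer environment, and treat a conditional binding as something to review by hand rather than remove blindly.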

“The discovery of ConfusedComposer highlights the need for security teams to uncover hidden cloud interactions and enforce strict privilege controls. As cloud environments become more complex, it’s crucial to identify and address risks before attackers take advantage of them,” added Matan.

This discovery serves as a wake-up call for security teams.

Read the full research findings here.