Friday, 12 December 2025

Tenable uncovers critical privilege escalation flaw in Google Cloud Composer

Tenable exposes a GCP vulnerability in Cloud Composer that allows privilege escalation through interdependent cloud services.

Tenable has identified a new privilege escalation vulnerability in Google Cloud Platform (GCP), highlighting the risk of permissions inherited across service boundaries in complex cloud environments. The flaw, dubbed ConfusedComposer, allowed an attacker who could edit a Google Cloud Composer environment (the composer.environments.update permission, not project-level admin rights) to obtain the credentials of a highly privileged service account and, through it, reach other GCP resources the attacker was never granted directly.

Vulnerability stems from service interdependency

Cloud Composer, Google’s managed workflow orchestration service built on Apache Airflow, relies on Cloud Build to install custom Python (PyPI) packages into an environment. Cloud Build, in turn, ran those installs under its default service account, which carries extensive permissions. Tenable researchers found that a user with edit-level access to a Cloud Composer environment could add a malicious package to the environment’s PyPI package list. Because package installation runs arbitrary setup code inside the build, that code executes with the default Cloud Build service account’s identity and can retrieve its credentials. By extension the attacker gains whatever that account can do, which in a default project includes access to Cloud Build itself, Cloud Storage, and Artifact Registry.

The vulnerability mirrors ConfusedFunction, a flaw Tenable previously reported in the way Cloud Functions used Cloud Build, and Tenable describes ConfusedComposer as a variant of it. Both show how tightly integrated cloud services can unintentionally provide pathways for privilege escalation, even when each component appears secure in isolation: the weak link is not either service but the identity one service borrows from the other.

Broader concerns over cloud architecture design

Tenable links ConfusedComposer to what it calls the Jenga concept—a metaphor for the fragility of layered cloud services. “When you play the Jenga game, removing one block can make the whole tower unstable,” said Liv Matan, Senior Security Researcher at Tenable. “Cloud services work the same way. If one layer has risky default settings, then that risk can spread to others, making security breaches more likely to happen.”

The discovery draws attention to the increasingly interconnected nature of cloud services, where a risky default in one service can grant capabilities in several others. According to Tenable, this architectural complexity requires a different approach to risk management, one that examines the permissions a service inherits from its dependencies rather than the permissions a user was explicitly granted.

Risk mitigated but vigilance urged

Google has addressed the ConfusedComposer vulnerability; Composer now installs PyPI packages using the environment’s own service account rather than the default Cloud Build service account, and no user action is required to resolve the issue. However, Tenable urges organisations to remain proactive. Its recommendations include applying the principle of least privilege so that default service accounts do not carry unnecessary roles, mapping out hidden service dependencies using tools such as Jenganizer, and regularly reviewing access logs for signs of unusual activity, such as unexpected changes to an environment’s package list.
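Two of those recommendations can be checked with a few lines of code. The script below is an added example written for this article, not code from Tenable or Google. It audits a project’s IAM policy (as returned by `gcloud projects get-iam-policy --format=json`) for broad roles bound to the default Cloud Build service account, whose name follows the PROJECT_NUMBER@cloudbuild.gserviceaccount.com pattern, and it pulls Composer environment updates that touch the PyPI package list out of Cloud Audit Log entries, since that is the path an attacker with edit rights would use. The policy document, log entries, principal names and package names are constructed for the example; the set of roles treated as "too broad" and the audit-log field paths are assumptions to tune against your own baseline.

```python
"""Audit helpers for the ConfusedComposer pattern (added example, not Tenable's code)."""
from typing import Dict, List

# Roles considered too broad for a build identity that installs packages.
# This list is an assumption for the example; adjust it to your baseline.
BROAD_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/storage.admin",
    "roles/artifactregistry.admin",
}

# Audit-log methodName written when a Composer environment is updated.
COMPOSER_UPDATE_METHOD = (
    "google.cloud.orchestration.airflow.service.v1.Environments.UpdateEnvironment"
)


def cloud_build_default_sa(project_number: str) -> str:
    """Default Cloud Build service account for a project."""
    return f"{project_number}@cloudbuild.gserviceaccount.com"


def least_privilege_findings(policy: Dict, project_number: str) -> List[str]:
    """Return the broad roles bound to the default Cloud Build SA, sorted."""
    member = "serviceAccount:" + cloud_build_default_sa(project_number)
    findings = []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []) and binding.get("role") in BROAD_ROLES:
            findings.append(binding["role"])
    return sorted(findings)


def pypi_update_events(entries: List[Dict]) -> List[Dict]:
    """Extract Composer updates whose updateMask touches the PyPI package list.

    Field paths (protoPayload.methodName, .request.updateMask, ...) follow the
    Cloud Audit Log schema as assumed for this example.
    """
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != COMPOSER_UPDATE_METHOD:
            continue
        request = payload.get("request", {})
        if "pypi" not in str(request.get("updateMask", "")).lower():
            continue
        packages = (
            request.get("environment", {})
            .get("config", {})
            .get("softwareConfig", {})
            .get("pypiPackages", {})
        )
        hits.append(
            {
                "time": entry.get("timestamp"),
                "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                "environment": payload.get("resourceName"),
                "packages": packages,
            }
        )
    return hits


# Constructed sample input: a project (number 123456789012) whose default
# Cloud Build SA still holds roles/editor, plus two audit-log entries.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/composer.worker",
         "members": ["serviceAccount:composer-env@example-project.iam.gserviceaccount.com"]},
    ]
}

SAMPLE_LOG = [
    {"timestamp": "2025-04-01T10:00:00Z",
     "protoPayload": {
         "methodName": COMPOSER_UPDATE_METHOD,
         "authenticationInfo": {"principalEmail": "dev@example.com"},
         "resourceName": "projects/example-project/locations/us-central1/environments/prod",
         "request": {"updateMask": "config.softwareConfig.pypiPackages",
                     "environment": {"config": {"softwareConfig": {
                         "pypiPackages": {"totally-legit-helper": "==1.0.0"}}}}}}},
    {"timestamp": "2025-04-01T10:05:00Z",
     "protoPayload": {
         "methodName": "google.cloud.orchestration.airflow.service.v1.Environments.GetEnvironment",
         "authenticationInfo": {"principalEmail": "dev@example.com"},
         "resourceName": "projects/example-project/locations/us-central1/environments/prod"}},
]

if __name__ == "__main__":
    for role in least_privilege_findings(SAMPLE_POLICY, "123456789012"):
        print(f"Broad role on default Cloud Build SA: {role}")
    for hit in pypi_update_events(SAMPLE_LOG):
        print(f"{hit['time']} {hit['principal']} changed PyPI packages on "
              f"{hit['environment']}: {hit['packages']}")
```

Run against real data, the first function answers "what could a build identity hijacked this way actually do in my project", and the second gives the review queue for the log check Tenable recommends. Neither replaces Google’s fix; they make the inherited permissions visible so they can be trimmed before the next variant appears.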

“The discovery of ConfusedComposer highlights the need for security teams to uncover hidden cloud interactions and enforce strict privilege controls,” Matan added. “As cloud environments become more complex, it’s crucial to identify and address risks before attackers take advantage of them.”

Tenable’s findings serve as a timely reminder for cloud security teams to keep evaluating not only their own configurations but the default identities and permissions their managed services inherit from one another, especially as those services become more interwoven.
