RCE on a Cloud Function in GCP

Question

Can we talk about remote code execution in a serverless? Let's say I have a Cloud Function in GCP that's vulnerable to RCE. If an attacker uses the right payload, will he be able to execute commands on the container of the Cloud Function ? Thank you for your help!

I am testing a security tool on GCP that identified vulnerabilities in the Cloud Functions.

score 0 · Answer 1 · answered May 11 '23 at 18:56

0

Your question is too broad. RCE is a big topic that requires articles to cover.

There are two basic types of RCE:

remote command execution
remote code execution

Cloud Functions does not have an operating system or command shell, so the first type of RCE is not possible.

The second type of RCE would depend on your code and of course, is a risk for code with vulnerabilities that can be reached via the function's public endpoint.

answered May 11 '23 at 18:56

John Hanley

74,467
6
95
159

Thank you @John Hanley for this explanation. Actually I was referring to remote command execution, because the security tool I’m using is detecting vulnerable packages to remote command execution used by a cloud function. So, in this case, we can say there’s no risk at all? – Foued May 12 '23 at 01:12
@Foued - you cannot run commands in Cloud Functions. I covered that in my answer. – John Hanley May 12 '23 at 01:14

RCE on a Cloud Function in GCP

1 Answers1