Google Cloud VMs vulnerable to hijack
Uh oh. Looks like your using an ad blocker.
Our site is support by ads that help to pay our hosting costs. Please disable or whitelist us within your ad blocker to help us keep the site online.
All money generate by ads and donations is used to pay the hosting costs of the site, for more information about our income and expenses please see our donation page.
An attacker could gain root access to VMs running on Google Cloud
Cybersecurity researcher Imre Rad has disclosed a potential vulnerability that can be exploited to get root access to virtual machines (VM) running on Google Cloud.
Specifically, the attack exploits a weakness in Google Compute Engine (GCE), which is Google Clouds Infrastructure-as-a-Service (IaaS) product.
Rad explains that attackers can take over GCE VMs by taking advantage of a weakness in the random number generator of the ISC DHCP server they use by default, together with an unfortunate combination of additional factors.
The hijacking is done by impersonating the metadata server from the targeted virtual machines point of view. By mounting this exploit, the attacker can grant access to themselves over SSH (public key authentication) so then they can login as the root user.
In his writeup, Rad explains that the attack consists of two phases. The first involves overloading a victims VM with DHCP traffic in order to get it to use a malicious attacker controlled metadata server instead of an official Google one.
Once the victims VM is listening to the rogue metadata server for configuration information, the attacker can send across their SSH public key and gain root access to the VM.
Rad says his technique is inspired by an attack vector shared last by Chris Moberly, another security researcher.
He reported the vulnerability to Google in September 2020, but has not heard back since. He suspects that, since Google has not closed his bug report, there could be some technical complexity that prevents them from deploying a network level remediation.
Google now says it has taken steps to prevent the exploitation of the vulnerability through either the internet or external VM IP traffic, although a complete mitigation has not yet been deployed.
According to Google, customers with untrusted internal traffic would be wise to ensure the incoming UDP port 68 is blocked by firewalls to head off malicious activity.