Published Wed, Apr 19th, 2023
Platforms
Asset Key Thief was a Google Cloud privilege escalation vulnerability that enabled principals holding the "Cloud Asset Viewer" role (or any other role granting the `cloudasset.assets.searchAllResources` permission) on the Cloud Asset Inventory API at the Project, Folder, or Organization level to view and exfiltrate any user-managed Service Account private key, in any project within the same Google Cloud environment, that had been created or rotated within the previous 12 hours. Possession of a Service Account private key enables full assumption of that Service Account's identity and privileges, so an attacker with existing access to a Google Cloud environment would have had a persistent and reliable method of lateral movement and privilege escalation. Google has since fixed this vulnerability, but affected customers must rotate their keys manually.
Cloud Asset Inventory
Consider rotating user-managed Service Account keys created prior to 14/03/23. Search for anomalous Service Account activity. Audit principals that hold the "cloudasset.assets.searchAllResources" permission. Search ADMIN_READ data access logs for "google.cloud.asset.v1.AssetService.SearchAllResources" calls.
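A worked example of the triage the mitigations above describe, added here as an illustration (it is not part of this entry and not code from the discoverer or from Google): it matches Cloud Audit Log data-access entries for the SearchAllResources method, counts them per principal for an access review, and lists user-managed Service Account keys created before the 14/03/23 cutoff. The log entries and key records are constructed sample data in the shape of Cloud Audit Logs and of `gcloud iam service-accounts keys list --format=json`; the `LOG_FILTER` string is an assumed equivalent Cloud Logging filter for use in Logs Explorer or `gcloud logging read`.

```python
"""Triage helpers for the Asset Key Thief advisory (added example, not from the entry):
flag Cloud Asset Inventory SearchAllResources calls in Cloud Audit Logs and list
user-managed Service Account keys that predate the advisory's rotation cutoff.
All sample data below is constructed for this example."""
import json
from collections import Counter
from datetime import datetime, timezone

# Method and service names as given in the advisory.
ASSET_SEARCH_METHOD = "google.cloud.asset.v1.AssetService.SearchAllResources"
ASSET_SERVICE = "cloudasset.googleapis.com"
# User-managed keys created before this date should be rotated (date from the advisory).
ROTATION_CUTOFF = datetime(2023, 3, 14, tzinfo=timezone.utc)
# Assumed equivalent Cloud Logging filter (Logs Explorer / `gcloud logging read`).
LOG_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Fdata_access" AND '
    f'protoPayload.serviceName="{ASSET_SERVICE}" AND '
    f'protoPayload.methodName="{ASSET_SEARCH_METHOD}"'
)

# Constructed audit log entries in the Cloud Audit Logs JSON shape (sample data).
SAMPLE_LOG_ENTRIES = json.loads("""[
 {"timestamp": "2023-02-10T08:15:00Z",
  "logName": "projects/example-prj/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {"serviceName": "cloudasset.googleapis.com",
   "methodName": "google.cloud.asset.v1.AssetService.SearchAllResources",
   "authenticationInfo": {"principalEmail": "alice@example.com"},
   "authorizationInfo": [{"permission": "cloudasset.assets.searchAllResources",
                          "permissionType": "ADMIN_READ", "granted": true}],
   "resourceName": "organizations/123456789012"}},
 {"timestamp": "2023-02-10T08:16:30Z",
  "logName": "projects/example-prj/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {"serviceName": "iam.googleapis.com",
   "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
   "authenticationInfo": {"principalEmail": "bob@example.com"},
   "resourceName": "projects/-/serviceAccounts/deploy@example-prj.iam.gserviceaccount.com"}},
 {"timestamp": "2023-02-10T08:17:05Z",
  "logName": "projects/example-prj/logs/cloudaudit.googleapis.com%2Fdata_access",
  "protoPayload": {"serviceName": "cloudasset.googleapis.com",
   "methodName": "google.cloud.asset.v1.AssetService.SearchAllResources",
   "authenticationInfo": {"principalEmail": "ci-runner@example-prj.iam.gserviceaccount.com"},
   "resourceName": "projects/example-prj"}}
]""")

# Constructed ServiceAccountKey records (shape of `gcloud iam service-accounts keys list --format=json`).
SA = "projects/example-prj/serviceAccounts/deploy@example-prj.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/aaaa1111", "keyType": "USER_MANAGED", "validAfterTime": "2023-02-01T10:00:00Z"},
    {"name": f"{SA}/keys/bbbb2222", "keyType": "USER_MANAGED", "validAfterTime": "2023-04-01T10:00:00Z"},
    {"name": f"{SA}/keys/cccc3333", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T10:00:00Z"},
]


def _parse_ts(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2023-02-01T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_asset_searches(entries):
    """Return (timestamp, principal, scope) for every SearchAllResources call in the entries."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != ASSET_SERVICE:
            continue
        if payload.get("methodName") != ASSET_SEARCH_METHOD:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        hits.append((entry.get("timestamp"), principal, payload.get("resourceName")))
    return hits


def searches_by_principal(entries):
    """Count SearchAllResources calls per principal; a starting point for an access review."""
    return Counter(principal for _, principal, _ in find_asset_searches(entries))


def keys_to_rotate(keys, cutoff=ROTATION_CUTOFF):
    """Return names of user-managed keys whose validAfterTime (creation) is before the cutoff."""
    return [k["name"] for k in keys
            if k.get("keyType") == "USER_MANAGED" and _parse_ts(k["validAfterTime"]) < cutoff]


if __name__ == "__main__":
    print("Cloud Logging filter:", LOG_FILTER)
    for ts, who, scope in find_asset_searches(SAMPLE_LOG_ENTRIES):
        print(f"{ts} {who} searched assets at {scope}")
    print("Calls per principal:", dict(searches_by_principal(SAMPLE_LOG_ENTRIES)))
    print("Keys to rotate:", keys_to_rotate(SAMPLE_KEYS))
```

The system-managed key is deliberately excluded: the advisory concerns user-managed keys only, and system-managed keys cannot be rotated by the customer. Any principal that appears in the per-principal count without a business reason to query Cloud Asset Inventory is a candidate for the "anomalous Service Account activity" review the mitigation text calls for.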
No tracked CVEs
Contributed by https://github.com/jacks-reid
Entry Status
Finalized
Disclosure Date
Tue, Feb 7th, 2023
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
None
Piercing Index Rating
-
Discovered by
Jackson Reid, SADA