medium

Asset Key Thief

Published Wed, Apr 19th, 2023
Platforms

Summary

Asset Key Thief was a Google Cloud privilege escalation vulnerability that enabled principals with the "Cloud Asset Viewer" role (or other roles with the `cloudasset.assets.searchAllResources` permission) on the Cloud Asset Inventory API, at the Project, Folder, or Organization level to view and exfiltrate any user-managed Service Account private key under a project within the same Google Cloud environment that had been created or rotated up to a maximum of 12 hours ago. Access to Service Account private keys enable the full assumption of that Service Account's identity and privileges, which would have given attackers with existing access to a Google Cloud environment a persistent and reliable method of lateral movement and privilege escalation. Google has since fixed this vulnerability, but affected customers must rotate their keys manually.

Affected Services

Cloud Asset Inventory

Remediation

Consider rotating user-managed Service Account keys created prior to 14/03/23. Search for anomalous Service Account activity. Audit principals with access to the "cloudasset.assets.searchAllResources" permission. Search for "google.cloud.asset.v1.AssetService.SearchAllResources" ADMIN_READ data access logs.

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Tue, Feb 7th, 2023
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Jackson Reid, SADA