Summary
Asset Key Thief was a Google Cloud
privilege escalation vulnerability that enabled
principals with the "Cloud Asset Viewer" role (or other roles
with the `cloudasset.assets.searchAllResources` permission) on the
Cloud Asset Inventory API, at the Project, Folder, or Organization level
to view and exfiltrate any user-managed Service Account
private key under a project within the same Google Cloud environment that
had been created or rotated up to a maximum of 12 hours ago.
Access to Service Account private keys enable the full assumption
of that Service Account's identity and privileges, which would have given
attackers with existing access to a Google Cloud environment a persistent and reliable
method of lateral movement and privilege escalation. Google has since fixed this
vulnerability, but affected customers must rotate their keys manually.
Affected Services
Cloud Asset Inventory
Remediation
Consider rotating user-managed Service Account keys created prior to 14/03/23.
Search for anomalous Service Account activity.
Audit principals with access to the "cloudasset.assets.searchAllResources" permission.
Search for "google.cloud.asset.v1.AssetService.SearchAllResources" ADMIN_READ data access logs.
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/jacks-reid
Disclosure Date
Tue, Feb 7th, 2023
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Jackson Reid, SADA
