medium

GCP Cloudshell Vulnerabilities

Published Mon, Dec 16th, 2019

Platforms

Summary

Wouter ter Maat discovered 9 vulnerabilities in GCP Cloudshell that could allow an attacker to access resources in another customer's environment.

Affected Services

Cloudshell

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-introduction/https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-bug-1/https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-bug-2/https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-bug-3/https://offensi.com/2019/12/16/4-google-cloud-shell-bugs-explained-bug-4/https://www.youtube.com/watch?v=J2icGMocQds https://security.googleblog.com/2020/03/announcing-our-first-gcp-vrp-prize.html

Contributed by https://github.com/korniko98

Disclosure Date

Mon, Dec 16th, 2019

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Wouter ter Maat, Offensi

More vulnerabilities...

medium

ALB HTTP request smuggling

ALBs found vulnerable to HTTP request smuggling (desync attack).

James Kettle (Portswigger),...

Fri, Oct 4th, 2019

high

Lake Formation data lake admin override

Shortly after Lake Formation was made generally available, a bug was discovered that gave anyone the ability to view and override data lake admins for any account (an attacker would have only neede...

Ian Mckay

Thu, Aug 15th, 2019

medium

AWS IAM role credential exfiltration via EC2 Instance Metadata Service (IMDSv1)

AWS offers a metadata service accessible to most EC2 Instances via a simple GET request to 169.254.169.254. If an instance has an SSRF vulnerability, attackers can access the metadata service & exf...

Sun, Aug 4th, 2019

View all