medium

GCP Default compute account is project Editor

Published Sun, Nov 22nd, 2020

Platforms

gcp

Summary

When the compute API is enabled on a GCP Project, the default compute account is created. This account gets the primitive role Editor assigned by default, which allows for a wide variety of privilege excalation and resource abuse in the project. Especially, all new VMs created inherit this permissions by default. This issue is arguably a technical decision by GCP, but the documents advise customers to undo this.

Affected Services

N/A

Remediation

Remove these permissions, it can be done via an organization policy

Tracked CVEs

No tracked CVEs

References

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts

Contributed by https://github.com/louisdurufle

Entry Status

Finalized

Disclosure Date

-

Exploitability Period

Since the creation of GCP

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Louis Duruflé-Seta

More vulnerabilities...

medium

SSRF in Google Cloud Monitoring

gcp

An SSRF bug in Google Cloud Monitoring's uptime check feature could have been used to leak the authentication token of the service account used for these checks. The issue was resolved but later by...

David Nechuta
low

Route table modification to imitate metadata service

aws

An attacker with sufficient privileges in AWS to modify the route table and some other EC2 privileges, could pretend to be a metadata server and provide an attacker controlled bootup script to EC2s...

Ryan Gerstenkorn
low

Enumeration of Privileges Without Being Logged to CloudTrail

aws

An attacker who gained access to IAM credentials could enumerate a subset of the privileges they had access to without logging to CloudTrail. This would allow them to perform the typically noisy pe...

Nick Frichette
View all