low

GCP HMAC Keys do not log creation, deletion or usage

Published Mon, Jun 17th, 2024

Platforms

Summary

Cloud Audit Logs do not capture actions mediated through the cloud console private API service (cloudconsole-pa). Consequently, there is no logging of HMAC key creation or deletion linked to user accounts. This absence of logs hampers defenders' ability to alert or monitor the creation of HMAC keys for user accounts, posing a persistence risk, or their deletion, presenting a denial of service risk.

Affected Services

Google Cloud Storage XML API, Cloud Console Private API Service

Remediation

None possible

Tracked CVEs

No tracked CVEs

References

https://www.vectra.ai/blog/working-as-intended-the-unauditable-unmanageable-keys-in-google-cloud

Contributed by https://github.com/KatTraxler

Entry Status

Finalized

Disclosure Date

Wed, Feb 7th, 2024

Exploitability Period

Ongoing

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Kat Traxler, Vectra AI

More vulnerabilities...

Azure Machine Learning SSRF

Tenable, WizJun 17, 2024

high

GitHub Copilot Chat Vulnerable to Data Exfiltration

GitHub Copilot Chat VS Code Extension was vulnerable to data exfiltration via prompt injection when analyzing untrusted source code. The vulnerability allowed attackers to access previous conversat...

wunderwuzzi, Embrace The RedJun 14, 2024

medium

Issue with Amazon EC2 VM Import Export Service

AWS addressed an issue with the Amazon EC2 VM Import Export Service where importing Windows VMs with custom Sysprep answer files resulted in an unprotected backup copy being created, potentially ex...

Immersive LabsJun 11, 2024

View all