high

IAM privilege escalation in multiple GCP services

Published Sun, Nov 22nd, 2020

Platforms

gcp

Summary

Composer, Dataflow, Dataproc, Dataprep and Data Fusion all used the Compute Engine default service account by default and relied on product-level IAM permissions without requiring the iam.serviceAccount.actAs permission, meaning that users of these services could elevate their privileges. Following disclosure, GCP changed these services to require this permission.

Affected Services

Composer, Dataflow, Dataproc, Dataprep, Data Fusion

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://security.love/blog/gcp/2020/11/22/lateral-movement-and-privesc-in-GCP.html

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Mon, Jun 3rd, 2019

Exploitability Period

Ongoing, partially fixed on June 2020

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Allison Donovan, Dylan Ayrey

More vulnerabilities...

medium

GCP Default compute account is project Editor

gcp

When the compute API is enabled on a GCP Project, the default compute account is created. This account gets the primitive role Editor assigned by default, which allows for a wide variety of privile...

Louis Duruflé-Seta
medium

SSRF in Google Cloud Monitoring

gcp

An SSRF bug in Google Cloud Monitoring's uptime check feature could have been used to leak the authentication token of the service account used for these checks. The issue was resolved but later by...

David Nechuta
low

Route table modification to imitate metadata service

aws

An attacker with sufficient privileges in AWS to modify the route table and some other EC2 privileges, could pretend to be a metadata server and provide an attacker controlled bootup script to EC2s...

Ryan Gerstenkorn
View all