high

IAM privilege escalation in multiple GCP services

Published Sun, Nov 22nd, 2020

Platforms

Summary

Composer, Dataflow, Dataproc, Dataprep and Data Fusion all used the Compute Engine default service account by default and relied on product-level IAM permissions without requiring the iam.serviceAccount.actAs permission, meaning that users of these services could elevate their privileges. Following disclosure, GCP changed these services to require this permission.

Affected Services

Composer, Dataflow, Dataproc, Dataprep, Data Fusion

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://security.love/blog/gcp/2020/11/22/lateral-movement-and-privesc-in-GCP.html

Contributed by https://github.com/0xdabbad00

Disclosure Date

Mon, Jun 3rd, 2019

Exploitablity Period

Ongoing, partially fixed on June 2020

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Allison Donovan, Dylan Ayrey

More vulnerabilities...

medium

GCP Default compute account is project Editor

When the compute API is enabled on a GCP Project, the default compute account is created. This account gets the primitive role Editor assigned by default, which allows for a wide variety of privile...

Anonymous discoverer

Sun, Nov 22nd, 2020

medium

SSRF in Google Cloud Monitoring

An SSRF bug in Google Cloud Monitoring's uptime check feature could have been used to leak the authentication token of the service account used for these checks. The issue was resolved but later by...

David Nechuta

Thu, Nov 12th, 2020

low

Route table modification to imitate metadata service

An attacker with sufficient privileges in AWS to modify the route table and some other EC2 privileges, could pretend to be a metadata server and provide an attacker controlled bootup script to EC2s...

Ryan Gerstenkorn

Mon, Oct 19th, 2020

View all