Severity
high

IAM privilege escalation in multiple GCP services

Published Sun, Nov 22nd, 2020
Platforms

Summary

Composer, Dataflow, Dataproc, Dataprep and Data Fusion all used the Compute Engine default service account by default and relied on product-level IAM permissions without requiring the iam.serviceAccounts.actAs permission on that service account. A user holding only the product-level permissions could therefore act as the default service account and elevate their privileges. Following disclosure, GCP changed these services to require this permission.

Affected Services

Composer, Dataflow, Dataproc, Dataprep, Data Fusion

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Mon, Jun 3rd, 2019
Exploitability Period
Ongoing; partially fixed in June 2020
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Allison Donovan, Dylan Ayrey