medium

Privilege escalation in GCP OS Login

Published Wed, Mar 17th, 2021

Platforms

Summary

GCP provides an OS Login service for managing SSH access to compute instances using IAM roles. An attacker could abuse this feature via LXD, Docker (if available on the target system) and DHCP poisoning of the metadata server to escalate their privileges on a Google Compute Engine VM.

Affected Services

OS Login

Tracked CVEs

CVE-2020-8933, CVE-2020-8907, CVE-2020-8903

References

https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020 https://initblog.com/2020/oslogin-privesc/

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Thu, Jun 4th, 2020

Exploitability Period

until June 2020

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Chris Moberly

More vulnerabilities...

medium

AWS CloudShell terminal escape

If attacker controlled data is viewed in Cloudshell it could have led to code execution. This exact same issue existed in Azure previously.

Felix Wilhelm, GoogleMar 10, 2021

medium

Azure Linux VM extension credential leak

A vulnerability in the Azure Linux VM extension mechanism allowed an unprivileged user to leak any Azure VM extension’s private data. An attacker could have abused this to gain credentials for the ...

Paul Litvak (Intezer), Wout...Mar 9, 2021

high

Azure Cloud Shell and Container Instances breakout

An attacker could gain root privileges on their Azure Cloud Shell container, escape from the container, and then gain root privileges on the underlying node, the root cause being an insecure kubele...

Chen Cohen, eBayFeb 15, 2021

View all