Privilege escalation in GCP OS Login

Published Wed, Mar 17th, 2021


GCP provides an OS Login service for managing SSH access to compute instances using IAM roles. An attacker could abuse this feature via LXD, Docker (if available on the target system) and DHCP poisoning of the metadata server to escalate their privileges on a Google Compute Engine VM.

Affected Services

OS Login

Tracked CVEs

CVE-2020-8933, CVE-2020-8907, CVE-2020-8903


Disclosure Date
Thu, Jun 4th, 2020
Exploitablity Period
until June 2020
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Chris Moberly