A misconfiguration in Google Cloud Platform has been found which could give threat actors full control over a target virtual machine (VM) endpoint, researchers have said.
In a blog post published by cloud incident response experts Mitiga, the company noted that by (ab)using legitimate system features, potential attackers could read and write data from VMs which could, in theory, result in a complete system takeover.
Mitiga, however, stresses that this is not a vulnerability, or system error – it’s described as a “dangerous functionality”.
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
No exploitable flaw
Mitiga notes that threat actors could use an exposed metadata API, named “getSerialPortOutput”, which usually tracks and reads locks on serial ports.
The researchers described the API call as a “legacy method of debugging systems”, as serial ports are not ports in the TCP/UP sense, but rather files of the form /dev/ttySX, given that this is Linux.
“We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw,” the report reads.
After disclosing the findings to Google, the company agreed the misconfiguration could be used to bypass firewall settings. Mitiga suggested Google change two things in the getSerialPortOutput function – restrict its use only to accounts with high permissions, and allow firms to disable any addition or alteration of Compute VM metadata at runtime.
Furthermore, the company recommended Google revise its GCP documentation, to further clarify that firewalls and other network access controls don’t fully restrict access to VMs.
Google only partially agreed: “After a long exchange, Google did ultimately concur that certain portions of their documentation could be made clearer and agreed to make changes to documentation that indicated the control plane can access VMs regardless of firewall settings. Google did not acknowledge the other recommendations nor speak to specifics regarding whether a GCP user could evade charges by using the getSerialPortOutput method,” the report states.
Go to Source