Google Working on Patching GCP Vulnerability That Allows VM Takeover

A security researcher has disclosed the details of a vulnerability that can be exploited to take over virtual machines (VMs) on Google Cloud Platform.

The researcher, Imre Rad, detailed his findings in a post made public last week on GitHub. The issue was reported to Google in late September 2020 and it was confirmed by the tech giant. Rad decided to disclose the vulnerability due to Google’s failure to fix the issue and provide information on its progress.

Rad described it as an unpatched vulnerability, but Google says it has taken some steps to prevent the more dangerous exploitation scenarios. In addition, Google does not have a problem with researchers disclosing vulnerabilities after 90 days if the company hasn’t been able to patch them.

According to the researcher, the issue affects Google Compute Engine — which enables users to create and run VMs on Google’s infrastructure — and it’s related to the Internet Systems Consortium’s (ISC) DHCP software.

Rad said that while ISC could make some improvements to its product, the vulnerability actually exists due to how the DHCP software is used by Google. The security hole exists due to “weak random numbers used by the ISC DHCP software and an unfortunate combination of additional factors.”

The vulnerability can be exploited by an attacker to gain full root access to the targeted VM by sending specially crafted DHCP packets.

“By taking over a VM I meant getting full root access to the VM and thus accessing all the contents/services/functionality hosted there. E.g. data stored locally on the VM (intellectual property, databases with PII content and similar). Also, by getting into a VM an attacker would also get access to all Google services (e.g. Cloud SQL or similar) the ‘service account’ that is assigned to the VM has permissions to,” the researcher explained.

He has described three different possible attack scenarios and the ones that are more likely to actually be exploited by malicious actors require the attacker to be on the same subnetwork — i.e. have access to one of multiple VMs in the same project — but attacks from the internet were also possible in certain cases.

“[The attacks requiring access to the same subnet] are relatively easy to launch, so I see chances of real world exploitation,” Rad told SecurityWeek. “Doing the whole attack completely from the outside is trickier; in my tests successful exploitation required to flood the target with a really huge amount of DHCP packets, so I don’t think this technique would be used to mass-infect thousands of hosts. Targeted attacks sound more likely.”

The researcher said in his disclosure that the vulnerability had not been patched as of June 25. However, according to Google, while a complete patch is still in progress, the company has deployed a mitigation to prevent exploitation of the flaw from the internet and external VMs on Google Compute Engine.

For organizations whose projects include untrusted internal traffic, Google recommends ensuring that the incoming UDP port 68 is blocked by a firewall to prevent malicious activity.
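One way to check a project against that recommendation, as an added example that is not part of the original article or of Google's guidance: the script below reads firewall rules in the field layout produced by `gcloud compute firewall-rules list --format=json` and reports enabled ingress allow rules that still admit UDP port 68. The sample rules are constructed, and the shadowing check is a simplification that assumes only VPC firewall rules (no hierarchical policies) are in play.

```python
import ipaddress

def covers_udp68(entries):
    """True if any allowed/denied entry matches UDP destination port 68."""
    for e in entries or []:
        if e.get("IPProtocol", "").lower() not in ("udp", "17", "all"):
            continue
        ports = e.get("ports")
        if not ports:  # no port list means every port
            return True
        for p in ports:
            lo, _, hi = p.partition("-")
            if int(lo) <= 68 <= int(hi or lo):
                return True
    return False

def shadowed(allow, denies):
    """True if a network-wide deny at the same or a lower priority number
    (deny wins ties) covers every source range of the allow rule."""
    srcs = [ipaddress.ip_network(r) for r in allow.get("sourceRanges") or ["0.0.0.0/0"]]
    for d in denies:
        if (d.get("network") != allow.get("network") or d["priority"] > allow["priority"]
                or d.get("targetTags") or d.get("targetServiceAccounts")):
            continue  # other network, evaluated later, or only applies to some VMs
        nets = [ipaddress.ip_network(r) for r in d.get("sourceRanges", [])]
        if all(any(s.version == n.version and s.subnet_of(n) for n in nets) for s in srcs):
            return True
    return False

def exposed_rules(rules):
    """Names of enabled ingress allow rules that still admit UDP/68."""
    live = [r for r in rules if r.get("direction", "INGRESS") == "INGRESS" and not r.get("disabled")]
    denies = [r for r in live if covers_udp68(r.get("denied"))]
    return [r["name"] for r in live
            if covers_udp68(r.get("allowed")) and not shadowed(r, denies)]

# Constructed sample rules, not taken from any real project.
SAMPLE = [
    {"name": "default-allow-internal", "network": "default", "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
    {"name": "default-allow-ssh", "network": "default", "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "prod-allow-internal", "network": "prod", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "prod-deny-dhcp-client", "network": "prod", "direction": "INGRESS",
     "priority": 900, "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "udp", "ports": ["68"]}]},
]

if __name__ == "__main__":
    print(exposed_rules(SAMPLE))
```

In the sample, the broad internal allow rule on the `default` network is reported, while the equivalent rule on `prod` is not because a higher-priority deny for UDP 68 sits in front of it.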

The researcher has tested the attack against other cloud providers as well, but they do not appear to be affected.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
