Google Working on Patching GCP Vulnerability That Allows VM Takeover

A security researcher has disclosed the details of a vulnerability that can be exploited to take over virtual machines (VMs) on Google Cloud Platform.

The researcher, Imre Rad, detailed his findings in a post made public last week on GitHub. The issue was reported to Google in late September 2020 and it was confirmed by the tech giant. Rad decided to disclose the vulnerability due to Google’s failure to fix the issue and provide information on its progress.

Rad described it as an unpatched vulnerability, but Google says it has taken steps to block the more dangerous exploitation scenarios. Google also has no objection to researchers disclosing vulnerabilities after 90 days if the company has not been able to patch them in that time.

According to the researcher, the issue affects Google Compute Engine — which enables users to create and run VMs on Google’s infrastructure — and it’s related to the Internet Systems Consortium’s (ISC) DHCP software.

Rad said that while ISC could make some improvements to its product, the vulnerability actually exists due to how the DHCP software is used by Google. The security hole exists due to “weak random numbers used by the ISC DHCP software and an unfortunate combination of additional factors.”

The vulnerability can be exploited by an attacker to gain full root access to the targeted VM by sending specially crafted DHCP packets.

“By taking over a VM I meant getting full root access to the VM and thus accessing all the contents/services/functionality hosted there. E.g. data stored locally on the VM (intellectual property, databases with PII content and similar). Also, by getting into a VM an attacker would also get access to all Google services (e.g. Cloud SQL or similar) the ‘service account’ that is assigned to the VM has permissions to,” the researcher explained.

He has described three possible attack scenarios. The ones most likely to be exploited by malicious actors require the attacker to already be on the same subnetwork, i.e. to control one of several VMs in the same project, but attacks from the internet were also possible in certain cases.

“[The attacks requiring access to the same subnet] are relatively easy to launch, so I see chances of real world exploitation,” Rad told SecurityWeek. “Doing the whole attack completely from the outside is trickier; in my tests successful exploitation required flooding the target with a really huge amount of DHCP packets, so I don't think this technique would be used to mass-infect thousands of hosts. Targeted attacks sound more likely.”
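The mechanism the article describes, a DHCP client that binds a server reply to its outstanding request only through the transaction ID (xid), so that a guessable xid lets an attacker on the same broadcast domain win the reply race by flooding forged DHCPOFFERs, is illustrated by the following added example. It is not Rad's proof of concept and not ISC's or Google's code: the packet layout follows RFC 2131, but the "weak" xid generator is a hypothetical 12-bit source chosen only to make the effect visible, and the addresses are constructed sample values.

```python
"""Added illustration of the DHCP xid race. The 'weak' generator is a
hypothetical low-entropy source, NOT ISC dhclient's real algorithm."""
import os
import random
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2131 magic cookie before options
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
WEAK_BITS = 12                         # assumption: tiny xid space for the demo


def build_dhcp(op, xid, yiaddr, msg_type, server_id):
    """Build a minimal BOOTP/DHCP packet with only the fields used here."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
        b"\0" * 16, b"\0" * 64, b"\0" * 128,
    )
    options = bytes([53, 1, msg_type]) + bytes([54, 4]) + server_id + b"\xff"
    return fixed + DHCP_MAGIC + options


def parse_dhcp(data):
    """Return (op, xid, yiaddr, options) or raise ValueError."""
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op = data[0]
    xid = struct.unpack("!I", data[4:8])[0]
    yiaddr = data[16:20]
    opts, i = {}, 240
    while i < len(data) and data[i] != 0xFF:
        if data[i] == 0:               # pad option
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return op, xid, yiaddr, opts


class Client:
    """Fragment of a DHCP client: one outstanding DISCOVER at a time."""

    def __init__(self, xid_source):
        self.xid_source = xid_source
        self.pending_xid = None

    def discover(self):
        self.pending_xid = self.xid_source()
        return build_dhcp(BOOTREQUEST, self.pending_xid, b"\0" * 4,
                          DHCPDISCOVER, b"\0" * 4)

    def accept_offer(self, data):
        """The xid match is the client's only binding of OFFER to DISCOVER;
        a forged OFFER with the right xid is indistinguishable from a real one."""
        op, xid, _, opts = parse_dhcp(data)
        return (op == BOOTREPLY and xid == self.pending_xid
                and opts.get(53) == bytes([DHCPOFFER]))


def weak_xid():
    """Hypothetical generator: only 2**WEAK_BITS distinct values."""
    return random.getrandbits(WEAK_BITS)


def strong_xid():
    """Full 32-bit xid from the OS CSPRNG."""
    return int.from_bytes(os.urandom(4), "big")


def flood_until_accepted(client, xid_space, attacker_ip=b"\x0a\x00\x00\x66"):
    """On-link attacker sprays one forged OFFER per candidate xid, naming
    itself as server (option 54). Returns packets sent until the client
    accepted one, or None if the whole candidate space was exhausted."""
    sent = 0
    for xid in xid_space:
        pkt = build_dhcp(BOOTREPLY, xid, b"\x0a\x00\x00\x07", DHCPOFFER, attacker_ip)
        sent += 1
        if client.accept_offer(pkt):
            return sent
    return None


def demo():
    """Same flood budget (2**WEAK_BITS packets) against both generators."""
    weak = Client(weak_xid)
    weak.discover()
    n_weak = flood_until_accepted(weak, range(2 ** WEAK_BITS))
    strong = Client(strong_xid)
    strong.discover()
    n_strong = flood_until_accepted(strong, range(2 ** WEAK_BITS))
    return n_weak, n_strong


if __name__ == "__main__":
    print(demo())
```

With a 12-bit xid the forged OFFER is accepted within 4096 packets; with a 32-bit xid the same budget almost never succeeds, which is the "really huge amount of DHCP packets" Rad refers to. Note that the client here, like a real one, never checks who sent the reply; that is why Google's mitigation below works at the network layer, by keeping untrusted senders from reaching UDP port 68 at all.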

The researcher said in his disclosure that the vulnerability had not been patched as of June 25. However, according to Google, while a complete patch is still in progress, the company has deployed a mitigation to prevent exploitation of the flaw from the internet and external VMs on Google Compute Engine.

For organizations whose projects carry untrusted internal traffic, Google recommends ensuring that inbound traffic to UDP port 68 is blocked by a firewall. Port 68 is the port on which a DHCP client listens for server replies, so blocking it from untrusted sources keeps forged replies from reaching the client in the first place.

The researcher has tested the attack against other cloud providers as well, but they do not appear to be affected.

Related: Google Patches Privilege Escalation Vulnerability in Cloud Service

Related: Google Offering Higher Bonuses for Cloud Platform Vulnerabilities

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.