Google Cloud Security Issue Even Firewalls Can’t Stop:
In a blog post published by cloud incident response experts Mitiga, the company noted that by (ab)using legitimate system features, potential attackers could read and write data from VMs which could, in theory, result in a complete system takeover.
Mitiga, however, stresses that this is not a vulnerability, or system error – it’s described as a “dangerous functionality”.
No exploitable flaw
Mitiga notes that threat actors could use an exposed metadata API, named “getSerialPortOutput”, which usually tracks and reads locks on serial ports.
The researchers described the API call as a “legacy method of debugging systems”, as serial ports are not ports in the TCP/UP sense, but rather files of the form /dev/ttySX, given that this is Linux.
“We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw,” the report reads.
After disclosing the findings to Google, the company agreed that misconfiguration could be used to bypass firewall settings. Mitiga suggested Google change two things in the getSerialPortOutput function – restrict its use only to accounts with high permissions, and allow firms to disable any addition or alteration of Compute VM metadata at runtime.
Furthermore, the company recommended Google revise its GCP documentation, to further clarify that firewalls and other network access controls don’t fully restrict access to VMs.
Google only partially agreed: “After a long exchange, Google did ultimately concur that certain portions of their documentation could be made clearer and agreed to make changes to documentation that indicated the control plane can access VMs regardless of firewall settings. Google did not acknowledge the other recommendations nor speak to specifics regarding whether a GCP user could evade charges by using the getSerialPortOutput method,” the report states.