Skip to main content

Google Cloud VMs vulnerable to hijack

Cloud Security
(Image credit: laymanzoom / Shutterstock)

Cybersecurity researcher Imre Rad has disclosed a potential vulnerability that can be exploited to get root access to virtual machines (VM) running on Google Cloud

Specifically, the attack exploits a weakness in Google Compute Engine (GCE), which is Google Cloud’s Infrastructure-as-a-Service (IaaS) product.

Rad explains that attackers can take over GCE VMs by taking advantage of a weakness in the random number generator of the ISC DHCP server they use by default, together with “an unfortunate combination of additional factors".

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

“[The hijacking] is done by impersonating the metadata server from the targeted virtual machine's point of view. By mounting this exploit, the attacker can grant access to themselves over SSH (public key authentication) so then they can login as the root user,” writes Rad.

Probable, but impractical?

In his writeup, Rad explains that the attack consists of two phases. The first involves overloading a victim's VM with DHCP traffic in order to get it to use a malicious attacker-controlled metadata server instead of an official Google one. 

Once the victim’s VM is listening to the rogue metadata server for configuration information, the attacker can send across their SSH public key and gain root access to the VM.

Rad says his technique is inspired by an attack vector shared last by Chris Moberly, another security researcher.

Parsing Rad’s information, The Register is of the opinion that the attack is impractical, despite the fact that Rad reproduces three proof of concepts that successfully exploit the vulnerability.

Rad says he reported the vulnerability to Google in September 2020, but hasn’t heard back since. He suspects that, since Google hasn’t closed his bug report, there could be “some technical complexity” that prevents them from deploying a network-level remediation.

Google did not respond immediately to our request for clarification.

Update:

On background, Google told TechRadar Pro it has taken steps to prevent the exploitation of the vulnerability through either the internet or external VM IP traffic, although a complete mitigation has not yet been deployed.

According to Google, customers with untrusted internal traffic would be wise to ensure the incoming UDP port 68 is blocked by firewalls to head off malicious activity.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.