A misconfiguration in Google Cloud Platform has been discovered that could give threat actors full control over a target virtual machine (VM) endpoint, researchers have said.
In a blog post published by cloud incident response experts Mitiga, the company noted that by (ab)using legitimate system functionality, potential attackers could read and write data from virtual machines, which could , in theory, result in a complete system takeover.
Mitiga, however, emphasizes that this is not a vulnerability or a system error – it’s described as a “dangerous feature”.
No exploitable flaws
Mitiga notes that threat actors could use an exposed metadata API, named “getSerialPortOutput”, which typically tracks and reads locks on serial ports.
The researchers described the API call as a “legacy method of debugging systems” because serial ports are not ports in the TCP/UP sense, but rather files of the form /dev/ttySX, since this is Linux.
“At Mitiga, we believe this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment, there is no exploitable flaw,” the report states.
After disclosing the results to Google, the company agreed that the misconfiguration could be used to circumvent firewall settings. Mitiga suggested that Google change two things in the getSerialPortOutput function: restrict its use only to accounts with elevated permissions, and allow enterprises to disable any additions or changes to Compute VM metadata at runtime.
Additionally, the company recommended that Google revise its GCP documentation, to further clarify that firewalls and other network access controls do not completely restrict access to virtual machines.
Google only partially agrees: “After a long discussion, Google finally agreed that some parts of their documentation could be clarified and agreed to make changes to the documentation indicating that the control plane can access machines virtual, regardless of firewall settings. Google did not acknowledge the other recommendations or discuss details regarding a GCP user’s ability to evade charges using the getSerialPortOutput method,” the report said.