Misconfiguration leaves ‘firewalled’ Google Cloud exposed - report
A combination of legitimate cloud functionality could let adversaries remotely command a virtual machine that its firewall otherwise seals off from outside intruders.
A likely common misconfiguration of Google Cloud environments could leave them exposed to capable adversaries, researchers at Mitiga, a cloud incident response company, claim.
“We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw,” Andrew Johnston, Principal Consultant at Mitiga, writes.
The researchers focused on a Compute Engine application programming interface (API) method, getSerialPortOutput, that lets users retrieve the output written to a VM's serial ports. On Linux, serial ports appear to the guest as device files (for example /dev/ttyS0), so a process on the VM can write to one without any network access.
“This API represented an interesting opportunity: the cloud control plane would allow us to read data from these serial ports, but from the VM’s perspective, writing to a serial port was a local action in that it did not require connectivity to a foreign system,” Johnston claims.
According to the report, the researchers created a firewall-protected virtual machine (VM) in Google Cloud Platform (GCP) and were able to read data written to its serial ports via the cloud control plane.
The cloud control plane is the management layer of the platform: the APIs through which VMs and other resources are created, configured and inspected. It is separate from the VM's own network path, so a serial-output read through it is not governed by the VPC firewall rules that apply to the VM's network interface.
Interestingly, the communication between the VM and the control plane is not fully visible to an administrator, because the traffic is classified as 'GOOGLE_INTERNAL'.
“By itself, this API represents not much more than a stealthy method of exfiltration. While interesting, it would be much more powerful if we could identify a companion API method that would enable an adversary to send data to the machine,” Johnston wrote.
One such companion method is Google Cloud's ability to let users with the appropriate permission (compute.instances.setMetadata) modify an instance's metadata while it is running; the VM can then read that metadata locally from the metadata server. Paired with getSerialPortOutput, this closes the loop: metadata carries commands in, serial output carries results out, which is all a command-and-control (C2) channel needs.
Using just these two API methods, the researchers wrote a script that let them control the VM remotely.
“Since any script included in user data is run as root, we further can leverage this method to ensure our malware has full administrative access to the system,” Johnston explained.
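The exchange described above, as an added example that is not code from the Mitiga report or from Google Cloud: the operator pushes a command by changing instance metadata and reads the result back from serial port output; the guest polls its metadata and writes output to a serial port, both of which are local actions no VPC firewall rule touches. Everything runs in memory, so no project, VM or credentials are involved. FakeControlPlane, COMMAND_KEY and RESULT_PREFIX are assumptions made for the illustration; the real call each method stands in for is named in its comment.

```python
"""Two-way channel built from GCE instance metadata and serial port output.

Added example, not code from the Mitiga report or from Google Cloud. It
simulates the mechanism the report describes; FakeControlPlane, COMMAND_KEY
and RESULT_PREFIX are assumptions made for the illustration.
"""
import shlex
import subprocess

COMMAND_KEY = "c2"            # assumed custom metadata key written by the operator
RESULT_PREFIX = "C2RESULT:"   # assumed marker the guest prefixes to each result line


class FakeControlPlane:
    """In-memory stand-in for the project control plane and the guest-facing
    metadata server, so the exchange runs offline with no project or VM."""

    def __init__(self):
        self.metadata = {}   # instance metadata items (key -> value)
        self.serial = ""     # everything the guest has written to the port

    # Operator side. Real call: compute.instances().setMetadata(...), which
    # needs the compute.instances.setMetadata permission.
    def set_metadata(self, key, value):
        self.metadata[key] = value

    # Operator side. Real call: compute.instances().getSerialPortOutput(...),
    # which returns output from a byte offset plus the next offset to use.
    def get_serial_port_output(self, start=0):
        chunk = self.serial[start:]
        return chunk, start + len(chunk)

    # Guest side. Real call: GET http://metadata.google.internal/computeMetadata
    # /v1/instance/attributes/<key> with header "Metadata-Flavor: Google".
    def guest_read_metadata(self, key):
        return self.metadata.get(key)

    # Guest side. Real action: a write to the serial device, e.g. /dev/ttyS0.
    def guest_write_serial(self, text):
        self.serial += text


def guest_poll(cp, state):
    """One poll by the in-guest agent the report has running as root from a
    startup script. Metadata holds "<seq>|<command>"; a higher seq than the
    last one handled means a new command. Returns True if one was executed."""
    raw = cp.guest_read_metadata(COMMAND_KEY)
    if raw is None:
        return False
    seq, _, cmd = raw.partition("|")
    if int(seq) <= state["last_seq"]:
        return False            # already handled this command
    state["last_seq"] = int(seq)
    # argv form, no shell: keeps the demo from growing into a real implant
    proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
    cp.guest_write_serial(RESULT_PREFIX + proc.stdout.rstrip("\n") + "\n")
    return True


def operator_session(cp, commands):
    """Operator loop: push each command, let the guest poll, then pull only
    the serial output written since the last read. Returns results in order."""
    state = {"last_seq": 0}
    cursor = 0
    results = []
    for seq, cmd in enumerate(commands, start=1):
        cp.set_metadata(COMMAND_KEY, f"{seq}|{cmd}")
        guest_poll(cp, state)   # in reality the guest polls on a timer
        chunk, cursor = cp.get_serial_port_output(cursor)
        for line in chunk.splitlines():
            if line.startswith(RESULT_PREFIX):
                results.append(line[len(RESULT_PREFIX):])
    return results


if __name__ == "__main__":
    plane = FakeControlPlane()
    print(operator_session(plane, ["echo hello", "echo world"]))
```

The point of the simulation is which side needs what: the guest needs nothing but the metadata server and a local device file, while the operator needs only two IAM permissions on the project, one of which (getSerialPortOutput) is the read-only one the report says viewer-level roles often carry.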
Exploiting this requires permissions on the target project, but the permission behind getSerialPortOutput (compute.instances.getSerialPortOutput) is often granted to low-privilege 'viewer' roles.
“This is concerning given that getSerialPortOutput enables exfiltration regardless of how firewalls are configured. An adversary could potentially use this method to stealthily exfiltrate from a system which the adversary gained access to via a traditional method,” reads the blog post.
Mitiga and Google agreed that the findings do not constitute a 'vulnerability' in the technical sense, but rather a potentially problematic permissions model within Google Cloud Platform.
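Since the issue is a permissions model rather than a bug, the practical response is to know who can call getSerialPortOutput and to notice when it is used in the command-in / result-out pattern. The following is an added example, not from the Mitiga report or from Google: detection logic over constructed audit log lines shaped like Compute Engine audit log entries (timestamp, protoPayload.methodName, authenticationInfo.principalEmail, resourceName). The methodName strings, principal names and project are assumptions, as is the premise that getSerialPortOutput calls are logged at all: it is a read-only method, so it only appears if Data Access audit logging is enabled for Compute Engine in the project.

```python
"""Spot a metadata-in / serial-port-out loop in Cloud Audit Logs.

Added example, not from the Mitiga report or from Google. The log lines are
constructed; methodName values, principals and the project are assumptions,
and getSerialPortOutput only appears in logs if Data Access audit logging
is enabled for Compute Engine.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SET_METADATA = "v1.compute.instances.setMetadata"          # assumed methodName
GET_SERIAL = "v1.compute.instances.getSerialPortOutput"    # assumed methodName


def entry(ts, who, method, instance):
    """Build one constructed audit log line in the shape Cloud Logging exports."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": who},
            "resourceName": f"projects/demo/zones/us-central1-a/instances/{instance}",
        },
    })


SAMPLE_LOG = [  # constructed sample, not real log data
    entry("2023-01-10T12:00:00Z", "contractor@example.com", SET_METADATA, "web-1"),
    entry("2023-01-10T12:00:20Z", "contractor@example.com", GET_SERIAL, "web-1"),
    entry("2023-01-10T12:00:40Z", "contractor@example.com", GET_SERIAL, "web-1"),
    entry("2023-01-10T12:01:00Z", "contractor@example.com", GET_SERIAL, "web-1"),
    entry("2023-01-10T12:05:00Z", "ops@example.com", GET_SERIAL, "db-1"),    # one-off console check
    entry("2023-01-10T13:00:00Z", "ops@example.com", SET_METADATA, "db-1"),  # routine change, no reads
]


def parse_entries(lines):
    """Parse exported log lines into sorted (time, principal, method, instance)."""
    rows = []
    for line in lines:
        e = json.loads(line)
        p = e["protoPayload"]
        rows.append((
            datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")),
            p["authenticationInfo"]["principalEmail"],
            p["methodName"],
            p["resourceName"].rsplit("/", 1)[-1],
        ))
    return sorted(rows)


def find_feedback_loops(entries, window=timedelta(minutes=10), min_reads=3):
    """A setMetadata on an instance followed by repeated getSerialPortOutput
    reads of the same instance by the same principal within `window` looks
    like the command-in / result-out loop rather than console debugging."""
    by_pair = defaultdict(list)
    for ts, who, method, inst in entries:
        by_pair[(who, inst)].append((ts, method))
    findings = []
    for (who, inst), events in by_pair.items():
        for i, (ts, method) in enumerate(events):
            if method != SET_METADATA:
                continue
            reads = sum(1 for t, m in events[i + 1:]
                        if m == GET_SERIAL and t - ts <= window)
            if reads >= min_reads:
                findings.append({"principal": who, "instance": inst,
                                 "set_at": ts.isoformat(), "reads": reads})
                break   # one finding per principal/instance pair
    return findings


def find_unexpected_readers(entries, allowed):
    """Every principal that read serial output and is not on the allow list;
    read-only roles often carry this permission without anyone noticing."""
    return sorted({who for _, who, m, _ in entries
                   if m == GET_SERIAL and who not in allowed})


if __name__ == "__main__":
    rows = parse_entries(SAMPLE_LOG)
    print(find_feedback_loops(rows))
    print(find_unexpected_readers(rows, allowed={"ops@example.com"}))
```

The preventive control is the one the report itself points at: keep compute.instances.getSerialPortOutput out of broadly granted roles (a custom role without it, rather than the predefined viewer roles) and treat any principal that holds both it and setMetadata on the same instances as having a remote command channel, whatever the firewall says.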
A somewhat similar abusable feature was found in Microsoft's Azure last November. According to researchers, when new employees join an organization they may be added to a 'group permission' within the Azure Active Directory tenant.
On its own, that is nothing to be concerned about and benefits the organization, since group permissions can be role-specific.
However, if threat actors took over an account with permission to change a specific group's owners or add group members, they could exploit the group permission feature to achieve on-prem domain compromise.
Several permissions could allow a threat actor to gain access to all OneDrive directories belonging to an organization. Overly generous access permissions could even let an attacker take hold of the victim's Office 365 services.