
We often run into vulnerabilities that can affect the proper functioning of the equipment and systems we use. This time it is a security flaw that puts Google Cloud virtual machines at risk. A group of cybersecurity researchers has found a problem that could be exploited to give an intruder unwanted access with root permissions.
A bug puts Google Cloud at risk
This group of security researchers, who have published all the technical details on GitHub, have indicated that it is a vulnerability that allows phishing. An attacker could take over a virtual machine on the Google Cloud platform over the network. This can occur because of the weak random numbers used by the ISC DHCP client software.
What the attack basically does is spoof the metadata server to the target virtual machine. This is how the attacker could get administrator permissions and gain access through SSH.
The security researchers show that this relies on three components. One of them is the current unique time when the process starts, another is the dhclient process control algorithm, and the third is the sum of the last four bytes of the MAC addresses of the network cards.
They indicate that one of these three components is public, since the last digits of the MAC address correspond to the last digits of the internal IP address. The dhclient process control algorithm is also predictable, as the Linux kernel maps it in a linear fashion. They did not have much trouble predicting the single time at which the process starts, either.
The attacker would have to create many different DHCP packets using a set of precalculated XIDs and flood the victim's dhclient with them. If one of those XIDs is correct, the virtual machine applies the network settings it carries, which lets the attacker reconfigure the victim's network stack.
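A detection sketch for the flood described above, added here as an example and not taken from the researchers' write-up: it parses the fixed BOOTP header of captured DHCP replies and flags any client that receives replies carrying many different XIDs within a short window, since a legitimate server echoes the one XID the client chose. The addresses, window and threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

# Fixed BOOTP fields up to chaddr: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (44 bytes).
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
BOOTREPLY = 2

def parse_bootp(payload):
    """Return (op, xid, client_mac) from a DHCP UDP payload, or None if truncated."""
    if len(payload) < BOOTP_HDR.size:
        return None
    op, _htype, hlen, _hops, xid, *_rest, chaddr = BOOTP_HDR.unpack_from(payload)
    mac = ":".join(f"{b:02x}" for b in chaddr[:min(hlen, 16)])
    return op, xid, mac

def detect_xid_guessing(records, window=5.0, max_xids=3):
    """records: (timestamp, src_ip, payload) tuples sorted by timestamp.
    Returns {client_mac: [source IPs]} for clients that received replies with
    more than max_xids distinct XIDs inside `window` seconds."""
    recent = defaultdict(list)            # mac -> [(ts, xid, src_ip)]
    alerts = defaultdict(set)
    for ts, src, payload in records:
        parsed = parse_bootp(payload)
        if parsed is None or parsed[0] != BOOTREPLY:
            continue                      # skip truncated packets and client requests
        _op, xid, mac = parsed
        hits = [h for h in recent[mac] if ts - h[0] <= window] + [(ts, xid, src)]
        recent[mac] = hits
        if len({h[1] for h in hits}) > max_xids:
            alerts[mac].update(h[2] for h in hits)
    return {mac: sorted(srcs) for mac, srcs in alerts.items()}

def _reply(xid, mac_hex):
    """Build a constructed BOOTREPLY header for the sample data below."""
    zero = b"\x00" * 4
    mac = bytes.fromhex(mac_hex).ljust(16, b"\x00")
    return BOOTP_HDR.pack(BOOTREPLY, 1, 6, 0, xid, 0, 0, zero, zero, zero, zero, mac)

# Constructed sample: two normal replies, then 20 replies with different XIDs
# sent to one client within 0.2 s from a host that is not the DHCP server.
SAMPLE = [(0.0, "10.128.0.1", _reply(0x1111, "42010a800002")),
          (50.0, "10.128.0.1", _reply(0x2222, "42010a800003"))]
SAMPLE += [(100.0 + i * 0.01, "10.128.0.9", _reply(0x5000 + i, "42010a800002"))
           for i in range(20)]

if __name__ == "__main__":
    print(detect_xid_guessing(SAMPLE))
```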

In what scenarios could the virtual machine be attacked
The researchers have also indicated in which scenarios an attacker could actually target a virtual machine. They have shown three possible scenarios that could lead to full access.
One such scenario is targeting a virtual machine on the same subnet while it is rebooting. For this, the attacker would need the presence of another host.
Another possibility is targeting a virtual machine on the same subnet while the lease is being updated, something that would not require a reboot. This happens every half hour.
The third possibility is to attack the virtual machine over the Internet. This would require the victim's firewall to be completely open, which the researchers consider an unlikely scenario. The attacker would also need to guess the internal IP address of the victim.
This group of security researchers has created a proof of concept that we can see on GitHub. Beyond solving errors when uploading files to Drive or any cloud service, we must also be aware of the importance of installing all the patches that are available. In this way we can avoid failures of this type.