A bug puts Google Cloud at risk
East group of security researchers, which has posted all the technical details on GitHub, has indicated that this is a vulnerability that allows spoofing. An attacker could take over a virtual machine on the Google Cloud platform over the network. This can occur due to weak random numbers that are used by the ISC software on the DHCP client.
What it basically does is supplant the metadata server on the target virtual machine. This is how the attacker could get administrator permissions and have access through SSH.
For this to happen, security researchers show, it consists of three components. One of them is the current unique time when the process starts, another is the dhclient process control algorithm, and the third is the sum of the last four bytes of the MAC addresses of the network cards.
They indicate that one of these three components is public, since the last digits of the MAC address correspond to the last digits of the internal IP address. In addition, the dhclient process control algorithm it is predictable, since the Linux kernel maps it in a linear fashion. They also didn’t find too much trouble predicting the single time to start the process.
The attacker would have to create different DHCP packets and use a set of precalculated XIDs. In this way it manages to flood the victim’s dhclient. In case that XID is correct, the virtual machine would apply the network settings. It could reconfigure the victim’s network stack.
In what scenarios could the virtual machine attack
Also, this group of security researchers have indicated in which scenarios it would be possible for an attacker to actually target a virtual machine. They have shown three possible scenarios with which they could get full access.
One such scenario is when you point to the virtual machine in the same subnet while rebooting. For this, the attacker would need the presence of another host.
Another possibility is that it points to a virtual machine on the same subnet, while the concession is updated, something that would not require a reboot. This happens every half hour.
The third possibility is to attack the virtual machine over the Internet. This would require that the firewall of the victim was fully open. It would be an unlikely scenario, as they indicate. Also, you would need to guess the internal IP address of the victim.
This group of security researchers have created a proof of concept that we can see on GitHub. Beyond solving errors when uploading files to Drive or any cloud service, we must also be aware of the importance of installing all the patches that are available. In this way we can avoid failures of this type.
