Google Cloud apparently has a security issue even firewalls can't stop

(Image credit: Google)

A misconfiguration in Google Cloud Platform has been found which could give threat actors full control over a target virtual machine (VM) endpoint, researchers have said.

In a blog post published by cloud incident response experts Mitiga, the company noted that by (ab)using legitimate system features, potential attackers could read and write data from VMs which could, in theory, result in a complete system takeover.

Mitiga, however, stresses that this is not a vulnerability, or system error - it’s described as a “dangerous functionality”.

No exploitable flaw

Mitiga notes that threat actors could use an exposed metadata API, named “getSerialPortOutput”, which usually tracks and reads locks on serial ports.

The researchers described the API call as a “legacy method of debugging systems”, as serial ports are not ports in the TCP/UP sense, but rather files of the form /dev/ttySX, given that this is Linux.

"We at Mitiga believe that this misconfiguration is likely common enough to warrant concern; however, with proper access control to the GCP environment there is no exploitable flaw," the report reads.

After disclosing the findings to Google, the company agreed the misconfiguration could be used to bypass firewall settings. Mitiga suggested Google change two things in the getSerialPortOutput function - restrict its use only to accounts with high permissions, and allow firms to disable any addition or alteration of Compute VM metadata at runtime.

> Google Cloud is about to get a whole lot more expensive

> New Google Cloud service gives media firms access to YouTube infrastructure

> Google Cloud is still losing buckets of money

Furthermore, the company recommended Google revise its GCP documentation, to further clarify that firewalls and other network access controls don’t fully restrict access to VMs.

Google only partially agreed: "After a long exchange, Google did ultimately concur that certain portions of their documentation could be made clearer and agreed to make changes to documentation that indicated the control plane can access VMs regardless of firewall settings. Google did not acknowledge the other recommendations nor speak to specifics regarding whether a GCP user could evade charges by using the getSerialPortOutput method," the report states.

If you're looking for best cloud hosting service providers, we have you covered

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.