medium

GCP Default compute account is project Editor

Published Sun, Nov 22nd, 2020

Platforms

Summary

When the compute API is enabled on a GCP Project, the default compute account is created. This account gets the primitive role Editor assigned by default, which allows for a wide variety of privilege excalation and resource abuse in the project. Especially, all new VMs created inherit this permissions by default. This issue is arguably a technical decision by GCP, but the documents advise customers to undo this.

Affected Services

N/A

Remediation

Remove these permissions, it can be done via an organization policy

Tracked CVEs

No tracked CVEs

References

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants

Contributed by https://github.com/louisdurufle

Entry Status

Finalized

Disclosure Date

Exploitablity Period

Since the creation of GCP

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Louis Duruflé-Seta

More vulnerabilities...

medium

SSRF in Google Cloud Monitoring

An SSRF bug in Google Cloud Monitoring's uptime check feature could have been used to leak the authentication token of the service account used for these checks. The issue was resolved but later by...

David Nechuta

Thu, Nov 12th, 2020

low

Route table modification to imitate metadata service

An attacker with sufficient privileges in AWS to modify the route table and some other EC2 privileges, could pretend to be a metadata server and provide an attacker controlled bootup script to EC2s...

Ryan Gerstenkorn

Mon, Oct 19th, 2020

low

Enumeration of Privileges Without Being Logged to CloudTrail

An attacker who gained access to IAM credentials could enumerate a subset of the privileges they had access to without logging to CloudTrail. This would allow them to perform the typically noisy pe...

Nick Frichette

Sat, Oct 17th, 2020

View all