low

GCP HMAC Keys do not log creation, deletion or usage

Published Mon, Jun 17th, 2024

Platforms

Summary

Cloud Audit Logs do not capture actions mediated through the cloud console private API service (cloudconsole-pa). Consequently, there is no logging of HMAC key creation or deletion linked to user accounts. This absence of logs hampers defenders' ability to alert or monitor the creation of HMAC keys for user accounts, posing a persistence risk, or their deletion, presenting a denial of service risk.

Affected Services

Google Cloud Storage XML API, Cloud Console Private API Service

Remediation

None possible

Tracked CVEs

No tracked CVEs

References

https://www.vectra.ai/blog/working-as-intended-the-unauditable-unmanageable-keys-in-google-cloud

Contributed by https://github.com/KatTraxler

Entry Status

Finalized

Disclosure Date

Wed, Feb 7th, 2024

Exploitablity Period

Ongoing

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Kat Traxler, Vectra AI

More vulnerabilities...

Azure Machine Learning SSRF

Tenable, Wiz

Mon, Jun 17th, 2024

Internal Azure Container Registry writable via exposed secret

A Microsoft employee accidentally published credentials via a git commit to a public repository. These credentials granted privileged access to an internal Azure Container Registry (ACR) used by Az...

Yakir Kadkoda, Assaf Morag,...

Thu, May 16th, 2024

critical

Lethal Injection

Multiple vulnerabilities were uncovered in Azure Health Bot service, Microsoft's health chatbot platform. These could have potentially exposed sensitive user data and granted attackers extensive co...

Yanir Tsarimi, Breachproof

Tue, May 7th, 2024

View all