Summary
GCP administrators face challenges in managing HMAC keys within their organizations,
lacking visibility into which user accounts have generated these keys and whether they are
actively being used to access storage objects. Additionally, there's a lack of functionality
to revoke keys associated with other users, restricting their ability to enforce security
policies effectively. Similarly, GCP incident response teams rely on Cloud Logging to monitor
Cloud Storage object access, but they lack specific indicators to determine if HMAC keys are
being utilized in these access attempts.
Affected Services
Google Cloud Storage XML API, Google Cloud IAM
Remediation
No full remediation is possible at this time. While various containment actions, such as suspending
or deleting compromised user accounts, may initially seem effective by rejecting previously created
Sigv4 signed headers, reactivating or recreating the same user allows the reuse of credentials
unless they have expired. Furthermore, removing Cloud IAM Roles can revoke access to affected storage
resources. However, it's important to note that reassigning roles does not invalidate previously
created Sigv4 signed headers, allowing them to continue functioning even after the role change.
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/KatTraxler
Disclosure Date
Wed, Feb 7th, 2024
Exploitablity Period
Ongoing
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Kat Traxler, Vectra AI
