Google Working on Patching GCP Vulnerability That Allows VM Takeover
2021-06-30 11:14

A security researcher has disclosed the details of a vulnerability that can be exploited to take over virtual machines on Google Cloud Platform.

Rad decided to disclose the vulnerability due to Google's failure to fix the issue and provide information on its progress.

Google does not have a problem with researchers disclosing vulnerabilities after 90 days if the company hasn't been able to patch them.

According to the researcher, the issue affects Google Compute Engine - which enables users to create and run VMs on Google's infrastructure - and it's related to the Internet Systems Consortium's DHCP software.

"By taking over a VM I meant getting full root access to the VM and thus accessing all the contents/services/functionality hosted there. E.g. data stored locally on the VM. Also, by getting into a VM an attacker would also get access to all Google services the 'service account' that is assigned to the VM has permissions to," the researcher explained.

According to Google, while a complete patch is still in progress, the company has deployed a mitigation to prevent exploitation of the flaw from the internet and external VMs on Google Compute Engine.


News URL

http://feedproxy.google.com/~r/securityweek/~3/oiSxhKTXgOU/google-working-patching-gcp-vulnerability-allows-vm-takeover

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 994 4850 2758 1620 10222