Security News > 2021 > June > You can hijack Google Cloud VMs using DHCP floods, says this guy, once the stars are aligned and...

Google Compute Engine virtual machines can be hijacked and made to hand over root shell access via a cunning DHCP attack, according to security researcher Imre Rad. Though the weakness remains unpatched, there are some mitigating factors that diminish the potential risk.

A successful attack involves overloading a victim's VM with DHCP traffic so that it ends up using a rogue attacker-controlled metadata server, which can be on the same network or on the other side of the internet.

The DHCP flood would typically come from a neighboring attacker-controlled system hosted within Google Cloud.

So the idea is to hit the victim VM with a stream of DHCP packets, with a best guess for the XID, until the dhclient accepts them over Google's legit DHCP server packets, at which point you can configure the network stack on the victim VM to use the rogue metadata server by aliasing Google server hostnames.

Suggested defense techniques include not referring to the metadata server using its virtual hostname, not managing the virtual hostname via DHCP, securing metadata server communication using TLS, and blocking UDP on Ports 67/68 between VMs. Google was said to be informed of this issue back in September 2020.

We imagine Google Cloud may have some defenses in place, such as detection of weird DHCP traffic, for one.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/30/gce_vm_vulnerability/