CVE-2020-8933

A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using the membership to the "lxd" group, an attacker can attach host devices and filesystems. Within an lxc container, it is possible to attach the host OS filesystem and modify /etc/sudoers to then gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "lxd" user from the OS Login entry.

CVSS v3.0 7.8 HIGH
CVSS v2.0 6.9 MEDIUM

7.8^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29	Patch Third Party Advisory
https://cloud.google.com/support/bulletins/#gcp-2020-008	Vendor Advisory
https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020	Exploit Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00037.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00047.html	Mailing List Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:guest-oslogin:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:15.2:::::::*

Information

Published : 2020-06-22 07:15

Updated : 2022-09-30 16:14

NVD link : CVE-2020-8933

Mitre link : CVE-2020-8933

JSON object : View

CWE

CWE-276

Incorrect Default Permissions

Advertisement

Products Affected

google

guest-oslogin

opensuse

leap

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29", "name": "https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29", "tags": ["Patch", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://cloud.google.com/support/bulletins/#gcp-2020-008", "name": "https://cloud.google.com/support/bulletins/#gcp-2020-008", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020", "name": "https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00037.html", "name": "openSUSE-SU-2020:0996", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "SUSE"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00047.html", "name": "openSUSE-SU-2020:1014", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "SUSE"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role \"roles/compute.osLogin\" to escalate privileges to root. Using the membership to the \"lxd\" group, an attacker can attach host devices and filesystems. Within an lxc container, it is possible to attach the host OS filesystem and modify /etc/sudoers to then gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the \"lxd\" user from the OS Login entry."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-276"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-8933", "ASSIGNER": "security@google.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}}, "publishedDate": "2020-06-22T14:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:google:guest-oslogin:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "20200507.00", "versionStartIncluding": "20190304.00"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-09-30T23:14Z"}