CVE-2020-8907 in Cloud Platform guest-oslogin

Summary

by MITRE

A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and mount the host OS. Within docker, it is possible to modify the host OS filesystem and modify /etc/groups to gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "docker" user from the OS Login entry.


Analysis

by VulDB Data Team • 10/26/2020

This vulnerability is a critical privilege escalation flaw in Google Cloud Platform's guest-oslogin implementation, affecting versions between March 4, 2019 and May 7, 2020. The issue stems from insufficient access control: users with minimal permissions can gain root-level system access through a combination of containerization and filesystem manipulation. The flaw lies in the oslogin service, which manages user authentication and authorization for Compute Engine instances, and it opens a dangerous gap in the enforcement of least privilege.

The exploitation path begins with a user holding only the "roles/compute.osLogin" role, which should provide limited login capability without administrative privileges. Because that user is also a member of the "docker" group, they can start containerized processes that mount the host operating system's filesystem. Container isolation is thereby bypassed: code running inside the container can directly manipulate host-level filesystem structures. The vulnerability is categorized under CWE-276 as improper privilege management, specifically inadequate access control enforcement.

The operational impact is severe: an attacker with relatively low-privilege initial access can achieve complete system compromise. From inside the container, critical system files such as /etc/group can be modified to add the attacker to administrative groups or to create new root-level accounts, giving persistent, system-wide control without any further escalation step. The attack methodology aligns with ATT&CK technique T1068, which describes privilege escalation through the exploitation of system vulnerabilities, and T1496, which covers resource hijacking through container manipulation.

Google's fix addresses the root cause by changing the oslogin service behavior in images created after May 7, 2020, so that containerized processes can no longer mount or modify host filesystems in ways that enable privilege escalation. Organizations unable to update immediately should manually edit the /etc/group and security.conf files to remove the docker user from the OS Login entries, which breaks the attack chain. This remediation follows the principle of defense in depth by putting multiple layers of protection in place against similar vulnerabilities in the future.
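The two defender-side checks that follow from the exploitation path and the mitigation described above, as an added example that is not part of the VulDB analysis or of Google's guest-oslogin code: an audit of /etc/group that flags members of the docker group and any unexpected member of the gid-0 group (the artefact left behind when the host filesystem has been edited from inside a container), and a function that removes "docker" from the supplementary groups handed to OS Login users. The INI-style fragment with a `groups` key is an assumption standing in for the security.conf file the advisory mentions; its real layout is not shown on the page, and both input texts are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample /etc/group content (not captured from a real instance).
# An OS Login user sits in "docker", and the same user has been appended to
# the gid-0 group, which is what a post-exploitation edit of /etc/group looks like.
SAMPLE_ETC_GROUP = """\
root:x:0:user_example_com
daemon:x:1:
adm:x:4:syslog
sudo:x:27:
docker:x:998:user_example_com
google-sudoers:x:1001:
"""

# Constructed configuration fragment. Assumption: an INI-like file whose
# "groups" key lists the supplementary groups granted to every OS Login user.
SAMPLE_SECURITY_CONF = """\
[Accounts]
groups = adm,dialout,docker,lxd,plugdev,video,google-sudoers
"""

# Groups that should never be granted to every OS Login user by default.
# google-sudoers is deliberately absent: it is the intended mechanism for
# users who are supposed to have administrative access.
RISKY_DEFAULT_GROUPS = {"root", "sudo", "wheel", "docker"}

_GROUPS_LINE = re.compile(r"^(\s*groups\s*=\s*)(.*)$")


def parse_etc_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Parse /etc/group lines (name:password:gid:member,member,...)
    into {name: (gid, [members])}. Malformed lines are skipped."""
    groups: Dict[str, Tuple[int, List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        name, _, gid, members = fields
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def find_risky_memberships(text: str, expected_root_members=("root",)) -> List[str]:
    """Report (1) any gid-0 group member other than the expected ones and
    (2) any member of the docker group, since docker membership is
    root-equivalent on the host."""
    findings = []
    for name, (gid, members) in parse_etc_group(text).items():
        if gid == 0:
            for member in members:
                if member not in expected_root_members:
                    findings.append(f"unexpected member '{member}' in gid-0 group '{name}'")
        if name == "docker" and members:
            findings.append(f"docker group has members: {','.join(members)}")
    return findings


def parse_oslogin_groups(conf: str) -> List[str]:
    """Return the comma-separated group list from the first 'groups =' line."""
    for line in conf.splitlines():
        match = _GROUPS_LINE.match(line)
        if match:
            return [g.strip() for g in match.group(2).split(",") if g.strip()]
    return []


def audit_oslogin_groups(conf: str) -> List[str]:
    """Return the granted groups that fall in RISKY_DEFAULT_GROUPS."""
    return [g for g in parse_oslogin_groups(conf) if g in RISKY_DEFAULT_GROUPS]


def harden_oslogin_groups(conf: str, drop=("docker",)) -> str:
    """Return the configuration text with the named groups removed from the
    'groups =' line; every other line is preserved unchanged."""
    out = []
    for line in conf.splitlines():
        match = _GROUPS_LINE.match(line)
        if match:
            kept = [g.strip() for g in match.group(2).split(",")
                    if g.strip() and g.strip() not in drop]
            line = match.group(1) + ",".join(kept)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in find_risky_memberships(SAMPLE_ETC_GROUP):
        print("FINDING:", finding)
    print("risky default groups:", audit_oslogin_groups(SAMPLE_SECURITY_CONF))
    print(harden_oslogin_groups(SAMPLE_SECURITY_CONF), end="")
```

On a live instance the same functions can be fed the contents of the real files; the /etc/group check is cheap enough to run from a periodic integrity job, and a non-empty result from either audit function is a concrete alert condition rather than a judgement call.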

The vulnerability demonstrates the critical importance of proper container isolation mechanisms and access control enforcement in cloud environments. It highlights how seemingly minor permission assignments can create significant security risks when combined with containerization technologies. Organizations should implement comprehensive monitoring for unauthorized container access patterns and ensure regular updates to cloud platform components to prevent exploitation of similar privilege escalation vulnerabilities in the future. The incident underscores the necessity of continuous security auditing and proper segregation of duties in cloud infrastructure management.

Responsible

Google Inc.

Reservation

02/12/2020

Moderation

accepted

CPE

ready

EPSS

0.00086

KEV

no

Activities

very low

Sources
