irsl / gcp-dhcp-takeover-code-exec

Google Compute Engine (GCE) VM takeover via DHCP flood - gain root access by getting SSH keys added by google_guest_agent

Hotfix in new GCE Debian image #6

Open ramshazar opened 3 years ago

ramshazar commented 3 years ago

Google changed the script "google_set_hostname": https://github.com/GoogleCloudPlatform/guest-configs/commit/fac404b447e7dee8813bca13b37436a23add5b18#diff-5b7b2f3606d3cd6fc72670c3a7a34873df730bab794d3004382d34240fff1be8

This has been released with the new image version: https://console.cloud.google.com/compute/imagesDetail/projects/debian-cloud/global/images/debian-10-buster-v20210701

To verify that the change is in the image, follow these steps:

I did not check if this stops the attack and if it is sufficient. I just wanted to note that they addressed the issue somehow.

irsl commented 3 years ago

Thanks for this follow-up. There is a known bypass of the security measure added into the Google image, so relying on it solely is not yet recommended.