CVE-2020-8903 : A vulnerability in Google Cloud Platform's guest-oslogin versions between 201903

A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "adm" group, users with this role are able to read the DHCP XID from the systemd journal. Using the DHCP XID, it is then possible to set the IP address and hostname of the instance to any value, which is then stored in /etc/hosts. An attacker can then point metadata.google.internal to an arbitrary IP address and impersonate the GCE metadata server which make it is possible to instruct the OS Login PAM module to grant administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "adm" user from the OS Login entry.

Published 2020-06-22 14:15:12

Updated 2024-05-21 05:15:50

Source Google Inc.

View at NVD, CVE.org

Products affected by CVE-2020-8903

Google » Guest-oslogin
Versions from including (>=) 20190304.00 and up to, including, (<=) 20200507.00
cpe:2.3:a:google:guest-oslogin:*:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.2
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-8903

EPSS FAQ

0.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-8903

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
6.7	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H	0.8	5.9	Google Inc.
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-8903

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.
Assigned by:
- cve-coordination@google.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2020-8903

https://cloud.google.com/support/bulletins/#gcp-2020-008

Google Cloud Platform Security Bulletins | Support
Vendor Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00047.html

[security-announce] openSUSE-SU-2020:1014-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00037.html

[security-announce] openSUSE-SU-2020:0996-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020

oslogin-privesc-june-2020 · master · GitLab.com / GitLab Security Department / GitLab Red Team / Red Team Tech Notes · GitLab
Exploit;Third Party Advisory

CVEs referencing this url
https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29

Remove OS Login users from admin groups. by illfelder · Pull Request #29 · GoogleCloudPlatform/guest-oslogin · GitHub
Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-8903

Products affected by CVE-2020-8903

Exploit prediction scoring system (EPSS) score for CVE-2020-8903

CVSS scores for CVE-2020-8903

CWE ids for CVE-2020-8903

References for CVE-2020-8903