From cd98929656b0be8dbf5ac49246423038402d84a1 Mon Sep 17 00:00:00 2001
From: Rami McCarthy
Date: Wed, 27 Sep 2023 23:44:59 -0400
Subject: [PATCH 1/7] Closes #245: Add GCP Bulletins
---
 .../gcp-anthos-predictable-seed.yaml | 29 +++++++++++++++++
 .../gcp-cloudsql-tempdb-privesc.yaml | 31 +++++++++++++++++++
 .../gcp-dropped-cloudarmor-policy.yaml | 29 +++++++++++++++++
 .../gcp-gke-autopilot-privesc.yaml | 31 +++++++++++++++++++
 vulnerabilities/gcp-gke-hyperthreading.yaml | 31 +++++++++++++++++++
 5 files changed, 151 insertions(+)
 create mode 100644 vulnerabilities/gcp-anthos-predictable-seed.yaml
 create mode 100644 vulnerabilities/gcp-cloudsql-tempdb-privesc.yaml
 create mode 100644 vulnerabilities/gcp-dropped-cloudarmor-policy.yaml
 create mode 100644 vulnerabilities/gcp-gke-autopilot-privesc.yaml
 create mode 100644 vulnerabilities/gcp-gke-hyperthreading.yaml
diff --git a/vulnerabilities/gcp-anthos-predictable-seed.yaml b/vulnerabilities/gcp-anthos-predictable-seed.yaml
new file mode 100644
index 0000000..32d973d
--- /dev/null
+++ b/vulnerabilities/gcp-anthos-predictable-seed.yaml
@@ -0,0 +1,29 @@
+title: Predictable seed used to generate keys in Anthos Identity Service LDAP module
+slug: gcp-anthos-predictable-seed
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Anthos
+image: https://images.unsplash.com/photo-1607217237228-a8b69908bad6?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3270&q=80
+severity: Low
+discoveredBy:
+ name: null
+ org: null
+ domain: null
+ twitter: null
+disclosedAt: null
+publishedAt: 2021/09/29
+exploitabilityPeriod: null
+knownITWExploitation: null
+summary: |
+ There is a known issue where updating a BackendConfig resource
+ using the v1beta1 API removes an active Google Cloud Armor
+ security policy from its service.
+manualRemediation: |
+ Dropped Cloud Armor security policies must be manually reattached.
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#gcp-2022-009
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-009
\ No newline at end of file
diff --git a/vulnerabilities/gcp-cloudsql-tempdb-privesc.yaml b/vulnerabilities/gcp-cloudsql-tempdb-privesc.yaml
new file mode 100644
index 0000000..2a5435c
--- /dev/null
+++ b/vulnerabilities/gcp-cloudsql-tempdb-privesc.yaml
@@ -0,0 +1,31 @@
+title: Privilege escalation in GCP Cloud SQL via tempdb
+slug: gcp-cloudsql-tempdb-privesc
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Cloud SQL
+image: https://images.unsplash.com/photo-1595742446666-c51b9fee49c2?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxzZWFyY2h8M3x8dGVtcG9yYXJ5fGVufDB8MHwwfHx8MA%3D%3D&auto=format&fit=crop&w=900&q=60
+severity: High
+discoveredBy:
+ name: null
+ org: null
+ domain: null
+ twitter: null
+disclosedAt: null
+publishedAt: 2023/06/02
+exploitabilityPeriod: null
+knownITWExploitation: null
+summary: |
+ A vulnerability was recently discovered in Cloud SQL for SQL Server
+ that allowed customer administrator accounts to create triggers
+ in the tempdb database and use those to gain sysadmin privileges in the instance.
+ The sysadmin privileges would give the attacker access to system databases
+ and partial access to the machine running that SQL Server instance.
+manualRemediation: |
+ None required
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#GCP-2023-007
+- https://cloud.google.com/sql/docs/security-bulletins#gcp-2023-007
\ No newline at end of file
diff --git a/vulnerabilities/gcp-dropped-cloudarmor-policy.yaml b/vulnerabilities/gcp-dropped-cloudarmor-policy.yaml
new file mode 100644
index 0000000..74db973
--- /dev/null
+++ b/vulnerabilities/gcp-dropped-cloudarmor-policy.yaml
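Review bot: The first reference uses an upper-case fragment, `- https://cloud.google.com/support/bulletins#GCP-2023-007`, while the second reference on the next line and every other entry in this series use lower-case bulletin IDs; URL fragments are case-sensitive, so if the page's anchor is `gcp-2023-007` the browser lands at the top of a very long bulletins page instead of on the entry. Change it to `- https://cloud.google.com/support/bulletins#gcp-2023-007`. The later patch in this series that renames the file to gcp-2023-007.yaml leaves this line untouched, so it needs its own fix.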
@@ -0,0 +1,29 @@
+title: Dropped active Google Cloud Armor security policy
+slug: gcp-dropped-cloudarmor-policy
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Cloud Armor
+image: https://images.unsplash.com/photo-1607217237228-a8b69908bad6?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3270&q=80
+severity: Low
+discoveredBy:
+ name: null
+ org: null
+ domain: null
+ twitter: null
+disclosedAt: null
+publishedAt: 2021/09/29
+exploitabilityPeriod: null
+knownITWExploitation: null
+summary: |
+ There is a known issue where updating a BackendConfig resource
+ using the v1beta1 API removes an active Google Cloud Armor
+ security policy from its service.
+manualRemediation: |
+ Dropped Cloud Armor security policies must be manually reattached.
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#gcp-2022-009
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-009
\ No newline at end of file
diff --git a/vulnerabilities/gcp-gke-autopilot-privesc.yaml b/vulnerabilities/gcp-gke-autopilot-privesc.yaml
new file mode 100644
index 0000000..85050c3
--- /dev/null
+++ b/vulnerabilities/gcp-gke-autopilot-privesc.yaml
@@ -0,0 +1,31 @@
+title: GKE Autopilot cluster privilege esclation
+slug: gke-autopilot-privesc
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Kubernetes Engine Autopilot
+image: https://images.unsplash.com/photo-1628251721369-9bab0845261e?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3132&q=80
+severity: Low
+discoveredBy:
+ name: null
+ org: null
+ domain: null
+ twitter: null
+disclosedAt: null
+publishedAt: 2022/03/01
+exploitabilityPeriod: null
+knownITWExploitation: null
+summary: |
+ Some unexpected paths to access the node VM on GKE Autopilot clusters
+ could have been used to escalate privileges in the cluster. The mechanisms
+ for escalation were an overly loose set of third party policy exemptions,
+ a pair of overly privileged pods, and privileged service accounts
+ in the default namespace.
+manualRemediation: |
+ None required
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#gcp-2022-009
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-009
\ No newline at end of file
diff --git a/vulnerabilities/gcp-gke-hyperthreading.yaml b/vulnerabilities/gcp-gke-hyperthreading.yaml
new file mode 100644
index 0000000..60aa9db
--- /dev/null
+++ b/vulnerabilities/gcp-gke-hyperthreading.yaml
@@ -0,0 +1,31 @@
+title: Side channel attack against Simultaneous Multi-Threading
+slug: gke-hyperthreading
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Kubernetes Image
+image: https://images.pexels.com/photos/5371573/pexels-photo-5371573.jpeg?auto=compress&cs=tinysrgb&w=1260&h=750&dpr=2
+severity: Medium
+discoveredBy:
+ name: null
+ org: null
+ domain: null
+ twitter: null
+disclosedAt: null
+publishedAt: 2023/06/02
+exploitabilityPeriod: null
+knownITWExploitation: null
+summary: |
+ There is a misconfiguration with Simultaneous Multi-Threading (SMT),
+ also known as Hyper-threading, on GKE Sandbox images. The
+ misconfiguration leaves nodes potentially exposed to side channel
+ attacks such as Microarchitectural Data Sampling (MDS)
+ (for more context, see GKE Sandbox documentation).
+manualRemediation: |
+ None required
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#gcp-2022-011
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-011
\ No newline at end of file
From bc2a5d446e79cb406d1633a34de779a1ab3d02d5 Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Thu, 2 Nov 2023 13:08:44 +0200
Subject: [PATCH 2/7] Update and rename gcp-dropped-cloudarmor-policy.yaml to gcp-2021-019.yaml
---
 ...-dropped-cloudarmor-policy.yaml => gcp-2021-019.yaml} | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
 rename vulnerabilities/{gcp-dropped-cloudarmor-policy.yaml => gcp-2021-019.yaml} (75%)
diff --git a/vulnerabilities/gcp-dropped-cloudarmor-policy.yaml b/vulnerabilities/gcp-2021-019.yaml
similarity index 75%
rename from vulnerabilities/gcp-dropped-cloudarmor-policy.yaml
rename to vulnerabilities/gcp-2021-019.yaml
index 74db973..e6ceb5c 100644
--- a/vulnerabilities/gcp-dropped-cloudarmor-policy.yaml
+++ b/vulnerabilities/gcp-2021-019.yaml
@@ -1,5 +1,5 @@
 title: Dropped active Google Cloud Armor security policy
-slug: gcp-dropped-cloudarmor-policy
+slug: gcp-2021-019
 cves: null
 affectedPlatforms:
 - GCP
@@ -19,11 +19,12 @@ knownITWExploitation: null
 summary: |
 There is a known issue where updating a BackendConfig resource
 using the v1beta1 API removes an active Google Cloud Armor
- security policy from its service.
+ security policy from its service. If you do not configure Google Cloud Armor
+ on your Ingress resources via the BackendConfig, then this issue does not affect your clusters.
 manualRemediation: |
 Dropped Cloud Armor security policies must be manually reattached.
 detectionMethods: null
 contributor: https://github.com/ramimac
 references:
-- https://cloud.google.com/support/bulletins#gcp-2022-009
-- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-009
\ No newline at end of file
+- https://cloud.google.com/support/bulletins#gcp-2021-019
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2021-019
From 7c646f1383b5a68e55a096d68a1b7f58e2048bc7 Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Thu, 2 Nov 2023 13:14:22 +0200
Subject: [PATCH 3/7] Update and rename gcp-anthos-predictable-seed.yaml to gcp-2021-022.yaml
---
 vulnerabilities/gcp-2021-022.yaml | 30 +++++++++++++++++++
 .../gcp-anthos-predictable-seed.yaml | 29 ------------------
 2 files changed, 30 insertions(+), 29 deletions(-)
 create mode 100644 vulnerabilities/gcp-2021-022.yaml
 delete mode 100644 vulnerabilities/gcp-anthos-predictable-seed.yaml
diff --git a/vulnerabilities/gcp-2021-022.yaml b/vulnerabilities/gcp-2021-022.yaml
new file mode 100644
index 0000000..dcf5fa9
--- /dev/null
+++ b/vulnerabilities/gcp-2021-022.yaml
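Review bot: The second corrected reference, `- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2021-019`, points at the Anthos clusters bulletin page, but the summary describes a defect in the GKE BackendConfig v1beta1 API used by Ingress, not in Anthos; if that page does not carry GCP-2021-019 the link silently lands on an unrelated page, so verify the anchor exists or point it at the GKE security-bulletins page instead. For the same reason `affectedServices:` listing only `- Cloud Armor` undersells the scope; the policy is dropped by a GKE API update, so `- GKE` alongside it would match how users filter. The added scoping sentence is useful; since the remediation is manual reattachment, a `detectionMethods` entry along the lines of comparing each Ingress backend service's attached Cloud Armor policy against the policy declared in its BackendConfig would give operators a concrete check — only if this corpus expects that field to be filled.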
@@ -0,0 +1,30 @@
+title: Predictible seed in Anthos Identity Service LDAP module
+slug: gcp-2021-022
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Anthos
+image: https://images.unsplash.com/photo-1458014854819-1a40aa70211c?auto=format&fit=crop&q=80&w=2070&ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D
+severity: Low
+discoveredBy:
+ name: null
+ org: null
+ domain: null
+ twitter: null
+disclosedAt: null
+publishedAt: 2021/09/22
+exploitabilityPeriod: Ongoing
+knownITWExploitation: null
+summary: |
+ A vulnerability was discovered in the Anthos Identity Service (AIS) LDAP module
+ of Anthos clusters on VMware versions 1.8 and 1.8.1 where a seed key used in generating
+ keys is predictable. With this vulnerability, an authenticated user could add arbitrary
+ claims and escalate privileges indefinitely.
+manualRemediation: |
+ Upgrade your clusters to version 1.8.2.
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#gcp-2021-022
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2021-022
diff --git a/vulnerabilities/gcp-anthos-predictable-seed.yaml b/vulnerabilities/gcp-anthos-predictable-seed.yaml
deleted file mode 100644
index 32d973d..0000000
--- a/vulnerabilities/gcp-anthos-predictable-seed.yaml
+++ /dev/null
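Review bot: The title carries a typo, `+title: Predictible seed in Anthos Identity Service LDAP module`; the file this replaces spelled it correctly, so it should read `title: Predictable seed in Anthos Identity Service LDAP module` (the slug, which is what other pages link by, is unaffected). The summary scopes the issue to Anthos clusters on VMware 1.8 and 1.8.1, while `affectedServices:` lists only `- Anthos`; `- Anthos clusters on VMware` would match the bulletin's scope and the filter readers search by. `exploitabilityPeriod: Ongoing` is set here because remediation requires a customer upgrade, yet the other customer-remediated entries in this series (gcp-2021-019, gcp-2022-011) leave the field null — the series should pick one convention.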
@@ -1,29 +0,0 @@
-title: Predictable seed used to generate keys in Anthos Identity Service LDAP module
-slug: gcp-anthos-predictable-seed
-cves: null
-affectedPlatforms:
-- GCP
-affectedServices:
-- Anthos
-image: https://images.unsplash.com/photo-1607217237228-a8b69908bad6?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3270&q=80
-severity: Low
-discoveredBy:
- name: null
- org: null
- domain: null
- twitter: null
-disclosedAt: null
-publishedAt: 2021/09/29
-exploitabilityPeriod: null
-knownITWExploitation: null
-summary: |
- There is a known issue where updating a BackendConfig resource
- using the v1beta1 API removes an active Google Cloud Armor
- security policy from its service.
-manualRemediation: |
- Dropped Cloud Armor security policies must be manually reattached.
-detectionMethods: null
-contributor: https://github.com/ramimac
-references:
-- https://cloud.google.com/support/bulletins#gcp-2022-009
-- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-009
\ No newline at end of file
From 2aa4ff94e20fd59811d860e5dfd7d3f3f9cf9e9b Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Thu, 2 Nov 2023 13:22:17 +0200
Subject: [PATCH 4/7] Update and rename gcp-cloudsql-tempdb-privesc.yaml to gcp-2023-007.yaml
---
 ...loudsql-tempdb-privesc.yaml => gcp-2023-007.yaml} | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
 rename vulnerabilities/{gcp-cloudsql-tempdb-privesc.yaml => gcp-2023-007.yaml} (68%)
diff --git a/vulnerabilities/gcp-cloudsql-tempdb-privesc.yaml b/vulnerabilities/gcp-2023-007.yaml
similarity index 68%
rename from vulnerabilities/gcp-cloudsql-tempdb-privesc.yaml
rename to vulnerabilities/gcp-2023-007.yaml
index 2a5435c..3a28942 100644
--- a/vulnerabilities/gcp-cloudsql-tempdb-privesc.yaml
+++ b/vulnerabilities/gcp-2023-007.yaml
@@ -1,12 +1,12 @@
-title: Privilege escalation in GCP Cloud SQL via tempdb
-slug: gcp-cloudsql-tempdb-privesc
+title: Privilege escalation in GCP Cloud SQL
+slug: gcp-2023-007
 cves: null
 affectedPlatforms:
 - GCP
 affectedServices:
 - Cloud SQL
-image: https://images.unsplash.com/photo-1595742446666-c51b9fee49c2?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxzZWFyY2h8M3x8dGVtcG9yYXJ5fGVufDB8MHwwfHx8MA%3D%3D&auto=format&fit=crop&w=900&q=60
-severity: High
+image: https://images.unsplash.com/photo-1544383835-bda2bc66a55d?auto=format&fit=crop&q=80&w=2036&ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D
+severity: Medium
 discoveredBy:
 name: null
 org: null
@@ -17,7 +17,7 @@ publishedAt: 2023/06/02
 exploitabilityPeriod: null
 knownITWExploitation: null
 summary: |
- A vulnerability was recently discovered in Cloud SQL for SQL Server
+ A vulnerability was discovered in Cloud SQL for SQL Server
 that allowed customer administrator accounts to create triggers
 in the tempdb database and use those to gain sysadmin privileges in the instance.
 The sysadmin privileges would give the attacker access to system databases
@@ -28,4 +28,4 @@ detectionMethods: null
 contributor: https://github.com/ramimac
 references:
 - https://cloud.google.com/support/bulletins#GCP-2023-007
-- https://cloud.google.com/sql/docs/security-bulletins#gcp-2023-007
\ No newline at end of file
+- https://cloud.google.com/sql/docs/security-bulletins#gcp-2023-007
From 7a7608ba646ffe92001345b5d4b4188ec8d4bde4 Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Thu, 2 Nov 2023 13:27:36 +0200
Subject: [PATCH 5/7] Update and rename gcp-gke-autopilot-privesc.yaml to gcp-2022-009.yaml
---
 .../{gcp-gke-autopilot-privesc.yaml => gcp-2022-009.yaml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 rename vulnerabilities/{gcp-gke-autopilot-privesc.yaml => gcp-2022-009.yaml} (92%)
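Review bot: The severity is lowered from High to Medium on `+severity: Medium` with no basis given in the commit message, while the unchanged summary still describes gaining sysadmin and partial access to the host running the instance. If the downgrade reflects the precondition that the attacker must already hold a customer administrator login, state that in the commit message or make it explicit in the summary, e.g. `that allowed customer administrator accounts (an existing admin login is required) to create triggers`; if the referenced bulletin states its own rating, the field should simply match it. The third hunk also keeps the context line `- https://cloud.google.com/support/bulletins#GCP-2023-007` with an upper-case fragment that the sibling reference and every other entry write in lower case; fragments are case-sensitive, so it is worth lower-casing while this file is being touched.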
diff --git a/vulnerabilities/gcp-gke-autopilot-privesc.yaml b/vulnerabilities/gcp-2022-009.yaml
similarity index 92%
rename from vulnerabilities/gcp-gke-autopilot-privesc.yaml
rename to vulnerabilities/gcp-2022-009.yaml
index 85050c3..655eeb9 100644
--- a/vulnerabilities/gcp-gke-autopilot-privesc.yaml
+++ b/vulnerabilities/gcp-2022-009.yaml
@@ -1,12 +1,12 @@
 title: GKE Autopilot cluster privilege esclation
-slug: gke-autopilot-privesc
+slug: gcp-2022-009
 cves: null
 affectedPlatforms:
 - GCP
 affectedServices:
-- Kubernetes Engine Autopilot
+- GKE Autopilot
 image: https://images.unsplash.com/photo-1628251721369-9bab0845261e?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3132&q=80
-severity: Low
+severity: Medium
 discoveredBy:
 name: null
 org: null
@@ -28,4 +28,4 @@ detectionMethods: null
 contributor: https://github.com/ramimac
 references:
 - https://cloud.google.com/support/bulletins#gcp-2022-009
-- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-009
\ No newline at end of file
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-009
From 704c4309802b74cf682faddcf09fadcd088ed934 Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Thu, 2 Nov 2023 13:45:15 +0200
Subject: [PATCH 6/7] Delete vulnerabilities/gcp-2022-009.yaml
Duplicate of https://www.cloudvulndb.org/gke-autopilot-allowlist
---
 vulnerabilities/gcp-2022-009.yaml | 31 -------------------------------
 1 file changed, 31 deletions(-)
 delete mode 100644 vulnerabilities/gcp-2022-009.yaml
diff --git a/vulnerabilities/gcp-2022-009.yaml b/vulnerabilities/gcp-2022-009.yaml
deleted file mode 100644
index 655eeb9..0000000
--- a/vulnerabilities/gcp-2022-009.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: GKE Autopilot cluster privilege esclation
-slug: gcp-2022-009
-cves: null
-affectedPlatforms:
-- GCP
-affectedServices:
-- GKE Autopilot
-image: https://images.unsplash.com/photo-1628251721369-9bab0845261e?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3132&q=80
-severity: Medium
-discoveredBy:
- name: null
- org: null
- domain: null
- twitter: null
-disclosedAt: null
-publishedAt: 2022/03/01
-exploitabilityPeriod: null
-knownITWExploitation: null
-summary: |
- Some unexpected paths to access the node VM on GKE Autopilot clusters
- could have been used to escalate privileges in the cluster. The mechanisms
- for escalation were an overly loose set of third party policy exemptions,
- a pair of overly privileged pods, and privileged service accounts
- in the default namespace.
-manualRemediation: |
- None required
-detectionMethods: null
-contributor: https://github.com/ramimac
-references:
-- https://cloud.google.com/support/bulletins#gcp-2022-009
-- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-009
From 0161c16bc64144c8bbdacffead4cbd305c984d81 Mon Sep 17 00:00:00 2001
From: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
Date: Thu, 2 Nov 2023 13:50:47 +0200
Subject: [PATCH 7/7] Update and rename gcp-gke-hyperthreading.yaml to gcp-2022-011.yaml
---
 ...-hyperthreading.yaml => gcp-2022-011.yaml} | 21 +++++++++----------
 1 file changed, 10 insertions(+), 11 deletions(-)
 rename vulnerabilities/{gcp-gke-hyperthreading.yaml => gcp-2022-011.yaml} (54%)
diff --git a/vulnerabilities/gcp-gke-hyperthreading.yaml b/vulnerabilities/gcp-2022-011.yaml
similarity index 54%
rename from vulnerabilities/gcp-gke-hyperthreading.yaml
rename to vulnerabilities/gcp-2022-011.yaml
index 60aa9db..8ca8060 100644
--- a/vulnerabilities/gcp-gke-hyperthreading.yaml
+++ b/vulnerabilities/gcp-2022-011.yaml
@@ -1,10 +1,10 @@
-title: Side channel attack against Simultaneous Multi-Threading
-slug: gke-hyperthreading
+title: GKE Sandbox side channel attack
+slug: gcp-2022-011
 cves: null
 affectedPlatforms:
 - GCP
 affectedServices:
-- Kubernetes Image
+- GKE Sandbox
 image: https://images.pexels.com/photos/5371573/pexels-photo-5371573.jpeg?auto=compress&cs=tinysrgb&w=1260&h=750&dpr=2
 severity: Medium
 discoveredBy:
@@ -13,19 +13,18 @@ discoveredBy:
 domain: null
 twitter: null
 disclosedAt: null
-publishedAt: 2023/06/02
+publishedAt: 2022/03/22
 exploitabilityPeriod: null
 knownITWExploitation: null
 summary: |
- There is a misconfiguration with Simultaneous Multi-Threading (SMT),
- also known as Hyper-threading, on GKE Sandbox images. The
- misconfiguration leaves nodes potentially exposed to side channel
- attacks such as Microarchitectural Data Sampling (MDS)
- (for more context, see GKE Sandbox documentation).
+ There was a misconfiguration with Simultaneous Multi-Threading (SMT),
+ also known as Hyper-threading, in GKE Sandbox images, causing nodes
+ to be potentially exposed to side channel attacks such as
+ Microarchitectural Data Sampling (MDS).
 manualRemediation: |
- None required
+ Upgrade nodes to versions 1.22.6-gke.1500 and later or 1.23.3-gke.1100 and later.
 detectionMethods: null
 contributor: https://github.com/ramimac
 references:
 - https://cloud.google.com/support/bulletins#gcp-2022-011
-- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-011
\ No newline at end of file
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-011
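Review bot: `exploitabilityPeriod: null` is left as a context line even though the new `+ Upgrade nodes to versions 1.22.6-gke.1500 and later or 1.23.3-gke.1100 and later.` makes remediation a customer action, so GKE Sandbox node pools on older versions stay exposed until upgraded; the gcp-2021-022 entry in this series records that same situation as `exploitabilityPeriod: Ongoing`, and the two should agree. Given the remediation is a version floor, a `detectionMethods` line saying that affected nodes are GKE Sandbox node pools running versions below those listed would give readers a concrete check — take the exact version list from the referenced bulletin rather than from this summary, which may not be the full set. `detectionMethods: null` is the line to change; the rest of the file is covered by this hunk.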