CVE-2020-8933 : Security Advisory and Response

A vulnerability in Google Cloud Platform's guest-oslogin allows privilege escalation to root, impacting versions between 20190304 and 20200507.

Understanding CVE-2020-8933

This CVE involves a security issue in Google Cloud Platform's guest-oslogin that enables users with limited roles to escalate privileges.

What is CVE-2020-8933?

The vulnerability in guest-oslogin versions between 20190304 and 20200507 permits users with the role "roles/compute.osLogin" to gain root privileges through the "lxd" group membership.

The Impact of CVE-2020-8933

The vulnerability has a CVSS base score of 7.8 (High severity) with a low attack complexity and local attack vector. It poses a high risk to confidentiality, integrity, and availability.

Technical Details of CVE-2020-8933

This section provides detailed technical information about the CVE.

Vulnerability Description

The vulnerability allows users with limited roles to escalate privileges to root by attaching host devices and filesystems within an lxc container.

Affected Systems and Versions

Product: guest-oslogin
Vendor: Google LLC
Versions affected: 20190304 to 20200507

Exploitation Mechanism

Attackers exploit the "lxd" group membership to attach host devices and modify /etc/sudoers within an lxc container, gaining administrative privileges.

Mitigation and Prevention

Protect your systems from CVE-2020-8933 with these mitigation strategies.

Immediate Steps to Take

Update to fixed images created after 2020-May-07.
If unable to update, remove the "lxd" user from the OS Login entry in /etc/group/security.conf.

Long-Term Security Practices

Regularly review and update access control policies.
Monitor and restrict user privileges to prevent unauthorized escalation.

Patching and Updates

Apply security patches promptly to address vulnerabilities and enhance system security.