From 6b8cb0ba99a8182b70f467d4469c5d558faaea55 Mon Sep 17 00:00:00 2001
From: Rami McCarthy
Date: Thu, 2 Nov 2023 07:52:00 -0400
Subject: [PATCH] Closes #245: Add GCP Bulletins (#246)

* Closes #245: Add GCP Bulletins
* Update and rename gcp-dropped-cloudarmor-policy.yaml to gcp-2021-019.yaml
* Update and rename gcp-anthos-predictable-seed.yaml to gcp-2021-022.yaml
* Update and rename gcp-cloudsql-tempdb-privesc.yaml to gcp-2023-007.yaml
* Update and rename gcp-gke-autopilot-privesc.yaml to gcp-2022-009.yaml
* Delete vulnerabilities/gcp-2022-009.yaml
Duplicate of https://www.cloudvulndb.org/gke-autopilot-allowlist
* Update and rename gcp-gke-hyperthreading.yaml to gcp-2022-011.yaml
---------
Co-authored-by: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
---
 vulnerabilities/gcp-2021-019.yaml | 30 ++++++++++++++++++++++++++++++
 vulnerabilities/gcp-2021-022.yaml | 30 ++++++++++++++++++++++++++++++
 vulnerabilities/gcp-2022-011.yaml | 30 ++++++++++++++++++++++++++++++
 vulnerabilities/gcp-2023-007.yaml | 31 +++++++++++++++++++++++++++++++
 4 files changed, 121 insertions(+)
 create mode 100644 vulnerabilities/gcp-2021-019.yaml
 create mode 100644 vulnerabilities/gcp-2021-022.yaml
 create mode 100644 vulnerabilities/gcp-2022-011.yaml
 create mode 100644 vulnerabilities/gcp-2023-007.yaml

diff --git a/vulnerabilities/gcp-2021-019.yaml b/vulnerabilities/gcp-2021-019.yaml
new file mode 100644
index 0000000..e6ceb5c
--- /dev/null
+++ b/vulnerabilities/gcp-2021-019.yaml
@@ -0,0 +1,30 @@
+title: Dropped active Google Cloud Armor security policy
+slug: gcp-2021-019
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Cloud Armor
+image: https://images.unsplash.com/photo-1607217237228-a8b69908bad6?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3270&q=80
+severity: Low
+discoveredBy:
+  name: null
+  org: null
+  domain: null
+  twitter: null
+disclosedAt: null
+publishedAt: 2021/09/29
+exploitabilityPeriod: null
+knownITWExploitation: null
+summary: |
+  There is a known issue where updating a BackendConfig resource
+  using the v1beta1 API removes an active Google Cloud Armor
+  security policy from its service. If you do not configure Google Cloud Armor
+  on your Ingress resources via the BackendConfig, then this issue does not affect your clusters.
+manualRemediation: |
+  Dropped Cloud Armor security policies must be manually reattached.
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#gcp-2021-019
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2021-019
diff --git a/vulnerabilities/gcp-2021-022.yaml b/vulnerabilities/gcp-2021-022.yaml
new file mode 100644
index 0000000..dcf5fa9
--- /dev/null
+++ b/vulnerabilities/gcp-2021-022.yaml
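Review bot: `affectedServices` lists only `Cloud Armor`, yet the summary describes the policy being dropped by a GKE `BackendConfig` update on Ingress resources, so a reader filtering this database by GKE would miss the entry; consider adding `- GKE` alongside `- Cloud Armor`. `detectionMethods: null` also leaves out the check the summary itself implies: if the bulletin supports it, something like `Compare the Cloud Armor policy referenced by each Ingress BackendConfig with the policy actually attached to the corresponding backend service; a backend with no policy attached indicates a dropped policy.` would make the entry actionable for defenders. The `disclosedAt: null` next to a concrete `publishedAt` is consistent with the other three entries in this commit, so that seems to be the intended convention.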
@@ -0,0 +1,30 @@
+title: Predictible seed in Anthos Identity Service LDAP module
+slug: gcp-2021-022
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Anthos
+image: https://images.unsplash.com/photo-1458014854819-1a40aa70211c?auto=format&fit=crop&q=80&w=2070&ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D
+severity: Low
+discoveredBy:
+  name: null
+  org: null
+  domain: null
+  twitter: null
+disclosedAt: null
+publishedAt: 2021/09/22
+exploitabilityPeriod: Ongoing
+knownITWExploitation: null
+summary: |
+  A vulnerability was discovered in the Anthos Identity Service (AIS) LDAP module
+  of Anthos clusters on VMware versions 1.8 and 1.8.1 where a seed key used in generating
+  keys is predictable. With this vulnerability, an authenticated user could add arbitrary
+  claims and escalate privileges indefinitely.
+manualRemediation: |
+  Upgrade your clusters to version 1.8.2.
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#gcp-2021-022
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2021-022
diff --git a/vulnerabilities/gcp-2022-011.yaml b/vulnerabilities/gcp-2022-011.yaml
new file mode 100644
index 0000000..8ca8060
--- /dev/null
+++ b/vulnerabilities/gcp-2022-011.yaml
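Review bot: The `title` line misspells the key word as "Predictible"; the summary and the file's previous name in the commit message both spell it "predictable", so it should read `title: Predictable seed in Anthos Identity Service LDAP module`. `exploitabilityPeriod: Ongoing` also sits awkwardly next to a `manualRemediation` that names a fixed release (1.8.2), and it is the only one of the four entries in this commit that is not `null` — the gcp-2022-011 hunk likewise lists fixed versions but keeps `null`. If "Ongoing" is meant to say that unpatched 1.8/1.8.1 clusters remain exposed, the same value would apply to gcp-2022-011; otherwise `null` here keeps the four entries consistent. Since the summary already scopes the issue to versions 1.8 and 1.8.1, `detectionMethods` could state that scope directly, e.g. `Anthos clusters on VMware reporting version 1.8 or 1.8.1 are affected.`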
@@ -0,0 +1,30 @@
+title: GKE Sandbox side channel attack
+slug: gcp-2022-011
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- GKE Sandbox
+image: https://images.pexels.com/photos/5371573/pexels-photo-5371573.jpeg?auto=compress&cs=tinysrgb&w=1260&h=750&dpr=2
+severity: Medium
+discoveredBy:
+  name: null
+  org: null
+  domain: null
+  twitter: null
+disclosedAt: null
+publishedAt: 2022/03/22
+exploitabilityPeriod: null
+knownITWExploitation: null
+summary: |
+  There was a misconfiguration with Simultaneous Multi-Threading (SMT),
+  also known as Hyper-threading, in GKE Sandbox images, causing nodes
+  to be potentially exposed to side channel attacks such as
+  Microarchitectural Data Sampling (MDS).
+manualRemediation: |
+  Upgrade nodes to versions 1.22.6-gke.1500 and later or 1.23.3-gke.1100 and later.
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#gcp-2022-011
+- https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2022-011
diff --git a/vulnerabilities/gcp-2023-007.yaml b/vulnerabilities/gcp-2023-007.yaml
new file mode 100644
index 0000000..3a28942
--- /dev/null
+++ b/vulnerabilities/gcp-2023-007.yaml
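Review bot: `detectionMethods: null` is unnecessarily empty here, because the `manualRemediation` line already gives the exact fixed releases, which is all a detection rule needs; a line such as `GKE Sandbox node pools running a version earlier than 1.22.6-gke.1500 or 1.23.3-gke.1100 are affected.` would let readers check their fleet. The `title` is also vaguer than the summary — "side channel attack" is the consequence, while the bulletin content is about SMT being left enabled in GKE Sandbox images — so `title: SMT (Hyper-threading) enabled in GKE Sandbox images` would describe the actual defect. The word "misconfiguration" in the summary is Google's, so it should stay as is.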
@@ -0,0 +1,31 @@
+title: Privilege escalation in GCP Cloud SQL
+slug: gcp-2023-007
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Cloud SQL
+image: https://images.unsplash.com/photo-1544383835-bda2bc66a55d?auto=format&fit=crop&q=80&w=2036&ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D
+severity: Medium
+discoveredBy:
+  name: null
+  org: null
+  domain: null
+  twitter: null
+disclosedAt: null
+publishedAt: 2023/06/02
+exploitabilityPeriod: null
+knownITWExploitation: null
+summary: |
+  A vulnerability was discovered in Cloud SQL for SQL Server
+  that allowed customer administrator accounts to create triggers
+  in the tempdb database and use those to gain sysadmin privileges in the instance.
+  The sysadmin privileges would give the attacker access to system databases
+  and partial access to the machine running that SQL Server instance.
+manualRemediation: |
+  None required
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://cloud.google.com/support/bulletins#GCP-2023-007
+- https://cloud.google.com/sql/docs/security-bulletins#gcp-2023-007
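Review bot: The first reference uses an upper-case fragment, `#GCP-2023-007`, while the second reference and every other entry in this commit use lower-case; URL fragments are matched case-sensitively against the page's anchors, so the link may open the bulletins page without scrolling to the entry. Normalize it to `- https://cloud.google.com/support/bulletins#gcp-2023-007`. `manualRemediation: None required` would also read better with the reason, if the bulletin confirms it — e.g. `No customer action required; the fix was applied by Google to Cloud SQL for SQL Server.` — since a bare "None required" does not tell an operator whether the exposure is closed or merely not theirs to fix. The `title` says only "GCP Cloud SQL" although the summary scopes the issue to the SQL Server engine; `Privilege escalation in Cloud SQL for SQL Server` would be more precise.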