PT-2020-20360 · Google Cloud Platform · Guest-Oslogin

Chris Moberly · Published 2020-06-22 · Updated 2024-05-21 · CVE-2020-8903

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Google Cloud Platform's guest-oslogin, versions 20190304 through 20200507

Description: A vulnerability in Google Cloud Platform's guest-oslogin allows a user with the role "roles/compute.osLogin" to escalate privileges to root. This is achieved by using their membership in the "adm" group to read the DHCP XID from the systemd journal, then setting the IP address and hostname of the instance to any value, which is stored in /etc/hosts. An attacker can then impersonate the GCE metadata server by pointing metadata.google.internal to an arbitrary IP address, making it possible to instruct the OS Login PAM module to grant administrative privileges.

Recommendations: For versions 20190304 through 20200507, if an update is not possible, edit /etc/group/security.conf and remove the "adm" group from the OS Login entry. For all affected versions, update to an image created after 2020-May-07 (20200507) to resolve the issue.

Exploit

Fix

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2020-8903
OPENSUSE-SU-2020:0996-1
OPENSUSE-SU-2020:1014-1
OPENSUSE-SU-2020_0996-1
OPENSUSE-SU-2020_1014-1
SUSE-SU-2020:1934-1
SUSE-SU-2020:2200-1
SUSE-SU-2020_1934-1
SUSE-SU-2020_2200-1

Affected Products

Suse
Guest-Oslogin