PT-2020-3712 · Google · Google Cloud

Chris Moberly

Published 2020-06-19 · Updated 2024-05-21

CVE-2020-8933

CVSS v4.0: 9.3 (Critical)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Google Cloud OS guest-oslogin versions 20190304 through 20200507
Description: The guest-oslogin feature of Google Cloud OS shipped with incorrect default permission settings that allow a local attacker to escalate privileges to root. A user who is a member of the lxd group can attach host devices and filesystems to a container; from within an lxc container the host OS filesystem can be attached and /etc/sudoers modified to gain administrative privileges.
Recommendations: For versions 20190304 through 20200507, update to an image created after 2020-May-07. As a temporary workaround on systems that cannot be updated, edit /etc/group/security.conf and remove the lxd user from the OS Login entry.
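The workaround above amounts to auditing the OS Login group file for rules that hand out the lxd group and rewriting them without it. The script below is an added example, not code from the advisory, Positive Technologies or the guest-oslogin project; it assumes the file uses pam_group syntax (services;ttys;users;times;groups) and runs against a constructed sample configuration.

```python
"""Audit a pam_group-style group file for rules that grant the lxd group.

Added example; assumes pam_group syntax (services;ttys;users;times;groups,
groups comma-separated). The sample configuration below is constructed.
"""

RISKY_GROUPS = {"lxd"}  # membership lets a login attach host filesystems from a container

# Constructed sample: the first rule hands every SSH login the lxd group.
SAMPLE_CONF = """\
# pam_group rules (constructed sample)
sshd;*;*;Al0000-2400;adm,dip,docker,lxd,plugdev,video
login;tty*;*;Al0000-2400;floppy
"""

def parse_line(line):
    """Return (fields, groups) for a rule line, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split(";")
    if len(fields) != 5:
        raise ValueError(f"malformed pam_group entry: {line!r}")
    groups = [g.strip() for g in fields[4].split(",") if g.strip()]
    return fields, groups

def find_risky_entries(conf):
    """List (line_no, rule, risky_groups) for every rule granting a risky group."""
    findings = []
    for line_no, line in enumerate(conf.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, groups = parsed
        hits = sorted(RISKY_GROUPS & set(groups))
        if hits:
            findings.append((line_no, line.strip(), hits))
    return findings

def harden(conf):
    """Return the config with risky groups stripped from each rule; comments kept."""
    out = []
    for line in conf.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            out.append(line)
            continue
        fields, groups = parsed
        kept = [g for g in groups if g not in RISKY_GROUPS]
        if kept:  # a rule left with no groups grants nothing, so it is dropped
            fields[4] = ",".join(kept)
            out.append(";".join(fields))
    return "\n".join(out) + "\n"
```

Point find_risky_entries at the real file contents to confirm the exposure is gone after applying the workaround or updating the image.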

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

BDU:2020-04069
CVE-2020-8933
OPENSUSE-SU-2020:0996-1
OPENSUSE-SU-2020:1014-1
OPENSUSE-SU-2020_0996-1
OPENSUSE-SU-2020_1014-1
SUSE-SU-2020:1934-1
SUSE-SU-2020:2200-1

Affected Products

Google Cloud
Suse