The impact of this issue announcement is low. Please act accordingly to rectify the issue, as stated below.
OS Config, a Google Cloud Platform service for Compute Engine
What you need to know:
Google recently fixed a privilege escalation vulnerability in a Google Cloud Platform service for Compute Engine that is tasked for operating systems management on virtual machines.
According to the tech giant, the OS Config service API, as well as its agent, allows users to run various operations across VM instances, including patch management, collection of OS information, and deployment and removal of software package updates.
Originally figured out by Security researcher Imre Rad, the OS Config service was apparently still in beta, and the agent process associated with the agent was running, by default, in root.
Though downplayed, and the possibility of exploitation is low, Google thought it was an interesting finding and apparently agreed as they rolled out a patch in the first week of September.
The vulnerability’s technical details are uploaded via Github at https://github.com/irsl/google-osconfig-privesc.
Actions to be taken:
Administrators are urged to review the management best practices for the OS Config agent’s three main features:
- OS inventory management (https://cloud.google.com/compute/docs/instances/os-inventory-management)
- OS patch management (https://cloud.google.com/compute/docs/os-patch-management)
- OS configuration management (https://cloud.google.com/compute/docs/os-config-management)
For installation instructions on OS Config agent on a Compute Engine VM instance, they may check this: https://cloud.google.com/compute/docs/manage-os#agent-install