CVE-2020-8907

EUVD-2020-29746
A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and mount the host OS. Within docker, it is possible to modify the host OS filesystem and modify /etc/groups to gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "docker" user from the OS Login entry.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Affected Products (NVD)
VendorProductVersion
googleguest-oslogin
20190304.00 ≤
𝑥
≤ 20200507.00
opensuseleap
15.1
opensuseleap
15.2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gce-compute-image-packages
bionic
Fixed 20190801-0ubuntu1~18.04.1
released
eoan
Fixed 20190801-0ubuntu1.1
released
focal
Fixed 20190801-0ubuntu4.1
released
groovy
Fixed 20190801-0ubuntu5
released
hirsute
Fixed 20190801-0ubuntu5
released
impish
Fixed 20190801-0ubuntu5
released
jammy
Fixed 20190801-0ubuntu5
released
kinetic
Fixed 20190801-0ubuntu5
released
lunar
Fixed 20190801-0ubuntu5
released
mantic
Fixed 20190801-0ubuntu5
released
noble
Fixed 20190801-0ubuntu5
released
trusty
needed
xenial
Fixed 20190801-0ubuntu1~16.04.1
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00047.html
https://cloud.google.com/support/bulletins/#gcp-2020-008
https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00047.html
https://cloud.google.com/support/bulletins/#gcp-2020-008
https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020