CVE-2020-8907

A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and mount the host OS. Within docker, it is possible to modify the host OS filesystem and modify /etc/groups to gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "docker" user from the OS Login entry.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
GoogleCNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
VendorProductVersion
googleguest-oslogin
20190304.00 ≤
𝑥
≤ 20200507.00
opensuseleap
15.1
opensuseleap
15.2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gce-compute-image-packages
noble
Fixed 20190801-0ubuntu5
released
mantic
Fixed 20190801-0ubuntu5
released
lunar
Fixed 20190801-0ubuntu5
released
kinetic
Fixed 20190801-0ubuntu5
released
jammy
Fixed 20190801-0ubuntu5
released
impish
Fixed 20190801-0ubuntu5
released
hirsute
Fixed 20190801-0ubuntu5
released
groovy
Fixed 20190801-0ubuntu5
released
focal
Fixed 20190801-0ubuntu4.1
released
eoan
Fixed 20190801-0ubuntu1.1
released
bionic
Fixed 20190801-0ubuntu1~18.04.1
released
xenial
Fixed 20190801-0ubuntu1~16.04.1
released
trusty
needed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00047.html
https://cloud.google.com/support/bulletins/#gcp-2020-008
https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00047.html
https://cloud.google.com/support/bulletins/#gcp-2020-008
https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020