Threat Watch

Unpatched Virtual Machine Takeover Bug Affects Google Compute Engine

An unpatched security vulnerability affecting Google’s Compute Engine platform could be abused by an attacker to take over virtual machines remotely if the machine uses DHCP. “This is done by impersonating the metadata server from the targeted virtual machine’s point of view,” security researcher Imre Rad said in an analysis published Friday. “By mounting this exploit, the attacker can grant access to themselves over SSH (public key authentication) so then they can login as the root user.” According to the researcher, the issue is a consequence of weak pseudo-random numbers used by the ISC DHCP client, resulting in a scenario wherein an adversary crafts multiple DHCP packets using a set of precalculated transaction identifiers (aka XIDs) and floods the victim’s DHCP client, ultimately leading to the impersonation of the metadata server.


Google was informed about the issue on Sept 27, 2020 but has yet to roll out a patch or provide a timeline for when the correction will be made available. If you use Google’s Compute Engine platform, the best precautions to take until a fix arrives is to not use DHCP or setup a host level firewall rule to ensure the DHCP communication comes from the legitimate metadata server. You can also block UDP/68 between VMs, so that only the metadata server can carry out DHCP.