Synopsis
Tenable Research has identified and responsibly disclosed a privilege escalation vulnerability in Google Cloud Monitoring. This flaw allowed a low-privileged attacker to bypass Identity and Access Management (IAM) controls and invoke authenticated Cloud Run services despite lacking permissions.
Cloud Monitoring Uptime Checks can be configured to authenticate against HTTP targets using the Monitoring Service Agent's ID token. The Monitoring Service Agent (service-PROJECT_NUMBER@gcp-sa-monitoring-notification.iam.gserviceaccount.com) is a Google-managed identity that, by default, is granted the run.routes.invoke permission. This permission allows the holder to call authenticated Cloud Run endpoints. By testing an Uptime Check on an authenticated Cloud Run endpoint, an attacker with the extremely limited monitoring.uptimeCheckConfigViewer role could invoke that endpoint with arbitrary parameters using the Service Agent’s identity.
Solution
Google implemented a fix that prevents Google Cloud Monitoring uptime checks from letting users deploy or test the Service Agent authentication feature against arbitrary URLs. Google also added extra permission checks so that the Service Agent authentication feature is only available to users holding the correct permissions. Google fixed the issue, and no specific action is required from customers at this time, as long as they follow Google Cloud's guidelines for creating public uptime checks (https://cloud.google.com/monitoring/uptime-checks).
Proof of Concept
2. Authenticate as a principal that holds the monitoring.uptimeCheckConfigViewer role but lacks the run.routes.invoke permission
3. Create a new Uptime Check by browsing to https://console.cloud.google.com/monitoring/uptime/create?project=<your_project>
The page should show a permission error for a moment, and then open the creation form
4. Under ‘Protocol’, choose HTTPS
5. Under ‘Hostname’, enter the hostname of the authenticated Cloud Run service
6. Change the request options as necessary
7. Change ‘Authentication Method’ to ‘Service Agent Authentication’
8. Go to the ‘Review’ section, and insert any title
9. Click ‘Test’; the Cloud Run service will be invoked with the Service Agent’s identity
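As an added defender-side example (not part of the Tenable advisory or Google's tooling), the following script audits a project's uptime check configurations for the condition the advisory describes: a check that presents the Monitoring Service Agent's ID token to an authenticated target. It runs over a constructed sample shaped like a `projects.uptimeCheckConfigs.list` response; the field names `httpCheck.serviceAgentAuthentication.type` and the `uptime_url` resource labels follow the Cloud Monitoring v3 API as I understand it and should be treated as an assumption.

```python
import json

# Constructed sample resembling a projects.uptimeCheckConfigs.list response.
# One check is an ordinary public probe; the other uses Service Agent
# Authentication against an authenticated Cloud Run host (*.run.app).
SAMPLE_CONFIGS = json.loads("""
{"uptimeCheckConfigs": [
  {"name": "projects/demo/uptimeCheckConfigs/public-site",
   "displayName": "public site",
   "monitoredResource": {"type": "uptime_url",
       "labels": {"host": "www.example.com", "project_id": "demo"}},
   "httpCheck": {"path": "/", "port": 443, "useSsl": true}},
  {"name": "projects/demo/uptimeCheckConfigs/internal-api",
   "displayName": "internal api",
   "monitoredResource": {"type": "uptime_url",
       "labels": {"host": "internal-api-abc123-uc.a.run.app", "project_id": "demo"}},
   "httpCheck": {"path": "/admin/run-job", "port": 443, "useSsl": true,
                 "serviceAgentAuthentication": {"type": "OIDC_TOKEN"}}}
]}
""")


def uses_service_agent_auth(cfg):
    """True when the check sends the Monitoring Service Agent's OIDC ID token."""
    http = cfg.get("httpCheck") or {}
    auth = http.get("serviceAgentAuthentication") or {}
    return auth.get("type") == "OIDC_TOKEN"


def find_risky_checks(listing):
    """Return (name, host, path, severity) for every check that would call its
    target with the Service Agent's identity. Cloud Run hosts are rated high
    because the agent holds run.routes.invoke by default; any other host is
    rated medium, since the target may still honour the agent's token."""
    findings = []
    for cfg in listing.get("uptimeCheckConfigs", []):
        if not uses_service_agent_auth(cfg):
            continue
        labels = (cfg.get("monitoredResource") or {}).get("labels", {})
        host = labels.get("host", "")
        path = (cfg.get("httpCheck") or {}).get("path", "/")
        severity = "high" if host.endswith(".run.app") else "medium"
        findings.append((cfg["name"], host, path, severity))
    return findings


if __name__ == "__main__":
    for name, host, path, severity in find_risky_checks(SAMPLE_CONFIGS):
        print(f"[{severity}] {name} -> https://{host}{path}")
```

Any check it flags deserves a review of who can edit or test uptime checks in that project and whether the target endpoint should be reachable with the agent's identity at all.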
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]