A recent security report states that it is possible to hijack sessions on Google Compute Engine virtual machines to gain root access through a DHCP attack. While deploying this attack is impractical, an exploit attempt can be highly functional.
The report, published on GitHub, mentions that a threat actor could allow threat actors to take control of virtual machines because these deployments rely on ISC DHCP software, which employs a very weak random number generator. A successful attack clutters these virtual machines with DHCP traffic, forcing the use of a fake metadata server controlled by an attacker.
If the attack is successful, the virtual machine uses the unauthorized server for its configuration instead of an official Google one, which would allow cybercriminals to log in to the affected device with root access.
The DHCP client’s ISC implementation relies on three things to generate a random identifier: the UNIX time at which the process starts; the PID of the dhclient process; and the sum of the last four bytes of ethernet (MAC) addresses of the machine’s network interface cards. The customer uses this random number, XID, to track their communications with Google’s DHCP servers.
The main goal is to infest the virtual machine with a flow of DHCP packets, with a better assumption for the XID, until dhclient accepts them through the legitimate packets from Google’s DHCP server. By then, the network stack on the victim’s virtual machine can be configured to use the fake metadata server by aliasing the host names of the Google server.
Two of these XID elements are predictable. The last four bytes of the MAC address are the same as the internal IP address of the box, and the Linux kernel assigns the PID linearly. To deploy this attack, hackers need to create multiple DHCP packets using a set of precomputed XIDs and flood the victim’s dhclient directly.
The insufficient randomization mechanism makes it easier for attackers to craft the correct XID in an avalanche of DHCP packets. By doing this, threat actors will be able to reconfigure the target’s network stack at will.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.