catalog logoThe IAM Privilege Catalog

services / Google Cloud / Compute Engine forwarding rules

Manage layer 4 port forwarding rules within a Google Cloud load balancer.

Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.

compute.​forwardingRules.​update

Can not be used to change targets. Can be used to escalate access when the rule already directs traffic to a target system and the attacker has access to a particular source endpoint.

Risks

  1. Network destruction (HIGH)
  2. Lateral movement (BOOST)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​using-​forwarding-​rules
  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​protocol-​forwarding
  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​access-​control
  • https:​/​/​cloud.​google.​com/​service-​directory/​docs/​configuring-​netlb-​in-​sd
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​compute/​forwarding-​rules
  • https:​/​/​cloud.​google.​com/​vpc/​docs/​private-​service-​connect

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog