Google Compute Engine

Connect Serial Ports Enabled

Ensure connecting to serial ports is not enabled for VM instances.

Risk Level: Medium

Description

This plugin ensures that connecting to serial ports is not enabled for VM instances. The connect-to-serial-ports feature lets users connect to a VM instance's virtual serial port and interact with it. This functionality, however, does not support restricting access by IP address.

About the Service

Google Cloud Compute Engine:

Google Cloud Compute Engine is a service that allows you to create Virtual Machines based on your preferences and run them on Google's infrastructure. You can either use Google's predefined machines with certain default configurations or create your own custom Virtual Machine to meet your exact requirements.

Impact

Because the serial console does not support IP address restrictions, any IP address can connect to an instance that has it enabled. Therefore, if connecting to serial ports is enabled, anyone with the relevant information, such as the instance name, project ID, zone, and so on, can connect to the instance from any IP address. Because attackers could gain access to the instances, this could constitute a threat to your Google Cloud project.

Steps to Reproduce

Using GCP Console:

  1. Log in to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances.
  4. Select the VM instance you want to investigate from the list of instances and go to the Details tab to examine the details of the selected VM instance.
  5. Under the Remote access section, check whether the Enable connecting to serial ports checkbox is selected. If it is, the selected VM instance is set up to allow connecting to serial ports, which is unsafe and should be disabled.
  6. Repeat steps 4 and 5 for all the VM instances you want to investigate in the selected project.
  7. If you have multiple projects that you want to investigate, repeat steps 2-6 for each project in your GCP console.
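The console check above can also be run over exported instance data. The following is an added example, not part of the original page or the plugin's own code; it goes slightly beyond the per-instance checkbox by also resolving the project-wide value, which an instance inherits when it has no setting of its own. It assumes the JSON shapes produced by `gcloud compute instances list --format=json` and by the `commonInstanceMetadata` field of `gcloud compute project-info describe --format=json`; the function names and the sample data are constructed for illustration.

```python
SERIAL_KEY = "serial-port-enable"
TRUTHY = {"true", "1"}  # metadata values that turn interactive serial console access on

def _setting(metadata):
    """Return the lower-cased serial-port-enable value from a metadata block, or None if unset."""
    for item in (metadata or {}).get("items") or []:
        if (item.get("key") or "").lower() == SERIAL_KEY:
            return str(item.get("value", "")).strip().lower()
    return None

def audit_serial_ports(instances, project_metadata=None):
    """Return (name, zone, source) for every instance whose effective setting is enabled.

    An instance-level value takes precedence; the project-wide value applies
    only when the instance does not set the key at all.
    """
    project_value = _setting(project_metadata)
    findings = []
    for inst in instances:
        value, source = _setting(inst.get("metadata")), "instance"
        if value is None:
            value, source = project_value, "project"
        if value in TRUTHY:
            zone = inst.get("zone", "").rsplit("/", 1)[-1]  # zone is exported as a full URL
            findings.append((inst["name"], zone, source))
    return findings

# Constructed sample data (hypothetical project and instances, not real resources)
_ZONES = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"
SAMPLE_INSTANCES = [
    {"name": "web-1", "zone": _ZONES + "us-central1-a",
     "metadata": {"items": [{"key": "serial-port-enable", "value": "TRUE"}]}},
    {"name": "db-1", "zone": _ZONES + "us-central1-b",
     "metadata": {"items": [{"key": "serial-port-enable", "value": "false"}]}},
    {"name": "batch-1", "zone": _ZONES + "europe-west1-b",
     "metadata": {"items": [{"key": "startup-script", "value": "echo ok"}]}},
]
SAMPLE_PROJECT_METADATA = {"items": [{"key": "serial-port-enable", "value": "1"}]}

if __name__ == "__main__":
    for name, zone, source in audit_serial_ports(SAMPLE_INSTANCES, SAMPLE_PROJECT_METADATA):
        print(f"FAIL {name} ({zone}): serial port access enabled via {source} metadata")
```

In the sample, `db-1` passes because its own `false` value overrides the project-wide setting, while `batch-1` fails even though its own metadata never mentions the key.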

Steps for Remediation

Determine whether or not you truly require connecting to serial ports to be enabled. If not, make the necessary changes to disable connecting to serial ports of your VM instances.

The steps to disable this feature are:
Using GCP Console:

  1. Log in to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances.
  4. From the list of instances, choose the VM instance you want to reconfigure. (In case you aren't sure which instance needs to be configured, follow the steps to reproduce listed above to determine which instance to choose.)
  5. Select the Edit option from the top navigation bar of the VM instance details page.
  6. Under the Remote access section, uncheck the Enable connecting to serial ports checkbox to disable serial port connections to the selected VM instance.
  7. Click Save to save the changes.
  8. Repeat steps 4 to 7 for all the VM instances you want to reconfigure in the selected project.
  9. If you have multiple projects, repeat steps 2 to 8 for each project in your GCP console.