services / Google Cloud / Compute Engine forwarding rules

Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing.

Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.


compute.​globalForwardingRules.​setTargets

Can be used to escalate access when an attacker can reach the loadbalancer source endpoint.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​using-​forwarding-​rules
  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​protocol-​forwarding
  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​access-​control
  • https:​/​/​cloud.​google.​com/​service-​directory/​docs/​configuring-​netlb-​in-​sd
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​compute/​forwarding-​rules
  • https:​/​/​cloud.​google.​com/​vpc/​docs/​private-​service-​connect
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog