CVE-2024-9858
📋 TL;DR
Google Cloud Migrate to containers versions 1.1.0 to 1.2.2 on Windows create a local 'm2cuser' account with administrator privileges by default. If the migration process is interrupted or skips cleanup, this account persists, allowing local privilege escalation. Only Windows installations running affected versions are impacted.
💻 Affected Systems
- Google Cloud Migrate to containers
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could use the persistent 'm2cuser' account to gain full administrator control over the Windows system, potentially installing malware, stealing data, or pivoting to other systems.
Likely Case
During normal interrupted operations, the account remains active, allowing any local user or malware to escalate privileges to administrator level on that specific machine.
If Mitigated
With proper cleanup procedures and monitoring, the account would be automatically removed after successful operations, leaving no persistent vulnerability.
🎯 Exploit Status
Exploitation requires local access to the Windows machine. An attacker would simply need to authenticate as 'm2cuser' or use it for privilege escalation if they have another local account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.3 or later
Vendor Advisory: https://cloud.google.com/migrate/containers/docs/m2c-cli-relnotes#october_8_2024
Restart Required: No
Instructions:
1. Download Google Cloud Migrate to containers version 1.2.3 or later from official Google Cloud sources.
2. Uninstall the current vulnerable version.
3. Install the patched version.
4. Verify the 'm2cuser' account does not exist or has limited privileges.
🔧 Temporary Workarounds
Manual user account cleanup
Manually remove the 'm2cuser' account from Windows systems after each migration operation:
net user m2cuser /delete
Restrict m2cuser privileges
If the account must persist, remove its administrator privileges:
net localgroup administrators m2cuser /delete
🧯 If You Can't Patch
- Monitor for existence of 'm2cuser' account using automated scripts and alert on detection
- Implement strict access controls to prevent unauthorized local access to affected Windows machines
🔍 How to Verify
Check if Vulnerable:
Check whether the 'm2cuser' account exists and whether it holds administrator privileges: run 'net user m2cuser' and 'net localgroup administrators'
Check Version:
m2c --version
Verify Fix Applied:
Verify 'm2cuser' account does not exist or is not in administrators group after patching
📡 Detection & Monitoring
Log Indicators:
- Windows Security event logs showing authentication attempts as 'm2cuser'
- Account creation/modification events for 'm2cuser'
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
(EventID=4720 OR EventID=4722 OR EventID=4624) AND TargetUserName='m2cuser'
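Added example, not part of the advisory or of Google's tooling: a PowerShell check that combines the verification steps (account exists, account is a local administrator) with the detection logic (4720/4722/4624 events for 'm2cuser'). The account name and event IDs come from the page; the cmdlets used, the 24-hour lookback and the output shape are this script's own assumptions.

```powershell
# Added example (not from the advisory or Google's tooling): one-shot check for a
# leftover 'm2cuser' admin account plus the Security events the SIEM query targets.
# Assumes PowerShell 5.1+ on the Windows host being migrated, run elevated so the
# Security log is readable. Account name and event IDs come from the advisory; the
# 24-hour lookback and the output shape are this script's own choices.

$AccountName   = 'm2cuser'
$LookbackHours = 24

# 1. Does the account still exist? (A clean migration run removes it.)
$user   = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
$exists = $null -ne $user

# 2. Is it still a member of the local Administrators group?
$isAdmin = $false
if ($exists) {
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*\$AccountName" })
}

# 3. Recent creation (4720), enable (4722) and logon (4624) events for that account.
#    The ID filter and the TargetUserName filter are applied as separate steps, so
#    the AND/OR precedence problem of a flat query string cannot occur here.
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4722, 4624
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text' -eq $AccountName
    } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } }

# Summary record suitable for feeding a monitoring job or a SIEM agent.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    AccountExists    = $exists
    AccountEnabled   = if ($exists) { $user.Enabled } else { $false }
    IsLocalAdmin     = $isAdmin
    RecentEventCount = @($events).Count
    Vulnerable       = $exists -and $isAdmin
} | Format-List

if ($events) { $events | Format-Table -AutoSize }
```

Schedule it after each migration run; a result of Vulnerable = True means the cleanup step did not complete and the workaround commands above should be applied.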