Dig, the cloud data security leader, today released new threat research highlighting the discovery of a critical vulnerability in the Google Cloud Platform (GCP) CloudSQL service. The vulnerability could have enabled a malicious actor to escalate from a basic CloudSQL user to a full-fledged sysadmin on a container, gaining access to internal GCP data like secrets, sensitive files, passwords, in addition to customer data.
Dig’s research team identified the vulnerability through a gap in GCP’s security layer. This vulnerability enabled them to escalate initial privilege and add a user to the DbRootRole role, a GCP admin role. Another critical misconfiguration in the roles permissions architecture enabled Dig’s researchers to further escalate their privilege, eventually granting their user the sysadmin role. They bypassed the barrier and got full control on the SQL Server.
Assuming complete control on the database engine, Dig’s researchers gained access to the operating system hosting the database. At this point they could access sensitive files in the host OS, list files and sensitive paths, read passwords and extract secrets from the machine.
While the Dig research team got access to the operating system, they managed to find some of Google’s internal URLs related to the docker image repository. They were able to access the internal repo (which has since been fixed, and access is blocked from non internal IPs).
Upon discovering the vulnerabilities, Dig’s research team followed coordinated disclosure practices with Google, and all issues were remediated swiftly.
“Cloud data assets are the main target of today’s cyberattacks,” said Dan Benjamin, Co-Founder and CEO, Dig Security. “Data is the lifeblood of the modern enterprise, and GCP is one of the top public cloud providers. We chose to focus this threat research on CloudSQL because of its potential impact on customer data. We were proud to work closely with the Google team to patch the new security vulnerability swiftly and effectively.”