Dig, the cloud data security company, has released new threat research highlighting the discovery of a critical vulnerability in the Google Cloud Platform (GCP) CloudSQL service. The vulnerability could have enabled a malicious actor to escalate from a basic CloudSQL user to a full-fledged sysadmin on a container, gaining access to internal GCP data like secrets, sensitive files, passwords, in addition to customer data.
Dig’s research team identified the vulnerability through a gap in GCP’s security layer. This vulnerability enabled them to escalate initial privilege and add a user to the DbRootRole role, a GCP admin role. Another critical misconfiguration in the roles permissions architecture enabled Dig’s researchers to further escalate their privilege, eventually granting their user the sysadmin role. They bypassed the barrier and got full control on the SQL Server.
Assuming complete control on the database engine, Dig’s researchers gained access to the operating system hosting the database. At this point they could access sensitive files in the host OS, list files and sensitive paths, read passwords and extract secrets from the machine. The host also gained access to the underlying https://cloud.google.com/iam/docs/service-agents, which could be further escalated to other environments.
While the Dig research team got access to the operating system, they managed to find some of Google’s internal URLs related to the docker image repository. They were able to access the internal repo (which has since been fixed, and access is blocked from non internal IPs).
Upon discovering the vulnerabilities, Dig’s research team followed coordinated disclosure practices with Google, and all issues were remediated swiftly.