CyberSecurity SEE

Google Cloud Bug Enables Takeover of Server through CloudSQL Service

A critical vulnerability that allowed attackers to escalate privileges and access sensitive data and secrets on Google Cloud Platform’s (GCP) database service, CloudSQL, has been fixed. Researchers at Dig Security discovered the flaw, which they said could have allowed hackers to breach other cloud services, potentially including customer environments. The vulnerability stemmed from a security gap around the CloudSQL service and was exploited to add a user to the DbRootRole role on GCP, an administrative role. From that role, the researchers escalated privileges further until they obtained system administrator access to the SQL Server instance, which in turn gave them access to the underlying operating system. Google patched the flaw in April.
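The escalation chain described above runs through two role-membership changes (DbRootRole, then sysadmin), which is where a defender would want an alert. The following added example, not code from the article or from Dig Security, scans constructed SQL Server audit-style statements for grants of those roles; it assumes T-SQL `ALTER SERVER ROLE ... ADD MEMBER` syntax and does not model CloudSQL's real audit log format.

```python
import re
from dataclasses import dataclass

# Constructed sample of (actor, statement) pairs, in the shape a SQL Server
# audit export might give; these are NOT real CloudSQL log entries.
SAMPLE_STATEMENTS = [
    ("alice", "SELECT name FROM sys.databases"),
    ("alice", "ALTER SERVER ROLE [DbRootRole] ADD MEMBER [svc_report]"),
    ("svc_report", "ALTER SERVER ROLE [sysadmin] ADD MEMBER [svc_report]"),
    ("bob", "CREATE TABLE t (id int)"),
]

# Roles whose membership changes warrant review: the GCP admin role named in
# the article and SQL Server's built-in sysadmin role.
HIGH_PRIVILEGE_ROLES = {"dbrootrole", "sysadmin"}

# Matches T-SQL server-role membership grants, with or without [] quoting.
ROLE_GRANT = re.compile(
    r"ALTER\s+SERVER\s+ROLE\s+\[?(?P<role>\w+)\]?\s+ADD\s+MEMBER\s+\[?(?P<member>\w+)\]?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    actor: str
    role: str
    member: str
    self_grant: bool  # actor granted the role to its own login


def find_privilege_grants(statements):
    """Return a Finding for each grant of a high-privilege server role."""
    findings = []
    for actor, stmt in statements:
        m = ROLE_GRANT.search(stmt)
        if not m or m.group("role").lower() not in HIGH_PRIVILEGE_ROLES:
            continue
        member = m.group("member")
        findings.append(
            Finding(actor, m.group("role"), member, actor.lower() == member.lower())
        )
    return findings


if __name__ == "__main__":
    for f in find_privilege_grants(SAMPLE_STATEMENTS):
        flag = " (self-grant)" if f.self_grant else ""
        print(f"{f.actor} added {f.member} to {f.role}{flag}")
```

A self-grant of sysadmin by a login that just received DbRootRole is the pattern to page on; ordinary DDL such as the CREATE TABLE line produces no finding.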

The vulnerability was identified in February, and the researchers followed coordinated disclosure practices using Google’s vulnerability award program to inform the company. Under the program, Google and the researchers worked together to resolve the issues, with Google rewarding Dig through its bug bounty program on April 25.

Experts warned that cloud misconfigurations are still common reasons for vulnerabilities in cloud security, and organizations should consider applying data security controls regardless of what their cloud providers offer. This applies even if the provider’s environment has a flaw, according to Ofir Balassiano, co-founder and head of research at Dig Security.

“To avoid potential exploitation of a flaw like the one the team found, organizations can benefit from deploying a DSPM solution that locates their most sensitive data and ensures it is protected,” said Balassiano, adding that deploying data detection and response solutions can also help organizations get ahead of potential breaches.

Separately, Dig Security has also released research indicating a misconfiguration in the Zyxel network-attached storage (NAS) device allowed attackers to gain access to its administration web interface and exposed a private hijackable token. The issue is said to have been patched by Zyxel in December 2019.