A critical vulnerability in Google’s Cloud SQL database service could have led to unauthorized access to sensitive data and other cloud services. The flaw came to light when Dig Security researchers revealed that bad actors could exploit a security gap in the Cloud SQL service of GCP, the Google Cloud Platform. The flaw was serious enough to enable unauthorized access to several database engines, including MySQL, PostgreSQL, and SQL Server. Dig Security’s Ofir Balassiano and Ofir Shaty explained that exploiting the vulnerability allowed them to elevate privileges and assign a user to the highly privileged DbRootRole role in GCP.
Google remedied the issue in April after being notified by Dig Security, which was then awarded a bug bounty for finding the vulnerability. The researchers discovered a misconfiguration in the roles-permissions architecture that allowed them to escalate privileges. They obtained a system administrator role, granting them complete control over the SQL Server instance and enabling access to the underlying operating system. The vulnerability made it possible for them to retrieve sensitive files, view privileged paths, and extract passwords. They could even access secrets from the host operating system and potentially escalate to other environments through the underlying service agents.
In addition, the researchers found another flaw within the permission structure that allowed them to elevate privileges and grant their users the coveted ‘sysadmin’ role. Unauthorized access to internal data such as secrets, URLs, and passwords poses a considerable security threat, as demonstrated by their ability to obtain sensitive information from Google’s Docker image repository before the issue was resolved and access from non-internal IP addresses was restricted.
The research timeline shows that the GCP Cloud SQL vulnerability was discovered by Dig’s research team on 5 February 2023, and the Google Vulnerability Reward Program contacted the team on 13 February 2023. During April 2023 the vulnerability was addressed and resolved, and the researchers were rewarded by the GCP VRP program on 25 April 2023.
Deploying a Data Security and Privacy Management (DSPM) solution can help safeguard organizations from such vulnerabilities by identifying and protecting their most sensitive data through encryption, containing potential breaches, and minimizing exposure. Organizations must remain vigilant in identifying and addressing vulnerabilities to ensure the safety and security of their data and services. While Google acted rapidly to fix the flaws, their timely discovery by Dig Security highlights the importance of collaborating with security researchers to strengthen security and prevent breaches.