A new security hole has been disclosed in the Google Cloud Platform (GCP) Cloud SQL service that could potentially be exploited to gain access to confidential data.
“The vulnerability could allow a malicious actor to escalate from a basic Cloud SQL user to a full-fledged sysadmin in a container, gaining access to internal GCP data such as secrets, sensitive files, passwords, in addition to customer data,” Israeli cloud security firm Dig said.
Cloud SQL is a fully managed service for running MySQL, PostgreSQL, and SQL Server databases for cloud-based applications.
In summary, the multi-stage attack chain identified by Dig exploits a loophole in the security layer that the cloud platform places around SQL Server to elevate a user's privileges to an administrator role.
The enhanced permissions then make it possible to abuse another critical misconfiguration to gain system administrator privileges and take full control of the database server.
From there, threat actors can access all files hosted on the underlying operating system, enumerate files, and extract passwords, which can then act as a launching pad for further attacks.
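A check that follows from the chain described above: the escalation hinges on an ordinary database user ending up in a server-level administrator role, so a defender's first question is who currently holds those rights. The T-SQL below is an added audit example for a SQL Server instance (it is not code from the article or from Dig, and it is not specific to Cloud SQL); it assumes only the standard SQL Server catalog views and a login with enough visibility (VIEW ANY DEFINITION or equivalent) to see all server principals. On a managed Cloud SQL instance the customer login is not expected to be a sysadmin, so any non-Google member returned by the first query is worth a closer look.

```sql
-- Added audit example (not from the original article). Assumes standard SQL Server
-- catalog views and a login that can see every server principal.

-- 1. Members of the fixed server roles that grant administrative control.
SELECT r.name      AS server_role,
       m.name      AS member_login,
       m.type_desc AS member_type,
       m.create_date,
       m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 2. Logins granted CONTROL SERVER directly. This is equivalent to sysadmin
--    but does not show up in the role-membership query above.
SELECT p.name               AS login_name,
       perm.permission_name,
       perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS p ON p.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'CONTROL SERVER'
  AND perm.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION');

-- 3. Server principals modified in the last 30 days. A login whose modify_date
--    is newer than any planned change is a candidate for investigation.
SELECT name, type_desc, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
  AND modify_date > DATEADD(day, -30, SYSUTCDATETIME())
ORDER BY modify_date DESC;
```

Run the three queries on a schedule and diff the output against a known-good baseline; a new row in the first or second result set is the signal that matters, since it is exactly the state the attack chain above tries to reach.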
“Gaining access to internal data such as secrets, URLs and passwords can lead to the disclosure of cloud provider data and sensitive customer data which is a major security incident,” said Dig researchers Ofir Balassiano and Ofir Shaty.
Following responsible disclosure in February 2023, Google addressed the issue in April 2023.
The disclosure comes as Google announced the availability of its Automatic Certificate Management Environment (ACME) API for all Google Cloud users, which lets them automatically acquire and renew TLS certificates for free.