Summary
A vulnerability discovered in GCP's Cloud SQL service allowed customer
administrator accounts to create triggers in the tempdb database and use
those to gain sysadmin privileges in the instance. This could be abused
to result in complete control of the database engine and access to the
host OS. An attacker could have listed and accessed files in the host OS,
including any secrets on the machine, as well as gaining access to service
agents. However, it is unclear from the report if this level of access could
have allowed lateral movement within the Cloud SQL service or grant cross-tenant
access to other customers' data. The reporters did not disclose any lateral movement
and Google stated in their security bulletin that it was not possible.
Affected Services
Cloud SQL
Remediation
None required
Tracked CVEs
No tracked CVEs
References
https://www.dig.security/post/gcp-cloudsql-vulnerability-leads-to-internal-container-access-and-data-exposurehttps://cloud.google.com/sql/docs/security-bulletins#gcp-2023-007
Contributed by https://github.com/jacks-reid
Disclosure Date
Mon, Feb 13th, 2023
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Dig
