
Google Cloud database service patched against critical vulnerability

Attacker could get sysadmin on CloudSQL.

By Richard Chirgwin on May 29, 2023 11:44AM

A now-patched misconfiguration in Google Cloud Platform’s database service opened the possibility that an attacker could escalate their privilege to compromise other services.

Researchers at Dig Security found that the combination of a gap in GCP’s security layer for SQL Server and a misconfiguration in the roles permission architecture created a path by which they were able to create a user and grant it sysadmin privileges.

The first allowed the researchers to create a user they could add to the GCP admin role “DbRootRole”.

“With the role `DbRootRole` we were able to do many things that we didn’t have permission to do before,” the researchers wrote in a blog post describing the bug.

“Still, the `DbRootRole` is not a sysadmin role and doesn’t have full permissions on the SQL Server instance.”

Exploiting the second misconfiguration gave them “complete control on the database engine”, with the result that “our user was granted access to the operating system hosting the database.”

“At this point we could access sensitive files in the host OS, list files and sensitive paths, read passwords, and extract secrets from the machine.”

Moreover, the post stated, “the host has access to the underlying service agents which could potentially lead to further escalation to other environments.”

Access to internal data such as secrets, URLs and passwords represented “a major security incident”, Dig Security said.

They also found that the breach gave them access to a Google internal Docker repository, which Google later blocked from external network access.

Dig Security first found the bug in early February, and Google Cloud identified the researchers’ activity and contacted them later that month.

Dig said Google Cloud fixed the bugs in April and awarded them a bug bounty.

Copyright © iTnews.com.au. All rights reserved.