Extreme Flaw in Google Cloud’s Cloud SQL Service Uncovered Confidential Knowledge

[ad_1]

Could 26, 2023Ravie LakshmananKnowledge Security / Cloud Safety

Google Cloud's Cloud SQL Service

A brand new safety flaw has been disclosed within the Google Cloud Platform’s (GCP) Cloud SQL service that may very well be probably exploited to acquire entry to confidential knowledge.

“The vulnerability may have enabled a malicious actor to escalate from a fundamental Cloud SQL consumer to a full-fledged sysadmin on a container, having access to inner GCP knowledge like secrets and techniques, delicate recordsdata, passwords, along with buyer knowledge,” Israeli cloud safety agency Dig mentioned.

Cloud SQL is a fully-managed answer to construct MySQL, PostgreSQL, and SQL Server databases for cloud-based functions.

The multi-stage assault chain recognized by Dig, in a nutshell, leveraged a spot within the cloud platform’s safety layer related to SQL Server to escalate the privileges of a consumer to that of an administrator position.

The elevated permissions subsequently made it attainable to abuse one other vital misconfiguration to acquire system administrator rights and take full management of the database server.

Cloud SQL

From there, a risk actor may entry all recordsdata hosted on the underlying working system, enumerate recordsdata, and extract passwords, which may then act as a launchpad for additional assaults.

“Having access to inner knowledge like secrets and techniques, URLs, and passwords can result in publicity of cloud suppliers’ knowledge and prospects’ delicate knowledge which is a significant safety incident,” Dig researchers Ofir Balassiano and Ofir Shaty mentioned.

UPCOMING WEBINAR

Zero Belief + Deception: Study How you can Outsmart Attackers!

Uncover how Deception can detect superior threats, cease lateral motion, and improve your Zero Belief technique. Be part of our insightful webinar!

Save My Seat!

Following accountable disclosure in February 2023, the difficulty was addressed by Google in April 2023.

The disclosure comes as Google introduced the provision of its Computerized Certificates Administration Atmosphere (ACME) API for all Google Cloud customers to routinely purchase and renew TLS certificates without spending a dime.

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we submit.



[ad_2]

Leave a Comment

Your email address will not be published. Required fields are marked *