wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

[Contribution] GCP CloudSQL Vulnerability Leads to Internal Container Access and Data Exposure #178

Closed jacks-reid closed 1 year ago

jacks-reid commented 1 year ago

Summary (give a brief description of the issue)

Dig Security discovered a vulnerability in GCP's CloudSQL service that eventually resulted in complete control of the database engine and access to the host OS.

References (provide links to blogposts, etc.)

https://www.dig.security/post/gcp-cloudsql-vulnerability-leads-to-internal-container-access-and-data-exposure

0xdabbad00 commented 1 year ago

It's unclear what the impact is, as the blog post is very sparse on details of how they accomplished this access or what the access actually provided. All the screenshots are redacted, and even this one, which it mentions is a screenshot of an internal URL, is a publicly documented URL.

[image]

They did not prove any cross-tenant access, and I don't think RCE of the server, but did get read access to the server. We've previously assigned Critical to BreakingFormation which similarly was read access to the underlying server, although the read access was shown to be spicier, including having internal AWS creds: https://www.cloudvulndb.org/breakingformation

As a general rule for the predecessor of this project, I've historically trusted researchers, such that when they say they got some sort of access I lean toward believing them, as was the case with https://github.com/SummitRoute/csp_security_mistakes#aws-aws-employee-posts-confidential-aws-data-including-possibly-customer-access-keys-and-other-customer-information (which oddly is missing a severity in this repo: https://www.cloudvulndb.org/aws-data-post).

So even though the evidence is redacted and nearly all details of how the attack was performed are missing, we should lean toward believing that read access to the underlying host was obtained, but no cross-tenant access was proven. I'm leaning toward this being a severity of High, as the underlying host access was not shown to be impactful.