About
CloudSQL instances can have a public IP address and be made accessible from the Internet.
Understanding Impact
Business Impact
Publicly accessible CloudSQL instances are vulnerable to automated brute force and exploitation attacks. This increases the likelihood that the database is compromised and used for ransomware, extortion, or leaking sensitive data.
Technical Impact
A CloudSQL instance can either sit inside a private network with a private address or be assigned a public IP. If it has a public IP and its authorized networks allow connections from 0.0.0.0/0, anyone on the Internet can reach the database listener and attempt brute force, credential stuffing, or denial of service against it.
Identify affected resources
Use the following gcloud CLI commands to identify CloudSQL instances that are publicly accessible from the Internet. The loop flags any instance whose authorized networks include 0.0.0.0/0; that setting only matters when the instance also has a public IP, so instances with a private address alone are not reachable from the Internet even if they match.

    gcloud sql instances list --format="value(name)" |
    while read -r instance; do
        echo "Checking $instance"
        # List the authorized networks for this instance, one per line
        authorizedNetworks=$(gcloud sql instances describe "$instance" \
            --format="flattened(settings.ipConfiguration.authorizedNetworks[].value)")
        # 0.0.0.0/0 means any address on the Internet may connect
        if echo "$authorizedNetworks" | grep -q '0\.0\.0\.0/0'; then
            echo "WARNING: $instance is publicly accessible from the Internet"
        fi
    done
Remediate vulnerable resources
The first step is to restrict network access to the CloudSQL instance. For instance, you can restrict access to a known IP range used by system administrators. Note that --authorized-networks replaces the whole list of authorized networks rather than adding to it, so pass every range that should remain.

    gcloud sql instances patch CLOUD_SQL_INSTANCE_NAME --authorized-networks 1.2.3.0/24

Then, the best practice is to not assign CloudSQL instances public IP addresses at all. This makes the CloudSQL instance reachable only from a specific private (VPC) network. See also Connect to a Cloud SQL for MySQL instance with private IP.
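The identification loop above checks only the authorized-network list, and the remediation commands are meant to be applied in order: first trim the list, then remove the public IP. The following Python script ties both steps together as offline detection logic. It is an added example, not code from Datadog or from the gcloud tooling; it evaluates instance resources shaped like the JSON that `gcloud sql instances describe NAME --format=json` returns, using the real `ipAddresses`, `settings.ipConfiguration.ipv4Enabled`, `privateNetwork` and `authorizedNetworks` fields. The two instance records are constructed samples, the "broad" /16 threshold is an assumption chosen for this example, `ADMIN_RANGE_PLACEHOLDER/24` stands in for a real administrator range, and `--no-assign-ip` is gcloud's existing flag for dropping the public address (it is not mentioned in the text above).

```python
import ipaddress
import json

# Constructed samples shaped like `gcloud sql instances describe NAME --format=json`
# output (Cloud SQL Admin API instance resources); they are not from a real project.
EXPOSED_INSTANCE = {
    "name": "prod-orders-db",
    "ipAddresses": [
        {"type": "PRIMARY", "ipAddress": "203.0.113.10"},
        {"type": "PRIVATE", "ipAddress": "10.20.0.5"},
    ],
    "settings": {"ipConfiguration": {
        "ipv4Enabled": True,
        "privateNetwork": "projects/example-proj/global/networks/default",
        "authorizedNetworks": [
            {"name": "office", "value": "198.51.100.0/24"},
            {"name": "anyone", "value": "0.0.0.0/0"},
        ],
    }},
}
PRIVATE_INSTANCE = {
    "name": "prod-analytics-db",
    "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.20.0.9"}],
    "settings": {"ipConfiguration": {
        "ipv4Enabled": False,
        "privateNetwork": "projects/example-proj/global/networks/default",
    }},
}

# Assumption for this example: any authorized range wider than a /16 is flagged
# as "broad" so a reviewer looks at it, even though only /0 admits everyone.
BROAD_PREFIX_THRESHOLD = 16


def classify_network(cidr):
    """Classify one authorized-network value as 'world', 'broad' or 'specific'.
    A bare address with no prefix length is treated as a single host."""
    net = ipaddress.ip_network(cidr.strip(), strict=False)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the whole Internet
        return "world"
    if net.prefixlen < BROAD_PREFIX_THRESHOLD:
        return "broad"
    return "specific"


def assess_instance(instance):
    """Evaluate one instance resource and return a findings dict."""
    ipcfg = instance.get("settings", {}).get("ipConfiguration", {})
    public_ips = [a["ipAddress"] for a in instance.get("ipAddresses", [])
                  if a.get("type") == "PRIMARY"]
    classes = {}
    for net in ipcfg.get("authorizedNetworks", []):
        value = net.get("value", "")
        if value:
            classes[value] = classify_network(value)
    findings = {
        "name": instance.get("name"),
        "has_public_ip": bool(public_ips) or bool(ipcfg.get("ipv4Enabled")),
        "public_ips": public_ips,
        "has_private_ip": bool(ipcfg.get("privateNetwork")),
        "world_open_networks": [c for c, k in classes.items() if k == "world"],
        "broad_networks": [c for c, k in classes.items() if k == "broad"],
        "specific_networks": [c for c, k in classes.items() if k == "specific"],
    }
    # The exposure described in the write-up needs both conditions at once:
    # a public IP and an authorized network that admits the whole Internet.
    findings["internet_exposed"] = (findings["has_public_ip"]
                                    and bool(findings["world_open_networks"]))
    if findings["internet_exposed"]:
        findings["severity"] = "critical"
    elif findings["has_public_ip"]:
        findings["severity"] = "medium"
    else:
        findings["severity"] = "ok"
    return findings


def remediation_commands(findings):
    """Suggest gcloud commands in the order the write-up recommends: first trim
    the authorized networks, then drop the public IP once a private path exists.
    --authorized-networks replaces the whole list rather than appending, so
    every range that should stay is passed again."""
    cmds = []
    name = findings["name"]
    if findings["world_open_networks"] or findings["broad_networks"]:
        keep = ",".join(findings["specific_networks"]) or "ADMIN_RANGE_PLACEHOLDER/24"
        cmds.append(f"gcloud sql instances patch {name} --authorized-networks {keep}")
    if findings["has_public_ip"] and findings["has_private_ip"]:
        # --no-assign-ip removes the public address; only safe once clients use the private path
        cmds.append(f"gcloud sql instances patch {name} --no-assign-ip")
    return cmds


if __name__ == "__main__":
    for inst in (EXPOSED_INSTANCE, PRIVATE_INSTANCE):
        report = assess_instance(inst)
        report["remediation"] = remediation_commands(report)
        print(json.dumps(report, indent=2))
```

On real output, feed each instance's `--format=json` document to `assess_instance`; an instance is only rated critical when it has a public IP and a world-open range together, which is the combination the technical impact section describes, and the suggested second command is only emitted when a private network is already attached, so clients are not cut off.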
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | SQL Database instances should only allow ingress traffic from specific IP addresses".
References
- CloudSQL connection options (GCP documentation)
- Remove an authorized IP range (GCP documentation)
- Learn about using private IP (GCP documentation)
- Case Study: Ransomware in the Cloud (page 8) (GCP documentation)