{"id":28,"date":"2023-03-20T00:52:48","date_gmt":"2023-03-20T00:52:48","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=28"},"modified":"2023-03-20T00:52:48","modified_gmt":"2023-03-20T00:52:48","slug":"insecure-bootstrap-process-in-googles-cloud-sql-proxy","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=28","title":{"rendered":"Insecure Bootstrap Process in Google\u2019s Cloud SQL Proxy"},"content":{"rendered":"<h2 class=\"wp-block-heading\">Summary<\/h2>\n<p>The bootstrap process for Google\u2019s Cloud SQL Proxy CLI uses the \u201ccurl | bash\u201d pattern and did not document a way to verify the authenticity of the downloaded binaries. The vendor updated the documentation with information on how to use checksums to verify the downloaded binaries.<\/p>\n<h2 class=\"wp-block-heading\">Vulnerability Details<\/h2>\n<p><a href=\"https:\/\/wwws.nightwatchcybersecurity.com\/2021\/07\/12\/speaking-appsec_village-defcon-29\/\">As part of our ongoing research into supply chain attacks<\/a>, we have been analyzing bash installer scripts using the \u201ccurl | bash\u201d pattern. <a href=\"https:\/\/github.com\/GoogleCloudPlatform\/cloud-sql-proxy#installation\">Google provides such a script<\/a> used to install the Cloud SQL Proxy. However, the documentation does not indicate how to verify the downloaded files prior to execution. 
<\/p>\n<h2 class=\"wp-block-heading\">Vendor Response<\/h2>\n<p>The vendor <a href=\"https:\/\/github.com\/GoogleCloudPlatform\/cloud-sql-proxy\/pull\/1676\/files\">updated their documentation<\/a> with information on how to verify downloaded binaries via checksums.<\/p>\n<h2 class=\"wp-block-heading\">References<\/h2>\n<p>Vendor issue tracker #244384166<\/p>\n<h2 class=\"wp-block-heading\">Timeline<\/h2>\n<p>2022-08-30: Initial report to the vendor<br \/>2022-08-30: Vendor acknowledged the report<br \/>2022-09-27: Vendor rejected the report as a security issue<br \/>2023-03-03: Vendor reported that a fix has been implemented<br \/>2023-03-19: Public disclosure<\/p>","protected":false},"excerpt":{"rendered":"<p>Summary The bootstrap process for Google\u2019s Cloud SQL Proxy CLI uses the \u201ccurl | bash\u201d pattern and did not document a way to verify the authenticity of the downloaded binaries. The vendor updated the documentation with information on how to use checksums to verify the downloaded binaries. 
Vulnerability Details As part of our ongoing research into supply chain [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-28","post","type-post","status-publish","format-standard","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/28"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/28\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}