GCP SQL Server suspicious configuration
Description
AlphaSOC detected a GCP Cloud SQL for SQL Server instance being configured, via
cloudsql.instances.update, with database flags that weaken its security. This
includes enabling contained database authentication, cross db ownership
chaining, external scripts enabled, or remote access. Disabling trace flag 3625
(which masks sensitive details in error messages) is also flagged.
Such configurations can enable privilege escalation, cross-database attacks, arbitrary code execution, or exposure of sensitive error information to non-administrative users.
Impact
Enabling these dangerous SQL Server flags can allow attackers to escalate privileges, execute arbitrary code, access data across database boundaries, or obtain sensitive system information from error messages.
Severity
| Severity | Condition |
|---|---|
| Low | Suspicious database flag configuration |
Investigation and Remediation
Review GCP audit logs for the cloudsql.instances.update action and examine the
databaseFlags configuration. Identify which security-weakening flags were
enabled and the principal responsible.
If unauthorized, disable the suspicious database flags immediately. Contained database authentication, cross-database ownership chaining, external scripts, and remote access should typically be disabled in production environments. Investigate the compromised identity and review database activity logs for signs of exploitation.
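One way to automate the audit-log review described above, as an added example that is not AlphaSOC's or Google's code: it inspects a constructed Cloud Audit Log entry for cloudsql.instances.update and reports which security-weakening flags were set and by which principal. The field layout (protoPayload.request.body.settings.databaseFlags as name/value pairs) and the "on"/"off" flag values are assumptions based on the Cloud SQL Admin API, and the sample entry is constructed.

```python
import json

# Database flags that weaken Cloud SQL for SQL Server when set to this value.
# "on"/"off" follows the Cloud SQL flag convention (assumption, see lead-in).
WEAKENING_FLAGS = {
    "contained database authentication": "on",
    "cross db ownership chaining": "on",
    "external scripts enabled": "on",
    "remote access": "on",
    "3625": "off",  # trace flag 3625 masks sensitive detail in error messages
}

def find_weakening_flags(entry):
    """Return (principal, instance, flag, value) tuples for each
    security-weakening flag set by a cloudsql.instances.update entry.
    Other methods, or harmless flag values, yield an empty list."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "cloudsql.instances.update":
        return []
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "?")
    request = payload.get("request", {})
    instance = request.get("instance", "?")
    flags = request.get("body", {}).get("settings", {}).get("databaseFlags", [])
    hits = []
    for flag in flags:
        name = str(flag.get("name", "")).lower()
        value = str(flag.get("value", "")).lower()
        if WEAKENING_FLAGS.get(name) == value:
            hits.append((principal, instance, name, value))
    return hits

# Constructed sample audit-log entry: two risky flags, one harmless value.
SAMPLE_ENTRY = json.loads("""{
  "protoPayload": {
    "methodName": "cloudsql.instances.update",
    "authenticationInfo": {"principalEmail": "dev-svc@example-project.iam.gserviceaccount.com"},
    "request": {
      "instance": "mssql-prod-01",
      "body": {"settings": {"databaseFlags": [
        {"name": "cross db ownership chaining", "value": "on"},
        {"name": "3625", "value": "off"},
        {"name": "remote access", "value": "off"}
      ]}}
    }
  }
}""")

if __name__ == "__main__":
    for principal, instance, name, value in find_weakening_flags(SAMPLE_ENTRY):
        print(f"{principal} set '{name}'={value} on {instance}")
```

Feed the function real entries from Cloud Logging filtered on the cloudsql.instances.update method; each hit names the principal to investigate and the flag to revert.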