This article is more than 1 year old
You better watch out, you better not cry. Better not pout, I'm telling you why: SQLite vuln fixes are coming to town
May your days be merry and bright, and may you all go patch your SQLite
Google and other software developers have patched the SQLite component of their code after it was discovered it could be potentially exploited to inject malware into vulnerable systems.
The security flaw was spotted and reported by researchers at Tencent's Blade Team, and is believed to be present in the SQLite library used by Google's browser engine as well as other apps.
For Google, at least, the library backs Chrome's WebSQL database API, which is why it's being treated as a remote-code execution flaw. Fortunately, users can shield themselves from attacks by updating to the latest version of Chrome (stable version 71.0.3578.80).
For other applications, their developers should update their products to use SQLite 3.26.0 or newer, and then push out new builds to their users to install. In other words, if you're using a program that includes a vulnerable instance of SQLite, wait for a security update to show up. If you're a programmer who is using SQLite as a database built into your code, then update, and roll that update out.
There's always a codename
Known as Magellan for marketing purposes, the Tencent-reported bug has no CVE entry as of yet, and essentially involves corrupting memory to gain arbitrary code execution. In order to do this, an attacker would have to be able to inject malicious SQL commands that then trigger memory corruption, leading to execution of code included in the injection. In the case of WebSQL API, though, webpages are allowed to run SQL queries on a database stored within the browser.
As SQLite creator D. Richard Hipp noted, an application would have to either accept arbitrary SQL commands from users, or suffer from an SQL injection flaw, for this memory handling bug to be exploitation. Generally, programs don't allow users to write their own SQL commands, and they shouldn't have SQL injection holes, in the first place.
Thus, this bug turns what would already be a bad situation – miscreants able to run their own dodgy arbitrary SQL commands within an application – into a worse situation: arbitrary malicious code execution. We also understand the bug involves an SQL UPDATE command, so using SQLite in read-only mode, or with other settings switched on, thwarts exploitation.
Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk.
— D. Richard Hipp (@DRichardHipp) December 15, 2018
Blade Team says it is deliberately holding off on dishing detailed info about the flaw until more vendors can get their patches out. Team member Wenxiang Qian is being credited for the discovery. What is very interesting is that SQLite was considered a gold standard in terms of secure coding: it has been studied and audited at length, and thought to be safe and relatively bug free.
SQLite creator crucified after code of conduct warns devs to love God, and not kill, commit adultery, steal, curse...
READ MORE"As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence," the Tencent researchers say in their brief disclosure earlier this month.
"After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability."
What we do know is that the bug can be exploited much like other browser and scripting engine flaws: a specially crafted webpage or email could be viewed in a vulnerable application, which would trigger the smuggled in exploit and attack code. From there, the attacker would have the ability to execute and install spyware and ransomware on the victim's machine.
The flaw could also be exploited to pull data stored in memory or simply crash the application, in theory.
While potentially serious, these sort of bugs are hardly uncommon. For some perspective, Microsoft patched 16 such remote code execution flaws in IE, Edge, and Office less than a week ago.
In its own tests, Blade Team says it has been able to use its exploit to successfully pwn a Google Home box (Home is based on Chromium). Thus far, there have been no reports of the bug being targeted in the wild. ®