02-16-2021, 10:47 PM
The highest threat to systems running affected versions of SQLite, a C-language library that implements an SQL database engine, is to system availability, according to a Red Hat Bugzilla thread.
However, the flaw is only marked as medium severity because exploitation depends on attackers already having “access to query the data in the database”, noted Todd Cullum, senior product security engineer at Red Hat, an open source software vendor.
Richard Hipp, who launched the SQLite project in 2000 and remains its architect, didn’t think the vulnerability posed a serious threat.
If an SQL injection bug exists on a target system then it might be possible – dependent on other protections in place – to cause SQLite to read a previously freed data structure and potentially cause a crash, he told The Daily Swig. “More likely, it will just cause SQLite to return a goofy answer.”
As a read – rather than write – after free bug, “there are no known paths to an RCE”, he added. “So really, this problem allows an attacker to escalate an SQL injection vulnerability in the application into a denial of service.”
But in that case, “the attacker already has a more trivial denial of service by simply sending in a (well-formed) SQL statement that runs forever. So it isn’t clear that this bug gives an attacker any new capabilities.”
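Hipp's point is that an attacker who can already submit arbitrary SQL has a simpler denial of service than a read-after-free crash: a well-formed statement that never finishes. The following Python, added here as an illustration and not code from The Daily Swig, Red Hat or the SQLite project, uses the standard library's sqlite3 module to show such a statement (a recursive CTE with no terminating condition, constructed for this example) and the progress-handler hook SQLite exposes so that an embedding application can bound how long any one statement may run. The function name, the time budget and the callback interval are assumptions chosen for the demonstration.

```python
import sqlite3
import time

# Constructed runaway query: the recursive CTE has no terminating WHERE clause,
# so count(*) never receives its last row and the statement runs indefinitely.
# It is syntactically valid and needs no special privileges to submit.
RUNAWAY_SQL = """
WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c)
SELECT count(*) FROM c
"""


def run_with_budget(sql, budget_seconds=0.2, params=()):
    """Execute one statement on a throwaway in-memory database, aborting it when
    the time budget expires.

    Returns ('ok', rows) when the statement completes, or ('aborted', elapsed)
    when SQLite interrupted it because the budget ran out.
    """
    conn = sqlite3.connect(":memory:")
    deadline = time.monotonic() + budget_seconds

    def check_deadline():
        # SQLite calls this every N virtual-machine instructions while a
        # statement runs. A non-zero return value makes SQLite abandon the
        # statement with SQLITE_INTERRUPT, which the Python module surfaces as
        # sqlite3.OperationalError('interrupted').
        return 1 if time.monotonic() > deadline else 0

    # The interval (1000 opcodes) is an assumption: small enough that a
    # runaway query is caught promptly, large enough not to slow normal work.
    conn.set_progress_handler(check_deadline, 1000)
    start = time.monotonic()
    try:
        rows = conn.execute(sql, params).fetchall()
        return ("ok", rows)
    except sqlite3.OperationalError as exc:
        if "interrupt" in str(exc).lower():
            return ("aborted", time.monotonic() - start)
        raise
    finally:
        conn.close()


if __name__ == "__main__":
    print("sqlite version:", sqlite3.sqlite_version)
    print(run_with_budget("SELECT 1 + 1"))
    status, elapsed = run_with_budget(RUNAWAY_SQL)
    print(f"runaway statement: {status} after {elapsed:.2f}s")
```

A progress handler bounds CPU time per statement but does nothing about the underlying injection; it is a containment measure for code paths that must accept user-influenced SQL, alongside the SQLite limits and authorizer hooks, not a substitute for parameterised queries.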
Vast attack surface
The impact may be rated moderate, but few software components present as enormous an attack surface as SQLite.
Open source SQLite “is likely used more than all other database engines combined”, claims the SQLite website, which estimates the number of active SQLite databases at more than one trillion.
The relational database management system is built into all 3.5 billion active smartphones, as well as all Apple Macs and Windows 10 machines; Firefox, Chrome, and Safari web browsers; Skype, iTunes, and Dropbox; and most smart TVs, among many more applications.
Inti De Ceukelaire, head of hackers at bug bounty platform Intigriti, told The Daily Swig that the bug’s moderate severity might instil a false sense of security into some vendors.
“The problem with these kinds of medium severity vulnerabilities is that vendors will often not consider fixing it until real-world impact is shown,” he explains. “This is a highly contextual vulnerability that would only work in specific situations.
“Therefore, I do not expect that vendors will make breaking changes in order to mitigate this vulnerability, which could potentially lead to chained attacks of unpatched systems in the future.”
WHERE the flaw was found
Found in SQLite’s SELECT query functionality (src/select.c), the issue arose because of a “problem handling sub-queries with both a correlated WHERE clause and a ‘HAVING 0’ clause where the parent query is itself an aggregate”, according to a vulnerability alert published by Ubuntu, the Linux distribution, on February 5.
The problem was apparently introduced by a code change implemented in June 2020.
Todd Cullum of Red Hat expanded on this analysis: “The WHERE clause (a=2), uses an aggregate column from the outer query.
“If the HAVING term (0) is moved into the WHERE clause in this case, SQLite would at one point optimize (a=2 AND 0) to simply (0). Which is logically correct, but happened to cause problems in aggregate processing for the outer query.”
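The query shape the Ubuntu alert and Cullum describe can be written out to make the mechanics concrete: an aggregate parent query, a sub-query whose WHERE clause refers to a column of that parent, and a constant HAVING 0 that SQLite may fold into the sub-query's WHERE clause. The Python below is an added example and not the reporter's reproducer or the SQLite project's own test case; the table, its rows, the exact query text and the helper name are all constructed for illustration. It runs the shaped query next to a control query that asks the same question without the correlated term, so the two can be compared on whatever SQLite build the interpreter links against. On an affected build the shaped query may return an inconsistent answer or crash the process, so run it in a disposable process, not inside a service.

```python
import sqlite3

# Constructed toy schema (not SQLite's test data).
SCHEMA = [
    "CREATE TABLE t1(a INTEGER, b INTEGER)",
    "INSERT INTO t1 VALUES (1, 10), (2, 20), (2, 30), (3, 40)",
]

# Shape described in the advisories, written as a constructed example:
#   - the parent query is an aggregate (count, total over t1);
#   - the sub-query's WHERE clause is correlated with the parent (t1.a = 2);
#   - the sub-query is itself an aggregate (GROUP BY) carrying HAVING 0.
# Because HAVING 0 depends on no aggregate, SQLite may move it into the
# sub-query WHERE clause, giving (t1.a = 2 AND 0), which folds to 0; the
# article quotes Red Hat on why that folding disturbed the parent's aggregate
# processing. Logically, HAVING 0 discards every group, so the scalar
# sub-query is NULL, the outer WHERE never matches, and the correct result is
# count(*) = 0 and total(b) = 0.0.
SHAPE_SQL = """
SELECT count(*), total(b)
  FROM t1
 WHERE (SELECT t2.a FROM t1 AS t2
         WHERE t1.a = 2
         GROUP BY t2.a
        HAVING 0) IS NOT NULL
"""

# Control: same structure with the correlated term removed, so the
# optimisation path the advisory describes is not exercised.
CONTROL_SQL = """
SELECT count(*), total(b)
  FROM t1
 WHERE (SELECT t2.a FROM t1 AS t2
         GROUP BY t2.a
        HAVING 0) IS NOT NULL
"""

EXPECTED = (0, 0.0)


def check_having_zero_shape():
    """Run the shaped query and its control on a fresh in-memory database.

    Returns a dict with the linked SQLite version, both results, and whether
    they agree with each other and with the logically expected answer.
    """
    conn = sqlite3.connect(":memory:")
    try:
        for stmt in SCHEMA:
            conn.execute(stmt)
        shape_result = conn.execute(SHAPE_SQL).fetchone()
        control_result = conn.execute(CONTROL_SQL).fetchone()
    finally:
        conn.close()
    return {
        "sqlite_version": sqlite3.sqlite_version,
        "shape_result": shape_result,
        "control_result": control_result,
        "consistent": shape_result == control_result == EXPECTED,
    }


if __name__ == "__main__":
    report = check_having_zero_shape()
    for key, value in report.items():
        print(f"{key}: {value}")
```

The version string printed is the one to compare against your distribution's advisory; the sqlite3 module reports the library Python was linked against, which is often older than the newest release and is not changed by upgrading Python alone.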