Many applications using the popular SQLite database management system could be exposed to attacks due to a potentially serious vulnerability that can lead to remote code execution, information disclosure, and denial-of-service (DoS) attacks.
The vulnerability was discovered by researchers of the Blade Team at China-based internet giant Tencent. The experts have named the flaw “Magellan” and they claim it affects any piece of software that uses SQLite or Chromium – Chromium relies on WebSQL, which is based on SQLite.
SQLite is one of the most popular database systems and it’s present in a significant number of operating systems, web application frameworks, web browsers, and various applications made by tech giants such as Adobe and Microsoft. In addition to Google Chrome, the open source web browser project Chromium powers Opera, Slimjet Browser, SRWare Iron, Torch, Comodo Dragon, CoolNovo, Yandex Browser, and Vivaldi.
According to Tencent Blade researchers, the vulnerability can be exploited remotely by getting the targeted user to access a specially crafted web page. Tencent Blade says it’s not releasing any details or exploit code, but claims to have successfully tested it against a Google Home device.
The vulnerability has been patched by SQLite developers with the release of version 3.26.0 on December 1. It has also been addressed in Chromium and in Chrome (with the release of Chrome 71 on December 4). Google has classified the vulnerability as “high severity,” but it has yet to determine the bug bounty it will pay to the researchers who discovered it.
The patches have already been used to create a PoC exploit that crashes Chrome and the Electron development framework. However, there is no evidence that the vulnerability has been exploited for malicious purposes.
Dr. D. Richard Hipp, the creator of SQLite, confirmed a Hacker News commenter's suspicion that the vulnerability only impacts systems that accept and run arbitrary SQLite queries, rather than every application that merely uses SQLite for database management.
“The vulnerability only exists in applications that allow a potential attacker to run arbitrary SQL. If an application allows that, it is usually called an ‘SQL Injection’ vulnerability and is the fault of the application, not the database engine. The one notable exception to this rule is WebSQL in Chrome,” Hipp explained.
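The distinction Hipp draws is the one a defender can act on: check that the linked SQLite library is at or past the fixed release, and make sure no code path lets user input become SQL text. The following Python snippet is an added example, not code from the article, SQLite or Tencent Blade; the table, rows and helper names are constructed for illustration.

```python
import sqlite3

# The SQLite release that fixed Magellan, as stated in the article.
PATCHED_VERSION = (3, 26, 0)


def is_patched(version_info=None):
    """Return True if the SQLite library is 3.26.0 or newer.

    Defaults to the version linked into this Python interpreter
    (sqlite3.sqlite_version_info); a tuple can be passed to test
    another build's version.
    """
    if version_info is None:
        version_info = sqlite3.sqlite_version_info
    return tuple(version_info) >= PATCHED_VERSION


def make_demo_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: input is spliced into the SQL text, so the
    caller is effectively letting the user run arbitrary SQL. This is the
    'SQL Injection' case Hipp describes, and it is the application's fault."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened pattern: the SQL text is fixed and the value is bound as a
    parameter, so whatever the user supplies is only ever treated as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    print("SQLite", sqlite3.sqlite_version, "patched:", is_patched())
    db = make_demo_db()
    print("safe:", lookup_safe(db, "x' OR '1'='1"))
    print("unsafe:", lookup_unsafe(db, "x' OR '1'='1"))
```

Run against a real deployment, the version check is the part worth wiring into a build or inventory script; the two lookups only exist to show why a bound parameter never becomes SQL.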