Many applications using the popular SQLite database management system could be exposed to attacks due to a potentially serious vulnerability that can lead to remote code execution, information disclosure, and denial-of-service (DoS) attacks.
The vulnerability was discovered by researchers of the Blade Team at China-based internet giant Tencent. The experts have named the flaw “Magellan” and they claim it affects any piece of software that uses SQLite or Chromium – Chromium relies on WebSQL, which is based on SQLite.
According to Tencent Blade researchers, the vulnerability can be exploited remotely by getting the targeted user to access a specially crafted web page. Tencent Blade says it’s not releasing any details or exploit code, but claims to have successfully tested it against a Google Home device.
The vulnerability has been patched by SQLite developers with the release of version 3.26.0 on December 1. It has also been addressed in Chromium and in Chrome (with the release of Chrome 71 on December 4). Google has classified the vulnerability as “high severity,” but it has yet to determine the bug bounty it will pay to the researchers who discovered it.
The patches have already been used to create a PoC exploit that crashes Chrome and the Electron development framework. However, there is no evidence that the vulnerability has been exploited for malicious purposes.
Dr. D. Richard Hipp, the creator of SQLite, confirmed someone’s suspicion on Hacker News that the vulnerability only impacts systems that accept and run arbitrary SQLite queries, rather than all applications that only use SQLite for database management.
“The vulnerability only exists in applications that allow a potential attacker to run arbitrary SQL. If an application allows that, it is usually called an ‘SQL Injection’ vulnerability and is the fault of the application, not the database engine. The one notable exception to this rule is WebSQL in Chrome,” Hipp explained.
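As an added illustration of Hipp's point (example code, not from the article, SQLite or Tencent): in Python's sqlite3 module, the first lookup builds the statement from caller input, so the caller can change what SQL runs, which is exactly the class of application the flaw reaches; the second binds the value as a parameter so the statement text is fixed. A small helper also checks whether the linked SQLite library is at or past the 3.26.0 release named above. The `users` table and names are constructed sample data.

```python
import sqlite3

# Release in which SQLite addressed the "Magellan" bug, per the article.
PATCHED_SQLITE = (3, 26, 0)


def sqlite_is_patched(version=sqlite3.sqlite_version_info):
    """True if the SQLite library linked into this process is >= 3.26.0."""
    return tuple(version[:3]) >= PATCHED_SQLITE


def make_demo_db():
    """Constructed in-memory sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user_unsafe(conn, name):
    # The caller's string becomes part of the statement text, so the caller
    # decides what SQL the engine parses and runs (an SQL injection hole).
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    # Bound parameter: the statement is fixed, the value is only data.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "' OR '1'='1"
    print("patched library:", sqlite_is_patched())
    print("unsafe:", lookup_user_unsafe(db, crafted))  # returns every row
    print("safe:  ", lookup_user_safe(db, crafted))    # returns no rows
```

Running it shows the crafted input returning both rows through the unsafe path and nothing through the parameterized one.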