A use-after-free vulnerability in SQLite could be exploited by an attacker to remotely execute code on a vulnerable machine, Cisco Talos security researchers have discovered.
Tracked as CVE-2019-5018 and featuring a CVSS score of 8.1, the vulnerability resides in the window function functionality of Sqlite3 3.26.0 and 3.27.0.
To trigger the flaw, an attacker would need to send a specially crafted SQL command to the victim, which could allow them to execute code remotely.
The popular SQLite library, a client-side database management system, is widely used in mobile devices, browsers, hardware devices, and user applications, Talos notes.
SQLite implements the Window Functions feature of SQL, allowing queries over a subset, or “window,” of rows, and the newly revealed vulnerability was found in the “window” function.
The security researchers discovered that, after the parsing of a SELECT statement that contains a window function, in certain conditions, the expression-list held by the SELECT object is rewritten and the master window object is used during the process.
When processing an aggregate function and after it is appended to the expression list, the expression is deleted. During deletion, if the expression is marked as a Window Function, the associated Window object and partition for the Window are deleted as well.
The deleted partition is reused after the rewrite of the expression list, which causes a use-after-free vulnerability that leads to a denial of service. However, if the attacker could control the memory after the free, they can corrupt more data and potentially execute code.
“Talos tested and confirmed that versions 3.26.0 and 3.27.0 of SQLite are affected by this vulnerability,” the researchers note.
The security researchers, who published proof-of-concept code, reported the vulnerability to the vendor in early February. An update to patch the issue had been released weeks before the advisory was made public.
Related: Code Execution Flaw in SQLite Affects Chrome, Other Software
Related: JavaScript Library Introduced XSS Flaw in Google Search
More from Ionut Arghire
- Russian National Arrested, Charged in US Over Role in LockBit Ransomware Attacks
- Russian Hackers Using USB-Spreading Malware in Attacks on Ukrainian Government, Military
- CISA, NSA Share Guidance on Hardening Baseboard Management Controllers
- XSS Vulnerabilities in Azure Led to Unauthorized Access to User Sessions
- SquareX Launches Bug Bounty Program for Browser Security Product
- US Organizations Paid $91 Million to LockBit Ransomware Gang
- CISA Instructs Federal Agencies to Secure Internet-Exposed Devices
- Hundreds of Thousands of eCommerce Sites Impacted by Critical Plugin Vulnerability
Latest News
- In Other News: Linux Kernel Exploits, Update on BEC Losses, Cybersecurity Awareness Act
- Russian National Arrested, Charged in US Over Role in LockBit Ransomware Attacks
- Russian Hackers Using USB-Spreading Malware in Attacks on Ukrainian Government, Military
- Ransomware Group Starts Naming Victims of MOVEit Zero-Day Attacks
- CISA, NSA Share Guidance on Hardening Baseboard Management Controllers
- Content Moderation Tech Startup Trust Lab Snags $15M Investment
- OT Security Firm Shift5 Adds $33 Million in Funding
- XSS Vulnerabilities in Azure Led to Unauthorized Access to User Sessions
