SQLite patches arbitrary code execution vulnerabilities causing denial-of-service exploits

SQLite has issued a security patch after the discovery of a use-after-free bug that, if triggered, could lead to arbitrary code execution or denial of service (DoS). The highest threat to systems which are running under the affected versions of SQLite, a C-language library that implements an SQL database engine, is to system availability, according to a Red Hat Bugzilla thread. The flaw is only marked as medium severity because exploitation depends on attackers already having access to query the data in the database. As a read – rather than write – after free bug, there are no known paths to an RCE and so the problem allows an attacker to escalate an SQL injection vulnerability in the application into a denial of service. The attacker already has a more trivial denial of service by simply sending in a (well-formed) SQL statement that runs forever and so it isn’t clear that this bug gives an attacker any new capabilities.

Affected CVE: CVE-2021-20227

Impact of the attack

  1. SQLite is used more than all other database engines combined, claims the SQLite website, which estimates the number of active SQLite databases at more than one trillion.
  2. The relational database management system is built into all 3.5 billion active smartphones, as well as all Apple Macs and Windows 10 machines; Firefox, Chrome, and Safari web browsers; Skype, iTunes, and Dropbox; and most smart TVs, among many more applications.
  3. The problem with medium severity vulnerabilities is that it does not fix until and unless there is a worldwide impact of the same, they are aware that such vulnerabilities occur in only particular situations and so they can continue without fixing such vulnerability which thereby increases the impact of the attack. 

How does the exploitation work?

  1. SQLite’s SELECT query functionality (src/select.c), the issue arose because of a “problem handling sub-queries with both a correlated WHERE clause and a ‘HAVING 0’ clause where the parent query is itself an aggregate”, according to a vulnerability alert published by Ubuntu, the Linux distribution, on February 5.
  2. The problem was apparently introduced by a code change implemented in June 2020. If the HAVING term (0) is moved into the WHERE clause in this case, SQLite would at one point optimize (a=2 AND 0) to simply (0). Which is logically correct, but happened to cause problems in aggregate processing for the outer query.

Recommendations

  1. The security flaw, which affects the SQLite 3 release line, was first flagged in an SQLite bug tracker on January 19, then patched the following day in version 3.341 on January 20.
  2. The issue was resolved by adding “the ExprAlwaysFalse(pExpr)==0 check to the if statement before the business logicin havingToWhereExprCb() in file src/select.c,” according to Cullum.
  3. Ubuntu updated its software accordingly on February 11, while the latest versions of Red Hat Enterprise Linux – 6, 7, and 8 – are unaffected as they run SQLite versions that predate the commit that introduced the bug.
  4. A security bulletin issued by AUSCert (Australia’s Computer Emergency Response Team), confirmed that the flaw is exploitable on Ubuntu, Windows, UNIX, Linux, and OSX operating systems.