More than one trillion SQLite databases potentially active in myriad operating systems, browsers, and applications

UPDATED SQLite has issued a security patch after the discovery of a use-after-free bug that, if triggered, could lead to arbitrary code execution or denial of service (DoS).

The highest threat to systems running affected versions of SQLite, a C-language library that implements an SQL database engine, is to system availability, according to a Red Hat Bugzilla thread.

However, the flaw is only marked as medium severity because exploitation depends on attackers already having “access to query the data in the database”, noted Todd Cullum, senior product security engineer at Red Hat, an open source software vendor.

Richard Hipp, who launched the SQLite project in 2000 and remains its architect, didn’t think the vulnerability posed a serious threat.

If an SQL injection bug exists on a target system then it might be possible – dependent on other protections in place – to cause SQLite to read a previously freed data structure and potentially cause a crash, he told The Daily Swig. “More likely, it will just cause SQLite to return a goofy answer.”

As a read – rather than write – after free bug, “there are no known paths to an RCE”, he added. “So really, this problem allows an attacker to escalate an SQL injection vulnerability in the application into a denial of service.”

But in that case, “the attacker already has a more trivial denial of service by simply sending in a (well-formed) SQL statement that runs forever. So it isn’t clear that this bug gives an attacker any new capabilities.”

Vast attack surface

If the impact of the vulnerability is described as moderate, then surely few other applications present such an enormous attack surface.

Open source SQLite “is likely used more than all other database engines combined”, claims the SQLite website, which estimates the number of active SQLite databases at more than one trillion.

Catch up on the latest security vulnerability news

The relational database management system is built into all 3.5 billion active smartphones, as well as all Apple Macs and Windows 10 machines; Firefox, Chrome, and Safari web browsers; Skype, iTunes, and Dropbox; and most smart TVs, among many more applications.

Inti De Ceukelaire, head of hackers at bug bounty platform Intigriti, told The Daily Swig that the bug’s moderate severity might instil a false sense of security into some vendors.

“The problem with these kind of medium severity vulnerabilities is that vendors will often not consider fixing it until real-world impact is shown,” he explains. “This is a highly contextual vulnerability that would only work in specific situations.

“Therefore, I do not expect that vendors will make breaking changes in order to mitigate this vulnerability, which could potentially lead to chained attacks of unpatched systems in the future.”

WHERE the flaw was found

Found in SQLite’s SELECT query functionality (src/select.c), the issue arose because of a “problem handling sub-queries with both a correlated WHERE clause and a ‘HAVING 0’ clause where the parent query is itself an aggregate”, according to a vulnerability alert published by Ubuntu, the Linux distribution, on February 5.

The problem was apparently introduced by a code change implemented in June 2020.

Todd Cullum of Red Hat expanded on this analysis: “The WHERE clause (a=2), uses an aggregate column from the outer query.

“If the HAVING term (0) is moved into the WHERE clause in this case, SQLite would at one point optimize (a=2 AND 0) to simply (0). Which is logically correct, but happened to cause problems in aggregate processing for the outer query.”

Updates and recommendations

The security flaw, which affects the SQLite 3 release line, was first flagged in an SQLite bug tracker on January 19, then patched the following day in version 3.341 on January 20.

The issue (CVE-2021-20227) was resolved by adding “the ExprAlwaysFalse(pExpr)==0 check to the if statement before the business logic in havingToWhereExprCb() in file src/select.c,” according to Cullum.

Ubuntu updated its software accordingly on February 11, while the latest versions of Red Hat Enterprise Linux – 6, 7, and 8 – are unaffected as they run SQLite versions that predate the commit that introduced the bug.

A security bulletin issued by AUSCert (Australia’s Computer Emergency Response Team), confirmed that the flaw is exploitable on Ubuntu, Windows, UNIX, Linux, and OSX operating systems.

“Even though there are no known vulnerabilities due to this bug, it does come close to being an opportunity to escalate an SQLi into something more serious, so it is still good to upgrade, if only for defense-in-depth,” said Richard Hipp of SQLite.

This article was updated on January 16 with comments from Richard Hipp and Inti De Ceukelaire.

YOU MAY ALSO LIKE Measuring risk: Organizations urged to choose defense-in-depth over CVE whack-a-mole