Severe bugs in the ubiquitous SQLite engine – used in thousands of software applications – continue to pose a major security threat, security researchers say, with Red Hat admitting today that its flagship Red Hat Enterprise Linux (RHEL) 8 remains vulnerable, despite patching other products this week.
Red Hat said in a security update it had now inoculated RHEL 7 and its “RHEL 8.0 Update Services for SAP Solutions”, but RHEL 8 itself remains affected by one of the vulnerabilities, first disclosed to the Chromium team by China’s Tencent Blade – which dubbed them “Magellan 2.0” – in October 2019.
(Computer Business Review has contacted Red Hat’s product security team for further information and an ETA on a RHEL 8 patch. Update to follow).
What is the SQLite Vulnerability?
The vulnerability in question, CVE-2019-13734, was publicly reported by Tencent Blade in early December as one of a series of exploitable holes in the SQLite engine. The CVE description reads: “out of bounds write in SQLite… [that] allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.”
(SQLite is a lightweight SQL database engine and the most-used database engine in the world. It is built into the vast majority of mobile phones and most computers and comes bundled inside huge numbers of other applications.)
Tencent’s disclosure followed the 2018 discovery by the same team of the “Magellan” vulnerabilities, which affected a sweeping array of software tools that use Chromium, Webview, or which have a SQLite component.
While Tencent says it hasn’t seen exploits in the wild and Computer Business Review has yet to see a proof-of-concept of the attack*, a weaponised version would hand attackers remote code execution across a worryingly broad array of endpoints, and security researchers following the upstream fixes can find enough detail to suggest public exploits are not far off (if we have not overlooked them).
*Let us know if we have missed something.
Magellan 2.0 on its way! Blade researcher @leonwxqian found another set of vulnerabilities in #SQLite which can result in remote code execution via WebSQL, leaking program memory or possible program crashes.
More Q&As can be found at https://t.co/G7DphI0Smb
— Tencent Blade Team (@tencent_blade) December 24, 2019
Who else is affected?
Tencent Blade notes: “If you are using software that is using SQLite as a component without the latest patch, which is 13 Dec 2019, and it supports external SQL queries [you are affected]. [Users of] Chrome that is prior to 79.0.3945.79 with WebSQL enabled” [are also vulnerable].
The company added: “Other devices such as PC/Mobile devices/IoT devices may also be affected, [this] depends on if there’s a proper attack surface.”
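As an added example (not code from Computer Business Review, Tencent Blade or Red Hat), the following Python shows the two checks a practitioner would want from the statements above: comparing a Chrome build string against the fixed version 79.0.3945.79 that Tencent quotes, and using SQLite's authorizer hook to confine externally supplied SQL to read-only queries on an allow-listed table, which is the “supports external SQL queries” attack surface Tencent describes. The table names, sample rows and function allow-list are constructed for the example. The authorizer narrows the SQL features untrusted input can reach; it does not patch the out-of-bounds write itself, so it is defence in depth alongside updating the SQLite library that is actually linked into the process.

```python
"""Two checks for Magellan 2.0 exposure (added example, not from the article).

1. Is a Chrome/Chromium version string older than the fixed build
   79.0.3945.79 quoted by Tencent Blade?
2. Does an application that runs externally supplied SQL confine that SQL
   to read-only SELECTs on an allow-listed table?  Uses SQLite's authorizer
   hook, which vets every action when a statement is prepared.

The 'notes'/'secrets' tables and their rows are constructed for this example.
"""
import sqlite3

# First Chrome build containing the fix, per Tencent Blade's advisory.
FIXED_CHROME_VERSION = "79.0.3945.79"


def parse_version(version: str) -> tuple:
    """'79.0.3945.79' -> (79, 0, 3945, 79); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def chrome_vulnerable(version: str, fixed: str = FIXED_CHROME_VERSION) -> bool:
    """True if this Chrome build predates the fix (exploitable only with WebSQL enabled)."""
    return parse_version(version) < parse_version(fixed)


def sqlite_runtime_version() -> tuple:
    """Version of the SQLite library actually linked into this process.

    For CVE-2019-13734 this is what matters, not the version of the Python
    or OS package wrapping it.
    """
    return sqlite3.sqlite_version_info


# --- attack-surface reduction for externally supplied SQL -------------------

READ_ONLY_TABLES = {"notes"}                        # allow-list (constructed)
ALLOWED_FUNCTIONS = {"count", "length", "lower", "upper"}
# SQLITE_FUNCTION (31) is exposed by modern Pythons; fall back to the numeric code.
SQLITE_FUNCTION = getattr(sqlite3, "SQLITE_FUNCTION", 31)


def _authorizer(action, arg1, arg2, db_name, trigger):
    """Allow SELECT, reads of allow-listed tables and a few scalar functions.

    Everything else (ATTACH, PRAGMA, writes, virtual tables, schema access)
    is refused, so the statement fails to prepare.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in READ_ONLY_TABLES:
        return sqlite3.SQLITE_OK
    if action == SQLITE_FUNCTION and arg2 in ALLOWED_FUNCTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def demo_connection() -> sqlite3.Connection:
    """In-memory database with constructed sample data and the authorizer installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE notes(id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE secrets(id INTEGER PRIMARY KEY, token TEXT);"
        "INSERT INTO notes(name) VALUES ('alpha'), ('beta');"
        "INSERT INTO secrets(token) VALUES ('do-not-leak');"
    )
    conn.set_authorizer(_authorizer)
    return conn


def run_untrusted_sql(conn: sqlite3.Connection, sql: str) -> list:
    """Run externally supplied SQL under the authorizer.

    Raises sqlite3.DatabaseError ('not authorized' or 'access to ... is
    prohibited') if the statement touches anything outside the allow-list.
    """
    return conn.execute(sql).fetchall()


def sql_is_blocked(conn: sqlite3.Connection, sql: str) -> bool:
    """True if the authorizer refused the statement (syntax errors are not counted)."""
    try:
        run_untrusted_sql(conn, sql)
    except sqlite3.DatabaseError as exc:
        msg = str(exc)
        return "not authorized" in msg or "is prohibited" in msg
    return False


if __name__ == "__main__":
    print("Chrome 79.0.3945.78 vulnerable:", chrome_vulnerable("79.0.3945.78"))
    print("linked SQLite version:", sqlite_runtime_version())
    conn = demo_connection()
    print(run_untrusted_sql(conn, "SELECT name FROM notes ORDER BY id"))
    for stmt in ("SELECT token FROM secrets",
                 "ATTACH DATABASE ':memory:' AS x",
                 "PRAGMA writable_schema=1",
                 "CREATE VIRTUAL TABLE ft USING fts3(content)"):
        print(stmt, "->", "blocked" if sql_is_blocked(conn, stmt) else "ALLOWED")
```

The authorizer runs at statement-prepare time, so a denied ATTACH, PRAGMA or virtual-table definition never reaches the query planner or the storage layer at all; a crafted query can only exercise the SELECT paths over tables and functions you have explicitly allowed. Inventory the result of `sqlite_runtime_version()` per process rather than trusting the OS package list, because applications frequently ship their own statically linked SQLite.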
Among the Red Hat products affected by the vulnerability that it did patch today, as noted in its security advisory, were:
- Red Hat Enterprise Linux Server 7 x86_64
- Red Hat Enterprise Linux for x86_64 – Extended Update Support 7.7 x86_64
- Red Hat Enterprise Linux Server – AUS 7.7 x86_64
- Red Hat Enterprise Linux Workstation 7 x86_64
- Red Hat Enterprise Linux Desktop 7 x86_64
- Red Hat Enterprise Linux for IBM z Systems 7 s390x
- Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 7.7 s390x
- Red Hat Enterprise Linux for Power, big endian 7 ppc64
- Red Hat Enterprise Linux for Power, big endian – Extended Update Support 7.7 ppc64
- Red Hat Enterprise Linux for Scientific Computing 7 x86_64
- Red Hat Enterprise Linux EUS Compute Node 7.7 x86_64
- Red Hat Enterprise Linux for Power, little endian 7 ppc64le
- Red Hat Enterprise Linux for Power, little endian – Extended Update Support 7.7 ppc64le
- Red Hat Enterprise Linux Server – TUS 7.7 x86_64
- Red Hat Enterprise Linux Server (for IBM Power LE) – Update Services for SAP Solutions 7.7 ppc64le
- Red Hat Enterprise Linux Server – Update Services for SAP Solutions 7.7 x86_64