Magellan RCE flaw in SQLite potentially affects billions of apps

Pierluigi Paganini December 15, 2018

Security experts at Tencent’s Blade security team discovered the Magellan RCE flaw in SQLite database software that exposes billions of vulnerable apps.

Security experts at Tencent’s Blade security team have discovered a critical vulnerability in SQLite database software that exposes billions of vulnerable apps to hackers.

The vulnerability tracked as ‘Magellan‘ could allow remote attackers to execute arbitrary on vulnerable devices, leak program memory or cause dos condition with application crash.

“Magellan is a remote code execution vulnerability discovered by Tencent Blade Team that exists in SQLite. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence. ” reads a blog post published by the Tencent Blade Team.

SQLite is a widely adopted relational database management system contained in a C programming library. Unlike many other database management systems, SQLite is not a client–server database engine. Rather, it is embedded into the end program.

SQLite is used by millions of applications with billions of installs, Magellan potentially affects IoT devices, macOS and Windows apps.

Experts also tested Chromium and discovered it was affected too, Google has confirmed and fixed this issue.

Chromium-based web browser such as Google Chrome, Opera, Vivaldi, and Brave also support SQLite through the deprecated Web SQL database API.

Experts warn that a remote attacker can easily target people using vulnerable browsers by tricking them visiting a specially crafted web-page.

“After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.” continues the post.

SQLite version 3.26.0 addresses the Magellan flaw, Google released Chromium version 71.0.3578.80 to fix the issue and rolled out the patched version to the latest version of Google Chrome and Brave web-browsers.

The Tencent experts said they successfully build a proof-of-concept exploit using the Magellan flaw that worked against Google Home.

Experts did not disclose the exploit to allow development teams to address flawed applications. The good news is that experts have not seen attacks abusing the Magellan flaw yet.

Users and administrators have to update their systems and vulnerable applications as soon as possible.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –Magellan flaw, hacking)

[adrotate banner="5"]

[adrotate banner="13"]

you might also like

leave a comment