Security experts at Tencent’s Blade security team discovered the Magellan RCE flaw in SQLite database software that exposes billions of vulnerable apps.
Security experts at Tencent’s Blade security team have discovered a critical vulnerability in SQLite database software that exposes billions of vulnerable apps to hackers.
The vulnerability tracked as ‘Magellan‘ could allow remote attackers to execute arbitrary on vulnerable devices, leak program memory or cause dos condition with application crash.
“Magellan is a remote code execution vulnerability discovered by Tencent Blade Team that exists in SQLite. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence. ” reads a blog post published by the Tencent Blade Team.
SQLite is a widely adopted relational database management system contained in a C programming library. Unlike many other database management systems, SQLite is not a client–server database engine. Rather, it is embedded into the end program.
SQLite is used by millions of applications with billions of installs, Magellan potentially affects IoT devices, macOS and Windows apps.
Experts also tested Chromium and discovered it was affected too, Google has confirmed and fixed this issue.
Chromium-based web browser such as Google Chrome, Opera, Vivaldi, and Brave also support SQLite through the deprecated Web SQL database API.
Experts warn that a remote attacker can easily target people using vulnerable browsers by tricking them visiting a specially crafted web-page.
“After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.” continues the post.
SQLite version 3.26.0 addresses the Magellan flaw, Google released Chromium version 71.0.3578.80 to fix the issue and rolled out the patched version to the latest version of Google Chrome and Brave web-browsers.
The Tencent experts said they successfully build a proof-of-concept exploit using the Magellan flaw that worked against Google Home.
Experts did not disclose the exploit to allow development teams to address flawed applications. The good news is that experts have not seen attacks abusing the Magellan flaw yet.
Users and administrators have to update their systems and vulnerable applications as soon as possible.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.