Tencent Blade experts reported the discovery of five new vulnerabilities in SQLite, collectively called Magellan 2.0 (CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752 and CVE-2019-13753). They allow an attacker to remotely run arbitrary code in the Chrome browser, and can also lead to a memory leak or a crash of the program.
The problem is dangerous for any application that uses SQLite, but the risk is higher for Chrome users because of the WebSQL API, which exposes them to remote attacks. Opera users face similar risks.
Let me remind you that a year ago, in December 2018, the same specialists discovered dangerous problems in SQLite, which were called Magellan (CVE-2018-20346, CVE-2018-20505 and CVE-2018-20506). Those bugs allowed arbitrary code execution, caused program memory leaks and application crashes, and in total threatened thousands of mobile and desktop products. Since SQLite can be found in a wide variety of solutions, the problem affected IoT devices, desktop software, browsers and applications for iOS and Android.
Now, Tencent Blade researchers have described new bugs that are also associated with incorrect input validation in SQL commands that the SQLite database receives from third parties. As a result, to exploit the problem, the attacker just needs to create an SQL operation containing malicious code. That is, a malicious site can use Magellan 2.0 to run malicious code in the browsers of its visitors.
Fortunately, the researchers report that Chrome developers have already fixed all the Magellan 2.0 bugs with the release of Chrome 79.0.3945.79, which took place two weeks ago. SQLite developers also fixed the bugs as early as December 13, 2019, but these patches have not yet been included in the stable SQLite branch (3.30.1, released on December 10, 2019, remains the newest version).
Tencent Blade experts emphasize that they are not aware of any exploits for the detected problems, or of any attacks using these vulnerabilities. In the near future, the researchers intend to publish more detailed information about the vulnerabilities, but so far they have limited themselves to a summary of their findings, giving application developers the opportunity to update.