SQLite is a cross-platform relational database management system. It is known to be the most used database engine in the world. The vendor claims that there are billions of deployments of SQLite, and it is used by applications such as Skype, Firefox, Chrome and Safari. At DEF CON 27, researchers showcased how the SQL language can be used to exploit memory corruption issues within SQLite.
Check Point researchers discovered a remote code execution vulnerability in SQLite. The researchers used Query Hijacking and Query Oriented Programming to exploit the memory corruption vulnerabilities in SQLite. This vulnerability exists because third-party applications read data from the SQLite database in an insecure manner. In a typical exploit scenario, an attacker stores malicious code in the database. When an application tries to access data from this database, the malicious code gets executed. It is also worth noting that an attacker needs filesystem access permissions to modify the contents of the SQLite database file.
This flaw does not spare the oh-so-secure Apple devices either. The researchers demonstrated how a simple and standard application like Apple iOS Contacts can be used to run malicious code on the device using a four-year-old unpatched bug (CVE-2015-7036) in Apple iOS. This bug was considered unimportant as it allowed untrusted applications to execute arbitrary SQL commands. Apple does not run unknown applications and hence the bug was considered trivial. However, the researchers proved that a trusted application could also use this flaw to execute arbitrary code.
These vulnerabilities were reported to Apple, and a fix was issued in the May 2019 updates with the release of macOS Mojave 10.14.5, iOS 12.3, tvOS 12.3, iCloud, iTunes and watchOS 5.2.1. The vulnerabilities were identified as:
- CVE-2019-8600 – Arbitrary Code Execution Vulnerability
- CVE-2019-8598 – Information Disclosure Vulnerability
- CVE-2019-8602 – Elevation of Privilege Vulnerability
- CVE-2019-8577 – Elevation of Privilege Vulnerability
It is advised to install the updates from Apple (if not already applied) while other vendors research and fix the vulnerabilities.
Platforms using SQLite are prone to a remote code execution vulnerability. Given that SQLite is used by many applications, this could prove to be a starting point for an entire range of vulnerabilities in various applications. This type of vulnerability could be present in other SQL engines too.
An attacker who has access to the filesystem can inject malicious code into the SQLite database files. The malicious code gets executed when an application tries to read data from this file.
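A defensive check for applications that read SQLite files other processes can write, as an added example that is not part of the original advisory or of the researchers' work: it refuses a file whose schema contains views, triggers or unexpected tables, then limits the connection to plain reads of the expected tables. The `contacts` table, the function names and the sample file are assumptions made for illustration.

```python
import sqlite3

# Hypothetical application schema: the only tables this reader expects.
EXPECTED_TABLES = {"contacts"}

def audit_schema(conn, expected=EXPECTED_TABLES):
    """List schema objects an application reading this file did not expect."""
    findings = []
    for kind, name in conn.execute("SELECT type, name FROM sqlite_master"):
        if kind in ("view", "trigger"):
            findings.append(f"{kind} {name!r} carries stored SQL")
        elif kind == "table" and name not in expected:
            findings.append(f"unexpected table {name!r}")
    return findings

def restrict(conn, expected=EXPECTED_TABLES):
    """Install an authorizer that permits only SELECTs reading expected tables."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 in expected:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # functions, pragmas, writes, other tables
    conn.set_authorizer(authorizer)

def open_untrusted(path, expected=EXPECTED_TABLES):
    """Open a file read-only; refuse it if the schema holds anything unexpected."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    conn.execute("PRAGMA trusted_schema = OFF")  # no effect on builds lacking it
    findings = audit_schema(conn, expected)
    if findings:
        conn.close()
        raise ValueError("; ".join(findings))
    restrict(conn, expected)
    return conn

def build_sample(path, altered):
    """Constructed sample file; `altered` swaps the table for a same-named view."""
    conn = sqlite3.connect(path)
    if altered:
        conn.execute("CREATE TABLE hidden (secret TEXT)")
        conn.execute("CREATE VIEW contacts AS SELECT secret AS name FROM hidden")
    else:
        conn.execute("CREATE TABLE contacts (name TEXT)")
        conn.execute("INSERT INTO contacts VALUES ('Alice')")
    conn.commit()
    conn.close()
```

The schema audit and the authorizer are defence in depth for the reading application; they do not replace installing the vendor fixes for the underlying memory corruption bugs.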
Apple released updates in May 2019 to address these vulnerabilities. We will keep you informed about updates as and when they are released by other vendors.
Please refer to this KB Article.