Saturday, December 7, 2024
HomeCVE/vulnerability22-Yrs-Old SQLite Bug Let Hackers Perform Code Execution & DOS Attack On...

22-Yrs-Old SQLite Bug Let Hackers Perform Code Execution & DOS Attack On Control Programs

Published on

SIEM as a Service

Trail of Bits researcher Andreas Kellas recently disclosed a 22-Years-Old SQLite bug which has been tracked as “CVE-2022-35737.” The SQLite database library has been found to contain this vulnerability that has a high severity level.

In October 2000 several code changes were made which led to the occurrence of this high-severity vulnerability. Threat actors could exploit this flaw to crash and control programs if they succeeded in exploiting it.

While it has been confirmed that this severe SQLite Bug could be exploited on systems that are based on 64-bit architecture. However, the extent to which a program is exploitable depends on the way it is compiled.

- Advertisement - SIEM as a Service

Flaw Profile

  • CVE ID: CVE-2022-35737
  • CVSS score: 7.5
  • Severity: High
  • Current Description: SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

Technical Analysis

Using this issue SQLite Bug, an attacker could execute arbitrary code on the affected system as a result of exploiting the vulnerability. SQLite’s printf functions require attackers to pass large strings as inputs and the format string contains %Q, %q, or %w substitutions.

According to the report, The following are the affected versions as well as the version that has been fixed:-

  • SQLite version 1.0.12 was affected by this flaw that was released on October 17, 2000.
  • In SQLite version 3.39.2 the flaw was fixed and this version was released on July 21, 2022.

This severe vulnerability has been discovered in the way the string formatting is handled by a function that is known as “sqlite3_str_vappendf” and this function is called by printf.

When a library is compiled without stack canaries, the possibility of running arbitrary code is confirmed. But, the presence of stack canaries implies the execution of arbitrary code, whereas DDoS is always confirmed in all cases.

The SQLite database engine was developed in C and is widely used today. The following operating systems and web browsers include it by default:-

OS:

  • Android
  • iOS
  • Windows
  • macOS

Web Browsers:

  • Google Chrome
  • Mozilla Firefox
  • Apple Safari

The SQLite printf function is not vulnerable to widespread attacks in all systems and applications that apply it. Besides being a very serious vulnerability, it is also an example of a scenario that was once considered to be unfeasible decades ago.

Managed DDoS Attack Protection for Applications – Download Free Guide

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

Multiple SonicWall Vulnerabilities Let Attackers Execute Remote Code

SonicWall has issued a critical alert regarding multiple vulnerabilities in its Secure Mobile Access...