SQLite zero-day vulnerabilities could allow DoS attack and database hacking

Despite the measures imposed for the fight against coronavirus, the cybersecurity community keeps working. Cyber security solutions specialists have disclosed a set of vulnerabilities in SQLite, the popular ACID-compliant relational database management system. If exploited, these security flaws would allow various malicious scenarios such as denial of service (DoS) attacks, database hacking and sensitive information leaking.

Below is a brief description of each of the flaws found, with their respective Common Vulnerabilities and Exposures (CVE) identifier.

CVE-2020-11655: This is an insufficient validation of user input that occurs when the initialization of the AggInfo object is handled improperly. Its exploitation allows a remote threat actor to deploy denial-of-service attacks by sending specially crafted information using a formatted function query, triggering the DoS condition.

The vulnerability is considered medium severity and no workarounds are known at the moment. This flaw is found in SQLite versions 3.31.0 and 3.31.1.

So far no cases of exploitation in the wild have been reported, nor has the existence of malware to exploit this vulnerability. Cyber security solutions specialists recommend staying on top of the release of relevant updates.

CVE-2020-11656: This is a use-after-free vulnerability that exists due to a failure after the implementation of ALTER TABLE. A remote hacker could execute arbitrary code on the target system to take control of the victim’s device. Cyber security solutions specialists have not reported the development of security updates or the existence of an alternative solution to mitigate the risk of exploitation.

The flaw exists in SQLite versions 3.31.0 and 3.31.1 and can be exploited remotely by threat actors. To trigger the exploit, the hacker would have to send a specially crafted request to the vulnerable application and complete the attack.

So far it is still unknown whether an exploit exists to complete the attack, although specialists recommend that affected system administrators keep alert about the release of relevant updates to prevent this attack variant.
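Since both flaws are tied to SQLite 3.31.0 and 3.31.1, the first step for an administrator is finding where those releases are in use. The following is an added example, not code from the researchers or the SQLite project: it asks the SQLite engine linked into the running Python interpreter for its version and audits a constructed inventory. The inventory format, host names and package names are assumptions, and a matching version string on a distribution package does not prove the package lacks a backported fix.

```python
import re
import sqlite3

# Affected releases, as listed in the article for both CVEs.
AFFECTED = {(3, 31, 0), (3, 31, 1)}

def parse_version(text):
    # Leading major.minor.patch from strings such as "3.31.1-4" (packaging suffix ignored).
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(map(int, m.groups())) if m else None

def is_affected(text):
    return parse_version(text) in AFFECTED

def linked_library_version():
    # Ask the engine itself which library this interpreter is linked against.
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("SELECT sqlite_version()").fetchone()[0]
    finally:
        con.close()

def audit_inventory(lines):
    # Rows are "host component version"; unparseable rows are returned for
    # manual review instead of being silently treated as safe.
    flagged, unparsed = [], []
    for line in (l.strip() for l in lines):
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parse_version(parts[2]) is None:
            unparsed.append(line)
        elif is_affected(parts[2]):
            flagged.append(tuple(parts))
    return flagged, unparsed

# Constructed sample inventory: hosts and package names are hypothetical.
SAMPLE = """# host component version
web-01 libsqlite3-0 3.31.1-4
web-02 libsqlite3-0 3.22.0-1
build-07 sqlite-amalgamation 3.31.0
kiosk-03 sqlite3 3.32.0
kiosk-04 sqlite3 unknown""".splitlines()

if __name__ == "__main__":
    v = linked_library_version()
    print("linked SQLite", v, "AFFECTED" if is_affected(v) else "not in affected list")
    flagged, unparsed = audit_inventory(SAMPLE)
    print("affected:", flagged)
    print("needs manual review:", unparsed)
```

Applications that bundle their own copy of SQLite will not show up in a package inventory, so the engine-level query is the more reliable check wherever it can be run.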
