Google Chrome Affected by Magellan 2.0 SQLite Vulnerabilities

One year and one week after the disclosure of the Magellan series of vulnerabilities in 2018, Magellan 2.0 is disclosed, bringing five new vulnerabilities with it.

Background

On December 23, 2019, the Tencent Blade Team published an advisory regarding “Magellan 2.0,” a new set of SQLite vulnerabilities discovered by researcher Wenxiang Qian differing from the original Magellan vulnerabilities disclosed last year.

Analysis

Information relating to Magellan 2.0 at present is limited to what has been disclosed in the advisory and the assignment of CVE IDs CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752 and CVE-2019-13753 on December 10, 2019. The Tencent Blade Team states that the impact of these vulnerabilities includes the leaking of program memory, causing program crashes and remote code execution.

The vulnerability in SQLite occurs when the SQLite database is passed a maliciously crafted SQL command that it executes on behalf of the attacker, exploiting the vulnerabilities highlighted by the Tencent Blade Team. Remote attacks like this against SQLite databases would require direct and improperly handled input between the SQLite database and the internet-facing application.

These vulnerabilities are remotely exploitable in Google Chrome as it comes with Web SQL Database installed by default, an API that translates JavaScript code into SQL commands to be executed by Google Chrome’s internal SQLite database, which is used to store user data and browser settings.

All applications implementing SQLite as a component and supporting SQL are affected if the latest patches are not applied. Chrome/Chromium users with versions prior to v79.0.3945.79 are also vulnerable. The Tencent Blade Team also noted that these vulnerabilities affect smart devices using an older version of Chrome/Chromium, browsers built using an older version of Chrome/Webview, Android apps using older versions of Webview and software that uses older versions of Chromium. The Tencent Blade Team states that they are working with vendors to address the issue and notes that, at present, there is no evidence of abuse in the wild.

No need to worry: SQLite and Google have already confirmed and fixed it and we are helping other vendors through it too. We haven't found any proof of wild abuse of Magellan 2.0 and will not disclose any details now. Feel free to contact us if you had any technical questions! https://t.co/3hUro9URWf

— Tencent Blade Team (@tencent_blade) December 24, 2019

Proof of concept

At the time this blog post was published, there was no proof of concept (PoC) available, but one may be released in the future. When asked if they will be releasing a PoC, the Tencent Blade Team stated, “Not yet. We follow the responsible vulnerability disclosure process and will not disclose the details of the vulnerability in advance 90 days after the vulnerability report.” They initially disclosed these vulnerabilities to Google and SQLite on November 16, 2019.

Solution

Tenable strongly advises organizations and individuals to upgrade to patched versions as soon as possible. On December 10, 2018, Google released 79.0.3945.79 ( Stable Channel Update for Desktop) for Chromium users. SQLite addressed the bugs on December 13, 2019, but has yet to release patches in a stable branch. We advise committing to this branch as soon as it is available.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Get more information

• Tencent Blade Team: Magellan 2.0
• Chrome Releases: Stable Channel Update for Desktop
• Latest Version of SQLite
• Tencent Blade Team: Magellan
• Tenable Magellan Blog

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.