SQLite vulnerability "Magellan"

ryot
Community Member
edited December 2018 in Lounge

There was a recent discovery of a vulnerability in SQLite (and Chromium) and v3.26.0 of SQLite fixes it. I've read that 1Password uses SQLite so I wanted to give a heads up in case it is relevant. https://blade.tencent.com/magellan/index_en.html


Comments

  • AGAlumB
    1Password Alumni

    Thanks! 1Password uses a database like this, but all of the data is encrypted. Also, my understanding of the vulnerability is that it involves a database server, which differs from 1Password. One less thing to have to worry about when flaws like this are discovered!

  • wkleem
    Community Member
    edited December 2018

    Hi

    While 1Password may not be affected, it appears from the FAQ that Chromium/Chrome and other browsers could be?

    https://blade.tencent.com/magellan/index_en.html

    "(1) Am I affected by the vulnerability?
    If you use a device or software that uses SQLite or Chromium, it may be affected, depending on whether there is a suitable attack surface.

    (2) What is the danger of this vulnerability?
    Remote code execution, leaking program memory or causing program crashes.

    (3) Does this vulnerability have exploit code?
    Yes, we successfully exploited Google Home with this vulnerability, and we currently have no plans to disclose exploit code.

    (4) What are the conditions for exploiting the vulnerability?
    This vulnerability can be triggered remotely, such as accessing a particular web page in a browser, or any scenario that can execute SQL statements.

    (5) Has "Magellan" been abused in the wild?
    We have not seen the case yet.

    (6) Is there a workaround/fix?
    We have reported all the details of the vulnerability to Google and they have fixed the vulnerability (commit). If your product uses Chromium, please update to the official stable version 71.0.3578.80 (Release updates). If your product uses SQLite, please update to 3.26.0 (Release updates). The CVE number is pending."

    I am at Chrome v71.0.3578.98

  • AGAlumB
    1Password Alumni

    Just to give a brief update, there have been hints that there is more to this issue than originally reported, but the details released so far have been spotty, and additional information is not yet forthcoming. We still don't have any reason to believe that 1Password is affected in any way at this time, but we're watching for further developments just in case -- again, because details are scarce thus far. I suspect that, as Chrome is perhaps the highest-profile software involved, as Google releases updates more information will come to light to make all of this clearer. There's probably some responsible disclosure agreement/courtesy involved in keeping things under wraps as far as public dissemination until that time.

  • wkleem
    Community Member
    edited December 2018

    @brenty,

    Depending on whose side it is, the threat's scope may or may not be exaggerated.

    https://nakedsecurity.sophos.com/2018/12/19/sqlite-creator-fires-back-at-tencents-bug-hunters/

This discussion has been closed.