Magellan 2.0 Vulnerabilities

Magellan 2.0 Vulnerabilities

Ware, Ryan R
Hello folks,

First, I want to thank everyone for the great work you do on sqlite.  I’m sure it’s no surprise, but sqlite is used heavily at Intel.

We've been following the Magellan 2.0 (https://blade.tencent.com/magellan2/index_en.html) issues found by Tencent.  One of the things I've found is that the five CVEs in question only have CPE (https://cpe.mitre.org) information for Chrome.  Because of that, there's no automated way to query the National Vulnerability Database for sqlite issues and have these 5 CVEs come up.  Does anyone here know if someone is working on updating the CPE info in these 5 CVEs?

Thanks,

Ryan

_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: Magellan 2.0 Vulnerabilities

Richard Hipp-3
On 1/8/20, Ware, Ryan R <[hidden email]> wrote:
>
> We've been following the Magellan 2.0
> (https://blade.tencent.com/magellan2/index_en.html) issues found by Tencent.
>

Why, oh why, are you doing this?

If you are a typical user of SQLite, then there are no vulnerabilities
in SQLite that you need to concern yourself with.

Now, if you have some application that allows anonymous rogue agents
on the internet to run arbitrary, unfiltered SQL statements using
SQLite, and if you enable the legacy "FTS3" extension, then the
so-called "Magellan 2.0" issues might be of concern to you.  But we
only know of a single application that fits this description - WebKit
- and that application was patched within hours of the hack becoming
known, which was many months ago.

Tencent has an amazing marketing organization that is remarkably
effective at promoting and amplifying every little trifling bug that
their hackers find and make it sound like it will bring an end to
civilization.  I suggest that you not be drawn into the hype.

If Intel has some super-sensitive or especially vulnerable application
using SQLite that we don't know about, then you can take out a
cost-efficient consulting contract with us and we will work closely
and confidentially with you to secure your application against past
and future hacks and ensure that you stay up-to-date with all the
latest patches.  Otherwise, please just ignore Tencent.  Excessive
focus on Tencent and their vulnerability marketing organization will
merely distract you from defending against actual threats.

--
D. Richard Hipp
[hidden email]

Re: Magellan 2.0 Vulnerabilities

Ware, Ryan R


On Wednesday, January 8, 2020 at 3:49:37 PM Richard Hipp said:
> On 1/8/20, Ware, Ryan R <[hidden email]> wrote:
> >
> > We've been following the Magellan 2.0
> > (https://blade.tencent.com/magellan2/index_en.html) issues found by Tencent.
> >
>
> Why, oh why, are you doing this?

Hey Richard.  Thanks for responding.  I'm doing this because while the CVEs clearly call out SQLite as the component that needed the fix, I haven't seen any statement from the SQLite community on the general applicability of the vulnerability.  I can only find Tencent's statement and no feedback from others such as yourself who actually work on SQLite.

> If you are a typical user of SQLite, then there are no vulnerabilities
> in SQLite that you need to concern yourself with.

Understood.  Please understand that Intel likely utilizes SQLite in some non-typical ways and so we need to have a broad understanding of the issues.

> Now, if you have some application that allows anonymous rogue agents
> on the internet to run arbitrary, unfiltered SQL statements using
> SQLite, and if you enable the legacy "FTS3" extension, then the
> so-called "Magellan 2.0" issues might be of concern to you.  But we
> only know of a single application that fits this description - WebKit
> - and that application was patched within hours of the hack becoming
> known, which was many months ago.

And the response is great and needs to be celebrated.  I'm simply trying to understand, since I haven't seen a clear statement in the non-WebKit case of whether the vulnerabilities are applicable.  Your statement above helps.

> Tencent has an amazing marketing organization that is remarkably
> effective at promoting and amplifying every little trifling bug that
> their hackers find and make it sound like it will bring an end to
> civilization.  I suggest that you not be drawn into the hype.

I understand your concerns here.  I definitely don't want to be drawn into the hype, which is why I'm coming to the community to find the right information.  Lacking a statement from the community on it (and I see absolutely nothing on sqlite.org or in the mail list archive specifically about these issues), it leaves others outside the community with an inability to draw the right conclusions.

> If Intel has some super-sensitive or especially vulnerable application
> using SQLite that we don't know about, then you can take out a
> cost-efficient consulting contract with us and we will work closely
> and confidentially with you to secure your application against past
> and future hacks and ensure that you stay up-to-date with all the
> latest patches.  Otherwise, please just ignore Tencent.  Excessive
> focus on Tencent and their vulnerability marketing organization will
> merely distract you from defending against actual threats.

I am very aware of the motivations of the security researchers.  It's a world I live in daily.  In the absence of conflicting information, and given the legitimization of the issues via inclusion in NVD, there should be little surprise at any conclusion made by people external to the SQLite community.  Given that 4 of the 5 CVEs in question call out SQLite in the first sentence of the description, it might behoove the community to state their position clearly.

Ryan

Re: Magellan 2.0 Vulnerabilities

Simon Slavin-3
On 9 Jan 2020, at 12:18am, Ware, Ryan R <[hidden email]> wrote:

> I see absolutely nothing on sqlite.org or in the mail list archive specifically about these issues

If someone reports a vulnerability here, it gets acknowledged here.  But I don't think Tencent posts here.

On 8 Jan 2020, at 10:27pm, Ware, Ryan R <[hidden email]> wrote:

> We've been following the Magellan 2.0 (https://blade.tencent.com/magellan2/index_en.html) issues found by Tencent.

From the page at that URL:

"If you are using a software that is using SQLite as component (without the latest patch, which is 13 Dec 2019), and it supports external SQL queries. Or, you are using Chrome that is prior to 79.0.3945.79 with WebSQL enabled, you may be affected."

In other words, the problem reported was patched in SQLite on 2019/12/13, and patched in version 79.0.3945.79 of Chrome.

> Does anyone here know if someone is working on updating the CPE info in these 5 CVEs?

You would need to ask someone who works on the CPE database.  That's not us.  However, from

<https://nvd.nist.gov/vuln/detail/CVE-2019-13734>

"Known Affected Software Configurations: Up to (excluding) 79.0.3945.79"

In other words, the problem was fixed in Chrome 79.0.3945.79. That information was placed on the page on or before 2019/12/16.  I'm not sure what more you expect them to do.
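As an added illustration (not code from the thread, from SQLite, or from NVD), the CPE-matching rule Ryan and Simon are discussing, run over a constructed NVD-style record for CVE-2019-13734 that lists only the Chrome CPE with the "Up to (excluding) 79.0.3945.79" bound: a Chrome version below that bound matches, while any sqlite CPE never does, which is why a CPE-driven NVD query for sqlite would not return the CVE. Field names follow the NVD JSON 1.1 feed layout (cpe23Uri, versionEndExcluding, versionStartIncluding); the record and the version numbers checked are constructed samples.

```python
import json

# Constructed sample in the shape of an NVD JSON 1.1 feed item (not a real
# download). Its single Chrome CPE with "versionEndExcluding" mirrors what the
# thread quotes for CVE-2019-13734; no sqlite CPE is listed at all.
SAMPLE_NVD_ITEM = json.loads("""{
  "cve": {"CVE_data_meta": {"ID": "CVE-2019-13734"}},
  "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
    {"vulnerable": true,
     "cpe23Uri": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "79.0.3945.79"}]}]}}""")

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe23(uri):
    """Split a CPE 2.3 formatted string into named fields (no escaped colons)."""
    parts = uri.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 string: " + uri)
    return dict(zip(CPE_FIELDS, parts[2:]))

def version_key(v):
    """Dotted numeric version -> tuple, so 79.0.3945.79 sorts above 79.0.3904.108."""
    return tuple(int(x) for x in v.split("."))

def cpe_match_covers(match, query):
    """True if one cpe_match entry (wildcards plus version bounds) covers query."""
    pattern = parse_cpe23(match["cpe23Uri"])
    if any(want != "*" and query[f] != want for f, want in pattern.items()):
        return False  # vendor/product/... differ, e.g. sqlite:sqlite vs google:chrome
    if query["version"] == "*":
        return True   # caller asked about every version of the product
    v = version_key(query["version"])
    lo = match.get("versionStartIncluding")
    hi = match.get("versionEndExcluding")  # "Up to (excluding)" on the NVD page
    if lo and v < version_key(lo):
        return False
    return not (hi and v >= version_key(hi))

def cve_applies_to(item, cpe_uri):
    """Would a CPE-driven NVD lookup for cpe_uri surface this CVE? OR nodes only;
    AND nodes with running-on 'children' are not modelled here."""
    query = parse_cpe23(cpe_uri)
    return any(m.get("vulnerable") and cpe_match_covers(m, query)
               for node in item["configurations"]["nodes"]
               for m in node.get("cpe_match", []))
```

The practical consequence for vulnerability management is the one Ryan raises: an inventory keyed on the sqlite CPE will not surface this record until NVD adds a sqlite configuration, so the SQLite patch date from the vendor page has to be tracked separately.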