DEV Community

Yawar Amin

Vulnerability inflation in infosec

For a while now, people have been pointing out that security vulnerability reports, especially those filed with the National Vulnerability Database (NVD), are being inflated well beyond their actual severity. The SQLite team in particular warns about this. Here's a good example: https://sqlite.org/forum/forumpost/d2415641c8

Richard Hipp says:

CVE-2023-36191 was written against this bug, 20 days after the bug was fixed. This post is to refute that CVE.

The error is a bug. It has been fixed. But it is not a vulnerability. You may safely ignore the CVE. Key points:...
The behavior is the same after the bug fix as it was before - the program issues an error message and stops. The "fix" just makes the error message a little nicer. Instead of printing "Segmentation Fault", it prints "Error: missing argument to --nonce" and then calls exit(1).

Here's the description in the bug report filed to Red Hat Bugzilla:

A segmentation fault was discovered in SQLite. This issue exists due to a boundary error within the /sqlite3_aflpp/shell.c which could allow a local user to send a specially crafted request to the database to trigger memory corruption and perform a denial of service (DoS) attack.

Yeah, the local user could perform a denial of service attack against themselves by passing a bad argument to the sqlite3 CLI tool and making it exit immediately. But 'specially crafted request to the database'? Come on. Here's the 'specially crafted' request:

% sqlite3 -nonce
zsh: segmentation fault  sqlite3 -nonce

This never even reaches the database. The CLI exits immediately. These are the kinds of vulnerabilities that are getting filed nowadays: https://nvd.nist.gov/vuln/detail/CVE-2023-36191
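To make the mechanism concrete, here is an added example, not SQLite's own shell.c, of the two option parsers being contrasted. The flag handling is a hypothetical reconstruction: the "before" version takes argv[++i] as the value of -nonce without checking that one exists, and since C guarantees argv[argc] is a null pointer, "sqlite3 -nonce" hands it NULL and the first string operation on it is the segfault; the "after" version checks the bound, prints a diagnostic and returns exit status 1. The function names, the enum and the error text are assumptions made for this illustration. Both versions stop the process on the spot, which is the whole point: the fix changes the failure message, not the reachability of anything.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes so both parsers can report what they would have done
 * instead of actually crashing or calling exit(1) in this process.
 * (Hypothetical names; not from SQLite.) */
enum nonce_result {
    NONCE_OK = 0,            /* -nonce absent, or present with a value */
    NONCE_WOULD_SEGFAULT,    /* unchecked parser picked up argv[argc], which is NULL */
    NONCE_MISSING_ARG        /* checked parser reported the error (CLI would exit(1)) */
};

static int is_nonce_flag(const char *z)
{
    return strcmp(z, "-nonce") == 0 || strcmp(z, "--nonce") == 0;
}

/* "Before" (hypothetical reconstruction): take argv[++i] as the flag's value
 * with no check that it exists. For "sqlite3 -nonce" that value is
 * argv[argc] == NULL, and the first strlen()/strcmp() on it would segfault.
 * We return a code instead of dereferencing so the example stays runnable. */
static enum nonce_result parse_nonce_unchecked(int argc, char **argv, const char **value)
{
    *value = NULL;
    for (int i = 1; i < argc; i++) {
        if (is_nonce_flag(argv[i])) {
            const char *v = argv[++i];       /* no bounds check on i */
            if (v == NULL)
                return NONCE_WOULD_SEGFAULT; /* real code would use v here and crash */
            *value = v;
            return NONCE_OK;
        }
    }
    return NONCE_OK;
}

/* "After" (hypothetical reconstruction): verify that a value follows the flag.
 * The process still stops immediately, but with a diagnostic and exit status 1
 * instead of SIGSEGV. The message is formatted into err so a caller can print it. */
static enum nonce_result parse_nonce_checked(int argc, char **argv, const char **value,
                                             char *err, size_t errlen)
{
    *value = NULL;
    err[0] = '\0';
    for (int i = 1; i < argc; i++) {
        if (is_nonce_flag(argv[i])) {
            if (i + 1 >= argc) {
                snprintf(err, errlen, "Error: missing argument to %s", argv[i]);
                return NONCE_MISSING_ARG;
            }
            *value = argv[++i];
            return NONCE_OK;
        }
    }
    return NONCE_OK;
}

/* Stand-alone driver: run it as "./a.out -nonce" to see both outcomes. */
int main(int argc, char **argv)
{
    const char *value;
    char err[128];

    if (parse_nonce_unchecked(argc, argv, &value) == NONCE_WOULD_SEGFAULT)
        puts("unchecked parser: would dereference NULL here (segmentation fault)");
    else
        printf("unchecked parser: nonce=%s\n", value ? value : "(none)");

    if (parse_nonce_checked(argc, argv, &value, err, sizeof err) == NONCE_MISSING_ARG) {
        fprintf(stderr, "%s\n", err);
        return 1;                            /* what the fixed CLI does: exit(1) */
    }
    printf("checked parser: nonce=%s\n", value ? value : "(none)");
    return 0;
}
```

Either way the only "victim" is the process the user just launched, with an argument the user typed. Nothing is read from a database, no attacker-controlled data crosses a privilege boundary, and the difference between the two builds is a signal versus an error string.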

This is described as:

sqlite3 v3.40.1 was discovered to contain a segmentation violation at /sqlite3_aflpp/shell.c.

What it fails to mention is that this is a segfault in the command-line shell (shell.c), not in the library, and that it simply makes the process exit immediately. I mean sure, if you explicitly pass the incorrect -nonce flag to the tool, you can make it crap out and fail whatever script or interactive session you were running. But is this a vulnerability? Come on.
