Critical Format String Flaw Hits SurrealDB
A critical format string vulnerability in SurrealDB's rquickjs engine allows authenticated users to achieve arbitrary memory access or remote code execution.
SurrealDB has released a security update to address a critical format string vulnerability, tracked as CVE-2024-58366. The flaw resides within the rquickjs Exception::throw_type function and affects all versions of the database prior to 1.1.1, potentially allowing attackers with scripting privileges to compromise the underlying system.
What's at Risk
This vulnerability impacts any organization currently running SurrealDB versions 1.1.0 or earlier where scripting capabilities are enabled. Because SurrealDB is often deployed as a high-performance database layer, systems that expose scripting interfaces to users—even those with limited privileges—are at high risk of full system compromise.
Organizations that utilize SurrealDB in internet-facing or multi-tenant environments are at particular risk, as the vulnerability requires an attacker to possess scripting privileges to trigger the flaw. If an attacker can supply malicious input to the rquickjs engine, they can bypass standard application boundaries.
How the Flaw Works
A format string vulnerability occurs when an application passes user-supplied input to a function that interprets that input as a formatting template, such as those found in C-style programming languages. When an application fails to properly sanitize or validate this input, an attacker can pass special formatting characters to the function.
In general, this class of weakness allows an attacker to manipulate the program's stack or heap memory. By using specific format specifiers, an attacker can read sensitive data directly from the process memory or, in more severe cases, overwrite memory addresses to redirect program execution flow. This can lead to arbitrary code execution, where the attacker runs malicious commands with the same privileges as the database process itself, effectively granting them full control over the host environment.
How to Protect Your Systems
- Update your SurrealDB installation to version 1.1.1 or later immediately to patch the affected
rquickjscomponent. - Review and audit all user permissions to ensure that scripting privileges are restricted to trusted users only.
- Minimize the attack surface by ensuring that database instances are not exposed to the public internet unless absolutely necessary.
- Implement network segmentation to isolate database servers from critical internal infrastructure, limiting the potential impact of a successful compromise.
- Monitor server logs for unusual scripting activity or unexpected process behavior that could indicate an attempt to exploit the memory management of the database engine.
Given the critical CVSS score of 8.5, the potential for arbitrary code execution makes this a high-priority remediation task. Organizations should prioritize patching their SurrealDB deployments to prevent attackers from leveraging this memory corruption flaw to gain unauthorized access to host systems.
Continue Reading
Russian Infrastructure Targeted by HelloNet
Threat actors are weaponizing legitimate security software updates to infiltrate high-value government and private sector networks.
SonicWall SMA Breach: Root-Level Risk
A sophisticated threat actor utilized zero-day exploits to gain deep access to SonicWall VPN appliances before official patches existed.
Critical SQL Injection Hits GisLab System
A critical SQL injection vulnerability in the GisLab Laboratory Management System allows unauthorized attackers to compromise sensitive database information.