3. An attacker who already holds a user account with full privileges can also read uninitialized memory, but such an attacker can read any memory they want anyway; the read can be escalated to remote code execution if some other vulnerable piece of software runs on the Scylla cluster. All of the above exploits can be prevented by not accepting fake length values for uncompressed data in queries. Scylla allows users to provide uncompressed data in queries through the --uncompressed option, and for fields that have no specified length it falls back to an arbitrary length_bytes value. These options can be changed in the Scylla configuration file, and in CQL (through the cqlsh command line) uncompressed data is specified with the --uncompressed option.
Scylla: How Bad Is It?
Scylla is a popular open source, high-performance NoSQL database. It is a sharded, clustered database that is compatible with Apache Cassandra: it speaks CQL (Cassandra Query Language) and is commonly deployed as a drop-in replacement for Cassandra for distributed data storage. Scylla has been the subject of multiple security vulnerabilities and exploits, some of which have led to remote code execution on the cluster.
These vulnerabilities appear to have been fixed in later versions of Scylla, but it is the responsibility of administrators and users alike to keep their software up to date (and if you also run Apache Cassandra alongside Scylla, keep that installation current as well). Check the Scylla release notes and security advisories to confirm that the release you run includes the fixes.
Test setup and preparation
To test the vulnerabilities, the attacker first needs a shell on a Scylla node, for example by exploiting a vulnerable application hosted alongside it (an Apache Struts 2 flaw is one common way in) to obtain a user account and then escalate to administrator privileges. The attacker then needs access to the database itself. Scylla speaks CQL rather than the MySQL protocol, so the tool to use is cqlsh, connecting to the CQL native transport port (9042 by default) on localhost.
Scylla CQL Injection - CVE-2021-27754
Injection is a vulnerability that occurs when an application concatenates unvalidated user input into a query string, so that the input is parsed as part of the query rather than treated as data. In Scylla's case the query language is CQL, so this is the CQL analogue of classic SQL injection. It can be exploited to read or modify data the application never intended to expose and, combined with vulnerabilities in the application, the database server, or both, to gain remote control of the database server.
Scylla was reported vulnerable to CQL injection because user input was not properly validated before being persisted into the database: the calls that insert data did not check their inputs, and a restriction on read-only fields could be bypassed so that any value a user wrote into those fields was inserted as well. An attacker with access to the Scylla instance could therefore insert arbitrary data into the database and thus execute commands on behalf of other users accessing the instance from within their network.
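As an added example (not code from this page or from the Scylla project), the following Python builds the same CQL UPDATE two ways: by string concatenation, where a single quote in the input closes the literal early and a trailing `--` comment discards the application's own WHERE clause, and with CQL literal escaping plus an identifier allow-list. The `users` table, its columns and the attacker payload are constructed for illustration and are not anything the page describes.

```python
import re

# Constructed sample schema for the demonstration: table and column names are
# assumptions for this example, not anything defined by the page or by Scylla.
TABLE = "users"
# Shape of an unquoted CQL identifier; anything else is rejected rather than escaped,
# because identifiers (unlike values) cannot be bound as query parameters.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,47}$")


def cql_quote(value: str) -> str:
    """Render a CQL string literal. The only escape CQL needs is doubling the single quote."""
    return "'" + value.replace("'", "''") + "'"


def is_valid_identifier(name: str) -> bool:
    """Allow-list check for table/column names taken from configuration or user input."""
    return IDENT_RE.match(name) is not None


def build_update_unsafe(table: str, new_email: str, username: str) -> str:
    # VULNERABLE: raw concatenation. A quote inside new_email terminates the literal,
    # everything after it is parsed as CQL, and "--" comments out the real WHERE clause.
    return f"UPDATE {table} SET email = '{new_email}' WHERE username = '{username}'"


def build_update_safe(table: str, new_email: str, username: str) -> str:
    # Hardened form: values are escaped so attacker text stays inside the literal,
    # and the identifier is validated instead of interpolated blindly.
    # With the Python Cassandra/Scylla driver the values would instead be bound as
    # parameters, e.g. session.execute("UPDATE users SET email = %s WHERE username = %s",
    # (new_email, username)), which never builds the statement as text at all.
    if not is_valid_identifier(table):
        raise ValueError(f"refusing unsafe identifier: {table!r}")
    return (
        f"UPDATE {table} SET email = {cql_quote(new_email)} "
        f"WHERE username = {cql_quote(username)}"
    )


def demo() -> dict:
    # Constructed payload: the attacker appears to update their own e-mail address,
    # but the value rewrites the WHERE clause so the admin row is changed instead,
    # a typical first step toward an account-recovery takeover.
    payload = "attacker@evil.example' WHERE username = 'admin' --"
    return {
        "unsafe": build_update_unsafe(TABLE, payload, "alice"),
        "safe": build_update_safe(TABLE, payload, "alice"),
    }


if __name__ == "__main__":
    for label, statement in demo().items():
        print(f"{label}: {statement}")
```

In the unsafe output the statement that reaches the server targets `username = 'admin'`; in the safe output the whole payload, quotes and comment marker included, is a single string value written to alice's own row.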
Scylla query editor
The Scylla query editor is a feature that lets users author their queries. It provides an interface for designing and debugging queries similar to that of a SQL query editor, with syntax highlighting and a set of features not available elsewhere in CQL tooling (e.g. text search).
Scylla CQL Injection Protection
Scylla's injection protection (also known as zero-length protection) helps prevent injection vulnerabilities by letting users specify the length of binary data in queries explicitly. It is not enabled by default and can be configured through the Scylla configuration file or from the cqlsh command line.
Timeline
Published on: 09/15/2022 22:15:00 UTC
Last modified on: 09/21/2022 14:17:00 UTC