In early June 2024, a severe buffer overflow vulnerability—CVE-2024-41436—was uncovered in ClickHouse v24.3.3.102. The security hole exists in the DB::evaluateConstantExpressionImpl function. This function is responsible for evaluating constant expressions inside the ClickHouse database engine. When it doesn’t properly check buffer boundaries, it opens a dangerous flaw: attackers can exploit this to crash the database or even execute arbitrary code.
This post breaks down CVE-2024-41436 in simple terms, shows code snippets, links key resources, and walks you through exploitation details so you can understand the real risks—especially if you’re running ClickHouse.
## What is ClickHouse?
ClickHouse is a blazing-fast, open-source, column-oriented database management system frequently used for online analytical processing (OLAP). Its growing popularity means any high-severity problem can impact data-driven companies worldwide.
## How the Flaw Works
The core of the issue is that DB::evaluateConstantExpressionImpl parses and evaluates constant expressions without appropriately checking if output fits in the destination buffer. If attackers can control what’s being parsed—especially complex or oversized constant expressions—they can make the function write beyond the bounds of the buffer.
This lets a remote attacker:

- Crash ClickHouse (segmentation fault / DoS)
A slightly simplified look at the risky logic:

```cpp
// ClickHouse pseudo code (not exact source)
void DB::evaluateConstantExpressionImpl(const String &expr) {
    char buffer[256];
    // Risk: 'expr' can be user-controlled and much longer than 256 bytes
    strcpy(buffer, expr.c_str()); // No bounds checking!
    // ... process 'buffer' ...
}
```
If the input expr is longer than 256 bytes, the unsafe strcpy writes past buffer’s end, corrupting memory.
## The Actual Commit
You can view the real (and patched) code in ClickHouse’s GitHub repo.
## Exploit Scenario

Here’s how an attacker could exploit this buffer overflow—assuming they have any vector to inject a large constant expression (for example, via a SQL query):

```sql
SELECT 1
WHERE
    (SELECT evaluateConstantExpression(
        REPEAT('A', 100) -- 100 chars, much longer than the buffer
    ));
```
If ClickHouse parses this query and reaches the risky function, it will attempt to copy the 100 "A"s into a 256-byte buffer, overflowing it.
Suppose you have access to ClickHouse (e.g., via the HTTP API):

```python
import requests

# Build the query with an oversized string literal
data = "SELECT evaluateConstantExpression('" + "A" * 100 + "')"
r = requests.post('http://localhost:8123/', data=data)
print(r.text)
```
If the server crashes or misbehaves, the exploit is likely working.
## Impact

- DoS – Most likely, attackers can crash ClickHouse processes by feeding oversized inputs.
- Arbitrary Code Execution – With more sophistication (especially using heap spraying or ROP chains), attackers could potentially gain remote code execution rights as the database process.
- Sensitive Data Exposure – Compromising the process’s memory could grant access to sensitive data.

## Am I Affected?

```shell
clickhouse-server --version
```

If you’re running v24.3.3.102 or earlier, assume you are at risk.
---
## Patch & Recommendations
The ClickHouse team patched this bug quickly. See GitHub PR #64480 for the actual fix. The repaired code uses strncpy or more modern safe string functions along with strict bounds checks:

```cpp
strncpy(buffer, expr.c_str(), sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0'; // secure zero-termination
```
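The unsafe copy from the pseudo code in "How the Flaw Works" and the bounded copy from the patch, side by side in a form you can compile and test. This is an added example, not ClickHouse's source and not the code in PR #64480; the 256-byte buffer size is taken from this post, and the `copyOrReject` variant is an assumed design choice shown for comparison. It also makes the one subtlety of the patched form explicit: `strncpy` writes no terminator when the source fills the buffer, so the manual `'\0'` is what keeps the copy safe.

```cpp
// Added example (not ClickHouse code): bounded replacements for an unchecked
// strcpy into a fixed-size buffer. kBufferSize matches the 256 bytes in the post.
#include <cstring>
#include <iostream>
#include <string>

constexpr size_t kBufferSize = 256;

enum class CopyStatus { Ok, Truncated, Rejected };

struct CopyResult {
    CopyStatus status;
    size_t storedLength;  // strlen() of what ended up in the buffer
};

// Pattern 1 (the patched form): strncpy plus an explicit terminator.
// strncpy stops after dstSize - 1 bytes and does NOT terminate when the
// source is at least that long, so dst[dstSize - 1] = '\0' is mandatory.
// Oversized input is silently truncated: memory-safe, but the expression
// the engine sees is no longer the one the client sent.
CopyStatus copyTruncating(char *dst, size_t dstSize, const std::string &src) {
    std::strncpy(dst, src.c_str(), dstSize - 1);
    dst[dstSize - 1] = '\0';
    return src.size() < dstSize ? CopyStatus::Ok : CopyStatus::Truncated;
}

// Pattern 2 (assumed stricter design): check the length first and refuse
// input that does not fit, so an expression is never altered behind the
// caller's back. The caller turns Rejected into a query error.
CopyStatus copyOrReject(char *dst, size_t dstSize, const std::string &src) {
    if (src.size() >= dstSize)  // leave room for the terminator
        return CopyStatus::Rejected;
    std::memcpy(dst, src.c_str(), src.size() + 1);  // +1 copies the '\0'
    return CopyStatus::Ok;
}

// Stand-ins for the evaluate step: copy into a stack buffer the way the
// pseudo code does, but with a bounded copy, and report what was stored.
CopyResult evaluateWithTruncation(const std::string &expr) {
    char buffer[kBufferSize];
    CopyStatus status = copyTruncating(buffer, sizeof(buffer), expr);
    return {status, std::strlen(buffer)};
}

CopyResult evaluateWithRejection(const std::string &expr) {
    char buffer[kBufferSize];
    CopyStatus status = copyOrReject(buffer, sizeof(buffer), expr);
    return {status, status == CopyStatus::Ok ? std::strlen(buffer) : 0};
}

int main() {
    // Constructed inputs: one that fits and one far larger than the buffer.
    for (size_t n : {100, 1000}) {
        CopyResult t = evaluateWithTruncation(std::string(n, 'A'));
        CopyResult r = evaluateWithRejection(std::string(n, 'A'));
        std::cout << n << " bytes: truncating stored " << t.storedLength
                  << " bytes, rejecting "
                  << (r.status == CopyStatus::Rejected ? "refused" : "accepted")
                  << " the input\n";
    }
    return 0;
}
```

Whichever pattern a code base adopts, the property to check is the same: no input length may ever produce a stored length of `kBufferSize` or more, and the buffer must always be terminated.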
### What you should do
- Upgrade immediately to the latest ClickHouse release
- Restrict public access to your ClickHouse servers
- Monitor logs for suspicious long expressions and sudden server restarts
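A concrete form of the "monitor logs for suspicious long expressions" advice, as an added example rather than anything shipped with ClickHouse: scan server-log lines for queries whose longest single-quoted string literal exceeds a limit. The log lines below are constructed to resemble ClickHouse's `executeQuery` debug lines; the `executeQuery: ` marker and the `(from host:port)` prefix are assumptions about the format and should be adjusted to what your deployment actually writes.

```cpp
// Added example (not ClickHouse code): flag log lines carrying oversized
// string literals, a cheap signal for the kind of input this post describes.
#include <string>
#include <vector>

struct Finding {
    size_t lineNumber;     // 1-based index into the scanned lines
    size_t literalLength;  // length of the longest quoted literal found
};

// Length of the longest '...' literal in a query, treating '' and \' as
// escaped quotes rather than as the end of the literal.
size_t longestStringLiteral(const std::string &query) {
    size_t longest = 0, current = 0;
    bool inLiteral = false;
    for (size_t i = 0; i < query.size(); ++i) {
        char c = query[i];
        if (!inLiteral) {
            if (c == '\'') { inLiteral = true; current = 0; }
            continue;
        }
        if (c == '\\' && i + 1 < query.size()) { ++i; ++current; continue; }
        if (c == '\'') {
            if (i + 1 < query.size() && query[i + 1] == '\'') { ++i; ++current; continue; }
            inLiteral = false;
            if (current > longest) longest = current;
            continue;
        }
        ++current;
    }
    return longest;
}

// Only lines that carry a query are inspected; everything after the marker
// is treated as query text. Lines whose longest literal exceeds `limit`
// are reported with their position so they can be pulled for review.
std::vector<Finding> flagOversizedLiterals(const std::vector<std::string> &logLines,
                                           size_t limit) {
    const std::string marker = "executeQuery: ";
    std::vector<Finding> findings;
    for (size_t n = 0; n < logLines.size(); ++n) {
        size_t pos = logLines[n].find(marker);
        if (pos == std::string::npos) continue;
        size_t len = longestStringLiteral(logLines[n].substr(pos + marker.size()));
        if (len > limit) findings.push_back({n + 1, len});
    }
    return findings;
}

// Constructed sample log: two ordinary queries, one with a 300-byte literal,
// and one non-query line that must be ignored.
std::vector<std::string> sampleLogLines() {
    return {
        "2024.06.05 12:00:01.000001 [ 1 ] {q1} <Debug> executeQuery: (from 10.0.0.5:41234) SELECT 1",
        "2024.06.05 12:00:02.000002 [ 1 ] {q2} <Debug> executeQuery: (from 10.0.0.5:41234) SELECT length('it''s fine')",
        "2024.06.05 12:00:03.000003 [ 2 ] {q3} <Debug> executeQuery: (from 10.0.0.9:50001) SELECT length('"
            + std::string(300, 'A') + "')",
        "2024.06.05 12:00:04.000004 [ 1 ] {q3} <Information> Application: Starting up",
    };
}
```

A limit of 255 mirrors the 256-byte buffer discussed in this post; in practice, set it from the literal lengths your own workload produces and alert on the outliers, ideally correlated with the server restarts the same bullet mentions.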
---
## References
- Official ClickHouse Security Advisories
- Upstream Fix PR #64480 (GitHub)
- CVE-2024-41436 at NVD
---
## Final Thoughts
CVE-2024-41436 is a classic buffer overflow in a modern, widely used data platform. It’s a vivid reminder to keep up with security patches and monitor how your applications process user input—even in backend systems. ClickHouse users should patch *now* to prevent easy exploitation.
Have more questions or need help? [Contact ClickHouse Security Team](mailto:security@clickhouse.com).
Stay safe and keep your databases secure!
## Timeline
Published on: 09/03/2024 19:15:14 UTC
Last modified on: 09/03/2024 20:35:15 UTC