External risk intelligence

SurrealDB Format String Vulnerability Allows Memory Read and Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2024-58366

SurrealDB is a database often deployed in network-accessible environments. However, the vulnerability specifically requires an attacker to already possess scripting privileges, meaning exposure is not simply a matter of reaching an internet-facing endpoint, but also requires authentication and specific authorization levels within the application.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A format string vulnerability has been identified in SurrealDB when scripting is enabled. This issue could allow an attacker with existing scripting privileges to potentially read arbitrary memory or execute code, impacting the integrity and confidentiality of the database process. The primary concern is confirming if our environment utilizes SurrealDB with scripting enabled.

  • Vulnerability allows unauthorized memory access or code execution.
  • Potentially affects data integrity and process control.
  • Confirm SurrealDB scripting usage and relevance.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by first gaining scripting privileges within SurrealDB. Once authenticated and authorized for scripting, they could then submit specially crafted error messages containing format string sequences. If the scripting feature is enabled, these malicious inputs could be processed by the vulnerable function, potentially leading to the disclosure of sensitive information or the execution of arbitrary code with the privileges of the SurrealDB process.

  • Entry: Scripting privileges required.
  • Trigger: Format strings in error inputs.
  • Risk: Read memory or execute code.

Live Threat

Current exploitation, exposure, and threat context

When scripting is enabled, a format string vulnerability in SurrealDB could allow an attacker with existing scripting privileges to read arbitrary memory or execute code within the SurrealDB process. This is possible when format string sequences are supplied in error inputs.

  • System memory and code execution.
  • Supplying format string sequences in error inputs.
  • Unauthorized code execution and data access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability requires attackers to have scripting privileges within SurrealDB, indicating that application owners and platform teams are likely the primary points of contact. The first practical step is to identify all SurrealDB instances, confirm their network accessibility and business criticality, and then determine the accountable owner before planning remediation.

  • Application owners to manage the issue.
  • Verify scripting privilege access.
  • Plan remediation based on criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is SurrealDB?

SurrealDB is a multi-model database designed for web, mobile, and server-side applications. It supports advanced features like embedded scripting to handle complex data operations and logic directly within the database environment, making it a flexible choice for developers building modern, distributed applications.

What does CWE-134 mean for CVE-2024-58366?

CWE-134 refers to an Uncontrolled Format String weakness. In this context, it means that if the software takes user-provided input and treats it as a command for formatting text without proper validation, an attacker can manipulate the program's behavior. This vulnerability allows the input to be interpreted as instructions, potentially granting access to system memory or allowing the execution of unauthorized commands.

How can an attacker trigger this vulnerability?

An attacker triggers the flaw by injecting specific format string sequences into error inputs, but this only works if they already have scripting privileges within the database. The vulnerability remains dormant if scripting features are disabled, as the vulnerable function responsible for throwing exceptions would not be reached in the same way.

Do I need to worry if my SurrealDB is internet-facing?

While internet-facing instances are generally higher risk, Halo Surface Signal notes that reachability is not the only factor. Because the vulnerability requires existing scripting privileges, an attacker must first successfully authenticate and obtain specific authorization levels within the application before they can leverage this issue.

What should I do if I use SurrealDB?

First, conduct an inventory of all SurrealDB instances in your environment to identify which are currently in use. Determine if the scripting feature is enabled on these servers, as this is the primary requirement for the vulnerability to be active. Coordinate with your application owners to prioritize these instances for updates or configuration changes.

References