VYPR
Unrated severity · NVD Advisory · Published Jan 14, 2025 · Updated Jan 15, 2025

CVE-2024-57646

Description

An issue in the psiginfo component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted SQL statement causes a crash in the psiginfo component of OpenLink Virtuoso v7.2.11, leading to denial of service.

Vulnerability

The bug resides in the psiginfo component of OpenLink Virtuoso Open-Source v7.2.11. A specially crafted SQL statement (an UPDATE with a subquery containing arithmetic, string operations, and GROUP BY with HAVING) triggers a segmentation fault in the psiginfo function, as shown by the backtrace [1]. The issue is reproducible on the official Docker image pkleef/virtuoso-opensource-7 [1].

Exploitation

An attacker needs network access to a running Virtuoso instance and must be able to execute arbitrary SQL statements (e.g., using isql). The attack involves sending a single crafted SQL statement (the UPDATE below, run against the table created by the preceding CREATE TABLE), such as:

CREATE TABLE v0 ( v2 INT , v1 VARCHAR(80) PRIMARY KEY ) ;
UPDATE v0 SET v1 = 'abcf%' WHERE v1 IN ( SELECT 18018 / 6 FROM v0 WHERE v2 = '%n' GROUP BY '%H:%M:%f' HAVING v2 < 64 ) ;

No authentication is required beyond what the server exposes; the fuzzer PoC connects via isql with the default dba password [1].

Impact

Successful exploitation causes the database server to crash, resulting in a denial of service (DoS). The crash is a segmentation fault in the psiginfo function, as evidenced by the backtrace [1]. No data corruption or unauthorized access is reported.

Mitigation

As of the publication date, no fix has been released for OpenLink Virtuoso v7.2.11 [1]. Until a vendor patch is available, the only workaround is to limit exposure: restrict network access to the Virtuoso instance and monitor for unusual SQL statements. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog.
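One way to act on "monitor for unusual SQL statements", as an added example that is not part of the advisory or of Virtuoso: a triage heuristic that flags UPDATE statements whose subquery groups by a string constant and uses HAVING, the shape of the statement quoted above. The `ts|user|sql` log format, the sample lines and all function names are assumptions made for illustration.

```python
import re

# Heuristic for the *shape* of the statement quoted on this page: an UPDATE whose
# subquery groups by a string constant and filters with HAVING. The root cause is
# not documented, so this is a triage aid, not a signature for the bug.
UPDATE = re.compile(r"\s*UPDATE\b", re.I)
SELECT = re.compile(r"\s*SELECT\b", re.I)
GROUP_BY_CONST = re.compile(r"\bGROUP\s+BY\s+''", re.I)
HAVING = re.compile(r"\bHAVING\b", re.I)

def mask_literals(sql):
    """Replace every '...' literal (with '' escapes) by an empty literal."""
    return re.sub(r"'(?:[^']|'')*'", "''", sql)

def subqueries(sql):
    """Yield each parenthesised SELECT body, innermost first."""
    stack = []
    for i, ch in enumerate(sql):
        if ch == "(":
            stack.append(i)
        elif ch == ")" and stack:
            body = sql[stack.pop() + 1:i]
            if SELECT.match(body):
                yield body

def is_suspicious(sql):
    """True if an UPDATE has a subquery with GROUP BY <string constant> and HAVING."""
    masked = mask_literals(sql)  # keywords inside string data can no longer match
    if not UPDATE.match(masked):
        return False
    return any(GROUP_BY_CONST.search(q) and HAVING.search(q)
               for q in subqueries(masked))

def scan(log_lines):
    """Return (line_no, user) per flagged entry; 'ts|user|sql' format is assumed."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        ts, user, sql = line.split("|", 2)
        if is_suspicious(sql):
            hits.append((n, user))
    return hits

# Constructed sample log (hypothetical 'ts|user|sql' format, not Virtuoso's own).
SAMPLE_LOG = [
    "2025-01-15T10:00:01Z|app|UPDATE v0 SET v1 = 'x' WHERE v2 IN (SELECT v2 FROM v0 GROUP BY v2 HAVING v2 < 64)",
    "2025-01-15T10:00:02Z|dba|UPDATE v0 SET v1 = 'abcf%' WHERE v1 IN ( SELECT 18018 / 6 FROM v0 WHERE v2 = '%n' GROUP BY '%H:%M:%f' HAVING v2 < 64 ) ;",
    "2025-01-15T10:00:03Z|app|UPDATE v0 SET v1 = '(SELECT 1 GROUP BY ''a'' HAVING 1)' WHERE v2 = 1",
]
```

Only the second sample line is flagged: the first groups by a column, and the third carries the keywords inside string data, which is masked before matching.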

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
