CVE-2020-26759

9.8 CRITICAL

📋 TL;DR

CVE-2020-26759 is a critical buffer overflow vulnerability in clickhouse-driver that allows a malicious ClickHouse server to crash client applications or execute arbitrary code on client systems. This affects any application using vulnerable versions of the clickhouse-driver library to connect to ClickHouse databases. The vulnerability is triggered by specially crafted server responses.

💻 Affected Systems

Products:
  • clickhouse-driver
Versions: All versions before 0.1.5
Operating Systems: All operating systems where clickhouse-driver is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using clickhouse-driver to connect to ClickHouse databases is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution on client systems, potentially leading to full compromise of client machines and lateral movement within networks.
🟠 Likely Case: Client application crashes leading to denial of service and potential data loss or corruption in applications relying on ClickHouse connectivity.
🟢 If Mitigated: Limited impact if clients only connect to trusted ClickHouse servers and have proper network segmentation.

🌐 Internet-Facing: HIGH - Clients connecting to untrusted or compromised ClickHouse servers over the internet are at significant risk.
🏢 Internal Only: MEDIUM - Risk exists but can be mitigated by controlling ClickHouse server access and implementing network segmentation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a malicious or compromised ClickHouse server, but no authentication is needed on the client side once a connection is established.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.5 and later

Vendor Advisory: https://github.com/mymarilyn/clickhouse-driver/commit/3e990547e064b8fca916b23a0f7d6fe8c63c7f6b

Restart Required: Yes

Instructions:

1. Identify applications using clickhouse-driver.
2. Update clickhouse-driver to version 0.1.5 or later using pip: 'pip install --upgrade "clickhouse-driver>=0.1.5"' (the quotes keep the shell from treating '>' as a redirect).
3. Restart all applications using the updated library.

🔧 Temporary Workarounds

Restrict ClickHouse Server Connections (applies to: all): Configure clients to only connect to trusted, verified ClickHouse servers

Network Segmentation (applies to: all): Implement network controls to prevent clients from connecting to untrusted ClickHouse servers

🧯 If You Can't Patch

  • Implement strict network segmentation to ensure clients only connect to trusted, internal ClickHouse servers
  • Monitor for unusual behavior in ClickHouse client applications and implement application-level firewalls

🔍 How to Verify

Check if Vulnerable:

Check the clickhouse-driver version in the Python environment with 'pip show clickhouse-driver', or check requirements.txt/Pipfile.lock for a version below 0.1.5

Check Version:

pip show clickhouse-driver | grep Version

Verify Fix Applied:

Verify that the clickhouse-driver version is 0.1.5 or higher: 'pip show clickhouse-driver | grep Version' should show 0.1.5 or later
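The version checks above can be automated across many projects. The script below is an added example for this advisory (not code from the clickhouse-driver project): it classifies clickhouse-driver pins in requirements text as vulnerable, fixed, or unpinned relative to 0.1.5, and reports the version installed in the running interpreter. The sample requirements content is constructed for illustration.

```python
"""Audit clickhouse-driver versions against the CVE-2020-26759 fix (0.1.5). Added example, not project code."""
import re
from importlib import metadata

FIXED = (0, 1, 5)  # first release carrying the fix, per the advisory
# One clause per line; multi-clause specifiers such as ">=0.1.0,<0.2" are only read up to the first clause.
REQ_RE = re.compile(r"^\s*clickhouse[-_]driver\s*(==|~=|>=|<=|>|<)?\s*([0-9][0-9A-Za-z.]*)?", re.I)

# Constructed sample requirements.txt content (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
clickhouse-driver==0.1.4        # pinned below the fix
clickhouse_driver >= 0.1.5      # lower bound at the fix
clickhouse-driver<0.1.5         # upper bound excludes the fix
clickhouse-driver               # unpinned: depends on what pip resolves
"""

def parse_version(text):
    """'0.1.5' -> (0, 1, 5); non-numeric pieces such as 'rc1' or 'post1' are ignored."""
    return tuple(int(m.group()) for m in (re.match(r"\d+", p) for p in text.split(".")) if m)

def classify_specifier(op, ver):
    """Map one pip specifier to 'vulnerable', 'fixed' or 'unpinned' (resolved version must be checked)."""
    if not op or not ver:
        return "unpinned"
    v = parse_version(ver)
    if op == "==":
        return "vulnerable" if v < FIXED else "fixed"
    if op in ("~=", ">=", ">"):   # lower bound: safe only if the bound itself is already >= 0.1.5
        return "fixed" if v >= FIXED else "unpinned"
    if op == "<":                 # upper bound that can never reach 0.1.5 is vulnerable
        return "vulnerable" if v <= FIXED else "unpinned"
    return "vulnerable" if v < FIXED else "unpinned"   # op == "<="

def audit_requirements(text):
    """Return [(requirement_line, verdict)] for every clickhouse-driver entry in requirements text."""
    results = []
    for raw in text.splitlines():
        m = REQ_RE.match(raw.split("#", 1)[0])   # ignore trailing comments
        if m:
            results.append((raw.split("#", 1)[0].strip(), classify_specifier(m.group(1), m.group(2))))
    return results

def installed_status():
    """Same check as 'pip show clickhouse-driver | grep Version', for the running interpreter."""
    try:
        ver = metadata.version("clickhouse-driver")
    except metadata.PackageNotFoundError:
        return None, "not installed"
    return ver, "vulnerable" if parse_version(ver) < FIXED else "fixed"
```

An "unpinned" verdict means the file alone does not decide the outcome; check the version pip actually resolved (a lock file or installed_status()) for that environment.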

📡 Detection & Monitoring

Log Indicators:

  • Unexpected crashes of ClickHouse client applications
  • Memory access violation errors in application logs
  • Abnormal termination of processes using clickhouse-driver

Network Indicators:

  • Connections from clients to untrusted or external ClickHouse servers
  • Unusual network patterns from ClickHouse server to clients

SIEM Query:

source="application_logs" AND ("clickhouse-driver" OR "clickhouse") AND ("crash" OR "segmentation fault" OR "buffer overflow" OR "access violation")

🔗 References
