
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-26273 is a security vulnerability in osquery that allows unauthorized filesystem access through SQLite's ATTACH command. It was discovered and disclosed in December 2020 and affects osquery versions prior to 4.6.0. Users with administrative access to osquery can use it to read and write arbitrary SQLite databases on disk (GitHub Advisory).
The vulnerability is classified as CWE-77 (Command Injection) and received a Moderate severity rating. The issue stems from the improper handling of SQLite's ATTACH verb, which could be exploited to create or modify SQLite database files on the system. While the vulnerability allows for file creation, it is limited to SQLite database files and cannot overwrite existing non-SQLite files (GitHub Advisory).
An attacker with administrative access to osquery can create and modify SQLite database files anywhere on the system where they have write permissions. This enables arbitrary SQLite database file creation, but it cannot be used to overwrite existing non-SQLite files. That limitation constrains the potential damage somewhat, but the issue still presents a security risk in terms of data manipulation and storage (GitHub Advisory).
The vulnerability was patched in osquery version 4.6.0, which implements an SQLite authorizer to mitigate CVE-2020-26273. For deployments unable to update immediately, several workarounds are available: running osquery as a non-root user, using central management tools to filter for the ATTACH keyword, or implementing specific deployment configurations based on security requirements (GitHub Release, GitHub Advisory).
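The following added example (not osquery's own code) illustrates the SQLite authorizer mechanism the fix relies on, using Python's standard `sqlite3` binding. The `processes` table, its row, and the target file name are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile


def deny_attach_authorizer(action, arg1, arg2, db_name, source):
    """SQLite calls this while compiling every statement.

    Because the decision is made on the parsed action code, not on the
    query text, keyword casing or spacing in the SQL does not matter.
    """
    if action in (sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_restricted():
    """Open an in-memory database, seed it, then install the authorizer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT)")  # constructed
    conn.execute("INSERT INTO processes VALUES (1, 'init')")         # constructed
    conn.set_authorizer(deny_attach_authorizer)
    return conn


def run_query(conn, sql):
    """Return ('ok', rows) or ('denied', error text) for one statement."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)


def demo():
    conn = open_restricted()
    # Constructed path inside a fresh temporary directory.
    target = os.path.join(tempfile.mkdtemp(), "constructed.db")
    results = {
        "select": run_query(conn, "SELECT pid, name FROM processes"),
        "attach": run_query(conn, f"ATTACH DATABASE '{target}' AS extra"),
        "mixed_case": run_query(conn, f"aTtAcH '{target}' AS extra2"),
    }
    # The statement is rejected at compile time, so no file is ever created.
    results["file_created"] = os.path.exists(target)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

An authorizer is stricter than the keyword-filtering workaround because it acts on what SQLite parsed rather than on a text match in a management layer.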
Source: This report was generated using AI