www.belgium.be Logo of the federal government

Warning - Critical vulnerability in ClamAV could lead to RCE

Reference: 
Advisory #2023-0019
Version: 
1.0
Affected software: 
ClamAV
v1.0.0 and earlier
v0.105.1 and earlier
v0.103.7 and earlier
Type: 
Unauthenticated RCE, Information disclosure
CVE/CVSS: 

CVE-2023-20032

CVE-2023-20052

Date: 
17/02/2023

Sources

ClamAV - https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

Risks

Successful exploitation of CVE-2023-20032 could allow an unauthenticated attacker to remotely execute code with the privileges of the ClamAV process.

Successful exploitation of CVE-2023-20052 could allow an unauthenticated attacker to leak bytes from any file that may be read by the ClamAV scanning process.

Description

ClamAV is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats. It is often integrated in other products such as NAS devices, mail gateways, ...

CVE-2023-20032 is a possible remote code execution vulnerability in the HFS+ file parser. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition.

CVE-2023-20052 is a possible remote information leak vulnerability in the DMG file parser. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.

Both issues affect versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Since ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy, it will not be patched.

Based on vendor information both CVEs are not exploited in the wild.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions in order to mitigate the impact of this vulnerability in the most efficient way:

Scope

If it does not exist yet, create an inventory that includes all the infrastructure from your organisation and check per entry if ClamAV is used. Note certain appliances might include a copy of ClamAV in their installation package.

Patch

ClamAV released the following critical patch versions for ClamAV:

0.103.8

0.105.2

1.0.1

Since ClamAV 0.104 has reached end-of-life, anyone using ClamAV 0.104 must switch to one of supported versions mentioned above.

Monitor/Detect

The CCB recommends organisations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion. The involved file types should not be observed in normal mail traffic for example.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred in the time between a patch becoming available and being applied.

References

 Cisco advisory - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdv...

 Cisco advisory - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdv...