Warning - Critical vulnerability in ClamAV could lead to RCE
CVE-2023-20032
CVE-2023-20052
Sources
ClamAV - https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
Risks
Successful exploitation of CVE-2023-20032 could allow an unauthenticated attacker to remotely execute code with the privileges of the ClamAV process.
Successful exploitation of CVE-2023-20052 could allow an unauthenticated attacker to leak bytes from any file that may be read by the ClamAV scanning process.
Description
ClamAV is an open-source antivirus engine for detecting trojans, viruses, malware and other malicious threats. It is often integrated into other products such as NAS devices, mail gateways, etc.
CVE-2023-20032 is a possible remote code execution vulnerability in the HFS+ file parser. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition.
CVE-2023-20052 is a possible remote information leak vulnerability in the DMG file parser. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.
Both issues affect versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Since ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy, it will not be patched.
Based on vendor information, neither CVE is being exploited in the wild.
Recommended Actions
The Centre for Cyber Security Belgium strongly recommends that system administrators take the following actions to mitigate the impact of these vulnerabilities in the most efficient way:
Scope
If it does not exist yet, create an inventory that includes all of your organisation's infrastructure and check, per entry, whether ClamAV is used. Note that certain appliances might include a copy of ClamAV in their installation package.
Patch
ClamAV released the following critical patch versions:
0.103.8
0.105.2
1.0.1
Since ClamAV 0.104 has reached end-of-life, anyone using ClamAV 0.104 must switch to one of the supported versions mentioned above.
Monitor/Detect
The CCB recommends that organisations upscale monitoring and detection capabilities to detect any related suspicious activity, ensuring a fast response in case of an intrusion. For example, the file types involved (HFS+ and DMG images) should not be observed in normal mail traffic.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred in the time between a patch becoming available and being applied.
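For the mail-traffic check mentioned under Monitor/Detect, the following added example (not code from the CCB, ClamAV or Cisco) flags DMG and HFS+ images in a message by content rather than by file name or declared MIME type. The function names and the sample message are constructed for illustration; the magic values come from the UDIF and HFS+ formats, not from the advisory, and images wrapped inside another archive are not recognised.

```python
import email
from email import policy
from email.message import EmailMessage

UDIF_TRAILER_LEN = 512    # a DMG (UDIF) ends with a 512-byte trailer starting with b"koly"
HFS_HEADER_OFFSET = 1024  # the HFS+/HFSX volume header sits 1024 bytes into the volume
HFS_SIGNATURES = {b"H+": 4, b"HX": 5}  # signature -> expected version field

def classify(data: bytes):
    """Return 'dmg', 'hfs+' or None, judged on content rather than file name."""
    if len(data) >= UDIF_TRAILER_LEN and data[-UDIF_TRAILER_LEN:][:4] == b"koly":
        return "dmg"
    header = data[HFS_HEADER_OFFSET:HFS_HEADER_OFFSET + 4]
    if len(header) == 4:
        # Checking the version field as well cuts false positives on a 2-byte magic.
        expected_version = HFS_SIGNATURES.get(header[:2])
        if expected_version == int.from_bytes(header[2:], "big"):
            return "hfs+"
    return None

def flag_message(raw: bytes):
    """List (filename, kind) for every MIME leaf part that is a DMG or HFS+ image."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        kind = classify(part.get_payload(decode=True) or b"")
        if kind:
            hits.append((part.get_filename(), kind))
    return hits

def build_sample() -> bytes:
    """Constructed test message: two disguised images and one harmless attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    fake_dmg = b"\x00" * 2048 + b"koly" + b"\x00" * 508
    fake_hfs = b"\x00" * 1024 + b"H+\x00\x04" + b"\x00" * 1020
    msg.add_attachment(fake_dmg, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(fake_hfs, maintype="application", subtype="octet-stream", filename="disk.img")
    msg.add_attachment(b"%PDF-1.7 ordinary", maintype="application", subtype="pdf", filename="real.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, kind in flag_message(build_sample()):
        print(f"ALERT {kind} content in attachment {name!r}")
```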
References
Cisco advisory - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdv...
Cisco advisory - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdv...