Critical RCE Vulnerability Discovered in ClamAV Open Source Antivirus Software

Feb 17, 2023 · Ravie Lakshmanan · Sysadmin / Endpoint Security

ClamAV Open-Source Antivirus Software

Cisco has rolled out security updates to address a critical flaw
reported in the ClamAV open source antivirus engine that could lead
to remote code execution on susceptible devices.

Tracked as CVE-2023-20032[1]
(CVSS score: 9.8), the issue is a remote code execution bug in the
HFS+ file parser component.

The flaw affects versions 1.0.0 and earlier, 0.105.1 and
earlier, and 0.103.7 and earlier. Google security engineer Simon
Scannell has been credited with discovering and reporting the
bug.

“This vulnerability is due to a missing buffer size check that
may result in a heap buffer overflow write,” Cisco Talos said[2]
in an advisory. “An attacker could exploit this vulnerability by
submitting a crafted HFS+ partition file to be scanned by ClamAV on
an affected device.”

Successful exploitation of the weakness could enable an
adversary to run arbitrary code with the same privileges as that of
the ClamAV scanning process, or crash the process, resulting in a
denial-of-service (DoS) condition.

The networking equipment maker said the following products are
vulnerable –

  • Secure Endpoint, formerly Advanced Malware Protection (AMP) for
    Endpoints (Windows, macOS, and Linux)
  • Secure Endpoint Private Cloud, and
  • Secure Web Appliance, formerly Web Security Appliance

It further confirmed that the vulnerability does not impact
Secure Email Gateway (formerly Email Security Appliance) and Secure
Email and Web Manager (formerly Security Management Appliance)
products.

Also patched by Cisco is a remote information leak vulnerability
in ClamAV’s DMG file parser (CVE-2023-20052, CVSS score: 5.3) that
could be exploited by an unauthenticated, remote attacker.

“This vulnerability is due to enabling XML entity substitution
that may result in XML external entity injection,” Cisco noted[3]. “An attacker could
exploit this vulnerability by submitting a crafted DMG file to be
scanned by ClamAV on an affected device.”
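The XML entity substitution the advisory describes, as an added illustration that is not ClamAV's code: a constructed plist-style document (DMG images carry an XML property list) is parsed by Python's standard-library SAX parser once with external general entities enabled, the weak setting, and once with the stdlib default, where the reference is skipped. The entity's target is a constructed temporary file, and the names `parse_plist_text`, `TextCollector` and `demo` are assumptions.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects every character-data event the parser emits."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_plist_text(xml_bytes, resolve_external_entities):
    # resolve_external_entities=True is the weak setting: a SYSTEM entity is
    # read from disk and substituted into the document. False (the stdlib
    # default) leaves the reference unresolved, so nothing leaks.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def demo():
    """Return (text with substitution on, text with it off) for a crafted plist."""
    marker = "LOCAL-FILE-CONTENTS"  # constructed stand-in for a file on the scanner
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(marker)
        path = fh.name
    try:
        # Constructed plist-style XML: the internal DTD subset declares an
        # external entity and the <string> value references it.
        doc = (
            f'<!DOCTYPE plist [ <!ENTITY ext SYSTEM "{path}"> ]>'
            '<plist version="1.0"><dict><key>name</key>'
            "<string>&ext;</string></dict></plist>"
        ).encode()
        return (parse_plist_text(doc, True), parse_plist_text(doc, False))
    finally:
        os.unlink(path)
```

The first value returned by `demo()` contains the file's marker text; the second contains only the document's own text, which is the behaviour a scanner's parser configuration should be checked against.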

It’s worth pointing out that CVE-2023-20052 does not affect
Cisco Secure Web Appliance. That said, both vulnerabilities have
been addressed in ClamAV versions 0.103.8, 0.105.2, and 1.0.1.

Cisco separately also resolved a denial-of-service (DoS)
vulnerability impacting Cisco Nexus Dashboard (CVE-2023-20014[4], CVSS score: 7.5) and
two other privilege escalation and command injection flaws in Email
Security Appliance (ESA) and Secure Email and Web Manager (CVE-2023-20009 and CVE-2023-20075[5], CVSS scores: 6.5).


References

  1. CVE-2023-20032 (blog.clamav.net)
  2. said (sec.cloudapps.cisco.com)
  3. noted (sec.cloudapps.cisco.com)
  4. CVE-2023-20014 (sec.cloudapps.cisco.com)
  5. CVE-2023-20009 and CVE-2023-20075 (sec.cloudapps.cisco.com)
  6. Twitter (twitter.com)
  7. LinkedIn (www.linkedin.com)
