Critical ClamAV RCE, Remote Info Disclosure Bugs Patched: What You Need to Know

Two critical flaws were recently found in the ClamAV open-source antivirus engine that could lead to remote code execution (RCE) and remote information leakage on susceptible devices. ClamAV has now released patch versions addressing these dangerous vulnerabilities. This article will discuss the issues discovered, who is impacted, and how to protect against these bugs.
The Discovery & The Impact
The first issue found in ClamAV is an RCE vulnerability in the HFS+ file parser (CVE-2023-20032). The flaw, which received a CVSS score of 9.8 out of 10 in the National Vulnerability Database, affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. According to Cisco Talos, “This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device.” By successfully exploiting this bug, an attacker could run arbitrary code with the privileges of the ClamAV scanning process, or crash the process, resulting in a denial-of-service (DoS) condition.
The second issue discovered is a remote information leakage vulnerability in the DMG file parser (CVE-2023-20052). The bug affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Cisco Talos notes, “This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device.”
What Can I Do to Protect Against These Bugs?
ClamAV has released patch versions 0.103.8, 0.105.2 and 1.0.1, which mitigate these flaws. Fedora and Debian LTS have also issued security advisories for these vulnerabilities. ClamAV states, “All users should update as soon as possible to patch for two remote code execution vulnerabilities that we recently discovered and patched.”
The release files are available for download on ClamAV.net, on the GitHub Release page, and through Docker Hub.
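To check a host against the fixed releases listed above, the following added example (not code from ClamAV or from the original article) parses `clamscan --version` output and compares it with 0.103.8, 0.105.2 and 1.0.1. It assumes upstream version numbering and that releases after 1.0.1 carry the fixes; the function names are hypothetical, and distribution packages that backport patches under an older version number should be checked against the distro advisory instead.

```shell
#!/bin/sh
# Added example (not from ClamAV or the article): classify a ClamAV version
# against the fixed releases the article names: 0.103.8, 0.105.2, 1.0.1.

# Pull "X.Y.Z" out of `clamscan --version` output, which looks like
# "ClamAV 0.103.7/26800/Mon Feb  6 09:00:00 2023" (constructed sample).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^ClamAV \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print "patched", "affected" or "unknown" for an upstream version X.Y.Z.
clamav_status() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' ||
        { echo unknown; return 2; }
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}

    # Assumption: any release newer than 1.0.1 carries the fixes.
    if [ "$major" -gt 1 ]; then
        echo patched
    elif [ "$major" -eq 1 ] && { [ "$minor" -gt 0 ] || [ "$patch" -ge 1 ]; }; then
        echo patched
    elif [ "$major" -eq 0 ] && [ "$minor" -eq 105 ] && [ "$patch" -ge 2 ]; then
        echo patched
    elif [ "$major" -eq 0 ] && [ "$minor" -eq 103 ] && [ "$patch" -ge 8 ]; then
        echo patched
    else
        # Covers 1.0.0, 0.105.0-0.105.1, 0.103.0-0.103.7 and every other
        # older release (for example 0.104.x), which has no fixed version listed.
        echo affected
    fi
}

# Check the locally installed scanner, if there is one.
if command -v clamscan >/dev/null 2>&1; then
    installed=$(extract_version "$(clamscan --version)")
    echo "ClamAV ${installed:-?}: $(clamav_status "$installed")"
fi
```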
We urge all users to update now to protect against attacks leading to compromise and prevent unauthorized disclosure of sensitive information.