
ClamAV Open-Source Antivirus Software at Risk Due to Critical RCE Vulnerability

ClamAV, the open-source antivirus engine maintained by Cisco Talos, has been found to contain a critical remote code execution vulnerability in one of its file parsers.

The flaw was discovered by Google security engineer Simon Scannell and is tracked as CVE-2023-20032, with a CVSS score of 9.8 (critical). It is located in the HFS+ file parser and affects all three supported release branches: 0.103.7 and earlier, 0.105.1 and earlier, and 1.0.0. Cisco, which maintains ClamAV through its Talos group, has released fixed versions.

According to Cisco Talos, the flaw is a missing buffer size check that can result in a heap buffer overflow write. An attacker exploits it by getting a crafted HFS+ partition file scanned by a vulnerable ClamAV instance; no authentication is needed, only a path that feeds untrusted content into the scanner, such as a mail gateway, a file-upload scanner or an on-access scan of a downloaded file. A successful exploit lets the adversary run arbitrary code with the privileges of the ClamAV scanning process (whatever user clamd or clamscan runs as on that host), or crash the process for a denial-of-service (DoS) condition.
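The missing-check pattern described above, as an added illustration that is not taken from ClamAV's HFS+ parser or from Cisco's fix: a parser reads a record length from the file and copies that many bytes into a fixed-size heap buffer, once without any check and once with the checks a reviewer would insist on. The record layout (4-byte big-endian length plus payload), the buffer size, the filler bytes and the sentinel word are all constructed for this demonstration; the sentinel stands in for whatever object or allocator metadata follows the buffer on a real heap.

```c
/*
 * Illustration of a length-driven heap buffer overflow in a file-format
 * parser, next to the bounds check that prevents it. Constructed example:
 * this is NOT ClamAV's HFS+ parser and NOT the CVE-2023-20032 patch; the
 * record layout (4-byte big-endian length + payload) is invented here.
 */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NODE_BUF_SIZE 64u          /* logical size of the parser's heap buffer */
#define SENTINEL      0xA5A5A5A5u  /* models whatever sits after it on the heap */

typedef struct { const uint8_t *data; size_t len; } input_t;

/* Heap buffer: NODE_BUF_SIZE bytes of node data followed by a sentinel word
 * that stands in for the neighbouring heap object or allocator metadata. */
typedef struct { uint8_t *mem; } node_buf_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static node_buf_t node_buf_new(void) {
    node_buf_t nb;
    uint32_t s = SENTINEL;
    nb.mem = calloc(1, NODE_BUF_SIZE + sizeof s);
    assert(nb.mem != NULL);
    memcpy(nb.mem + NODE_BUF_SIZE, &s, sizeof s);
    return nb;
}

static int node_buf_sentinel_intact(const node_buf_t *nb) {
    uint32_t s;
    memcpy(&s, nb->mem + NODE_BUF_SIZE, sizeof s);
    return s == SENTINEL;
}

/* VULNERABLE: the copy length comes straight from the file. A record that
 * declares more than NODE_BUF_SIZE bytes makes memcpy write past the buffer. */
static int parse_node_vulnerable(const input_t *in, node_buf_t *nb, size_t *copied) {
    if (in->len < 4) return -1;
    uint32_t rec_len = be32(in->data);
    /* BUG: rec_len is never compared with NODE_BUF_SIZE or with in->len. */
    memcpy(nb->mem, in->data + 4, rec_len);
    *copied = rec_len;
    return 0;
}

/* HARDENED: reject records that do not fit the destination buffer or that
 * claim more payload than the input actually contains. */
static int parse_node_checked(const input_t *in, node_buf_t *nb, size_t *copied) {
    if (in->len < 4) return -1;
    uint32_t rec_len = be32(in->data);
    if (rec_len > NODE_BUF_SIZE) return -2;   /* would overflow the heap buffer */
    if (rec_len > in->len - 4) return -3;     /* would read past the input */
    memcpy(nb->mem, in->data + 4, rec_len);
    *copied = rec_len;
    return 0;
}

/* Build a constructed record with a declared length and payload_len bytes of
 * filler actually present after the header; returns the total record size. */
static size_t build_record(uint8_t *out, size_t outsz, uint32_t declared, size_t payload_len) {
    assert(outsz >= 4 + payload_len);
    out[0] = (uint8_t)(declared >> 24); out[1] = (uint8_t)(declared >> 16);
    out[2] = (uint8_t)(declared >> 8);  out[3] = (uint8_t)declared;
    memset(out + 4, 'A', payload_len);
    return 4 + payload_len;
}

/* Feed one record to a parser and report the outcome:
 *   0  parsed, neighbouring heap data untouched
 *   1  parsed, but the sentinel was overwritten (heap overflow occurred)
 *  <0  parser rejected the record (the checked parser's error code) */
static int run_case(int (*parser)(const input_t *, node_buf_t *, size_t *),
                    uint32_t declared, size_t payload_len) {
    uint8_t raw[4 + 256];
    input_t in = { raw, build_record(raw, sizeof raw, declared, payload_len) };
    node_buf_t nb = node_buf_new();
    size_t copied = 0;
    int rc = parser(&in, &nb, &copied);
    int result = (rc < 0) ? rc : (node_buf_sentinel_intact(&nb) ? 0 : 1);
    free(nb.mem);
    return result;
}

int main(void) {
    printf("benign 32-byte record, vulnerable parser:  %d\n", run_case(parse_node_vulnerable, 32, 32));
    printf("crafted 68-byte record, vulnerable parser: %d (1 = overflow)\n", run_case(parse_node_vulnerable, 68, 68));
    printf("crafted 68-byte record, checked parser:    %d (-2 = rejected)\n", run_case(parse_node_checked, 68, 68));
    printf("truncated record (claims 60, has 16), checked parser: %d (-3 = rejected)\n", run_case(parse_node_checked, 60, 16));
    return 0;
}
```

The crafted record fits inside the test's own allocation on purpose, so the overflow shows up as a clobbered sentinel rather than as a crash, and AddressSanitizer stays silent on this model. In a real parser the same write lands in a neighbouring heap chunk, which is exactly what an ASan build, or a fuzzing harness over the parser, catches; the second check (declared length against remaining input) is what stops the matching out-of-bounds read.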

Cisco confirmed that several of its products, such as Secure Endpoint, Secure Endpoint Private Cloud, and Secure Web Appliance, were vulnerable to the flaw. However, the vulnerability does not impact Secure Email Gateway and Secure Email and Web Manager products.

Cisco has also patched a second vulnerability, this time in ClamAV's DMG file parser, tracked as CVE-2023-20052, which an unauthenticated, remote attacker could exploit. DMG images embed an XML property list, and the parser handled it with XML entity substitution enabled, which allows XML external entity (XXE) injection. An attacker exploits it by submitting a crafted DMG file to be scanned by ClamAV on an affected device; a successful exploit can leak bytes from any file the ClamAV scanning process is able to read.

CVE-2023-20052 does not affect Cisco Secure Web Appliance. Both vulnerabilities are fixed in ClamAV 0.103.8, 0.105.2 and 1.0.1. Note that the fix requires upgrading the engine itself: freshclam only refreshes the signature databases and does not replace libclamav, so a host can be fully up to date on signatures and still run a vulnerable parser. Check the installed engine version with clamscan --version before and after the upgrade.

In addition to the above, Cisco has resolved a denial-of-service (DoS) vulnerability impacting Cisco Nexus Dashboard (CVE-2023-20014, CVSS score: 7.5), as well as two privilege escalation and command injection flaws in Email Security Appliance (ESA) and Secure Email and Web Manager (CVE-2023-20009 and CVE-2023-20075, CVSS scores: 6.5).
