RCE vulnerability found in ClamAV open-source antivirus software
A critical Remote Code Execution (RCE) vulnerability in a popular software library used by a wide range of applications has been discovered by researchers. The CVE-2023-20032 vulnerability (CVSS score: 9.8) exists in the HFS+ partition file parser of various versions of ClamAV, a free cross-platform antimalware toolkit maintained by Cisco Talos. Neither of the two flaws disclosed is known to be actively exploited.
“This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition,” Cisco explained.
The root cause is a missing buffer size check in the HFS+ file parser component, which allows a heap buffer overflow write that can be leveraged for remote code execution. Versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier are all affected. The bug was discovered and reported by Google security engineer Simon Scannell.
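As an added illustration of the bug class described above (constructed example code, not ClamAV's HFS+ parser; the record layout, function names and sample records are invented for the demonstration), the following C shows a length-driven copy that omits the buffer size check beside a hardened version that validates the file-supplied length against both the bytes actually present in the input and the destination heap buffer's capacity before copying:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (not HFS+): a 4-byte big-endian length field
 * followed by that many payload bytes. Both parsers copy the payload into a
 * caller-supplied heap buffer of out_cap bytes. */

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the length comes from the untrusted file and is used as
 * the copy size without ever being compared to out_cap (or to in_len). A
 * record declaring more bytes than out_cap writes past the heap buffer; one
 * declaring more than the input holds reads past it. It is here only to show
 * what the missing check looks like; it must never see untrusted input. */
static long parse_record_vulnerable(const uint8_t *in, size_t in_len,
                                    uint8_t *out, size_t out_cap) {
    (void)out_cap;                       /* capacity ignored: this is the bug */
    if (in_len < 4) return -1;
    uint32_t declared = read_be32(in);
    memcpy(out, in + 4, declared);       /* size taken straight from the file */
    return (long)declared;
}

/* Hardened version: every length taken from the file is checked against the
 * bytes actually present and against the destination capacity before any
 * copy happens. Returns bytes copied, or -1 if the record is malformed. */
static long parse_record_hardened(const uint8_t *in, size_t in_len,
                                  uint8_t *out, size_t out_cap) {
    if (in == NULL || out == NULL) return -1;
    if (in_len < 4) return -1;               /* truncated header */
    uint32_t declared = read_be32(in);
    if (declared > in_len - 4) return -1;    /* would read past the input (in_len >= 4, no underflow) */
    if (declared > out_cap) return -1;       /* would write past the heap buffer: the missing check */
    memcpy(out, in + 4, declared);
    return (long)declared;
}

/* Build a constructed record: the header declares `declared` bytes, and
 * `payload_len` bytes of 'A' actually follow. Returns total record size. */
static size_t make_record(uint8_t *buf, uint32_t declared, size_t payload_len) {
    buf[0] = (uint8_t)(declared >> 24);
    buf[1] = (uint8_t)(declared >> 16);
    buf[2] = (uint8_t)(declared >> 8);
    buf[3] = (uint8_t)declared;
    memset(buf + 4, 'A', payload_len);
    return 4 + payload_len;
}

/* Run the hardened parser on a constructed record and return its verdict
 * (bytes copied, -1 rejected, -2 demo parameters out of range). */
long hardened_verdict(uint32_t declared, size_t payload_len, size_t out_cap) {
    uint8_t in[256];
    if (payload_len > sizeof in - 4 || out_cap > 4096) return -2;
    size_t in_len = make_record(in, declared, payload_len);
    uint8_t *out = malloc(out_cap ? out_cap : 1);
    if (out == NULL) return -2;
    long r = parse_record_hardened(in, in_len, out, out_cap);
    free(out);
    return r;
}

/* The vulnerable parser on a well-formed record: it behaves correctly, which
 * is why a missing bounds check survives ordinary functional testing. */
long vulnerable_verdict_benign(void) {
    uint8_t in[256];
    size_t in_len = make_record(in, 5, 5);
    uint8_t *out = malloc(64);
    if (out == NULL) return -2;
    long r = parse_record_vulnerable(in, in_len, out, 64);
    free(out);
    return r;
}

int main(void) {
    printf("benign record, vulnerable parser : %ld\n", vulnerable_verdict_benign());
    printf("benign record, hardened parser   : %ld\n", hardened_verdict(5, 5, 64));
    printf("declares 80, buffer is 64        : %ld\n", hardened_verdict(80, 80, 64));
    printf("declares 40, only 10 present     : %ld\n", hardened_verdict(40, 10, 64));
    return 0;
}
```

The hardened parser rejects the two malformed shapes a fuzzer would find first: a length that fits the input but exceeds the destination (the heap overflow write) and a length that exceeds the input itself (an over-read). Checking against `in_len - 4` only after confirming `in_len >= 4` avoids the unsigned underflow that would otherwise make the first check pass.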
To exploit it, attackers must first obtain valid user credentials, but once they do, they can use the flaws to elevate their privileges to root and execute arbitrary commands on an affected device. A proof-of-concept exploit exists for both flaws, though it is unclear whether it has been released publicly.
The other flaw, CVE-2023-20052 (CVSS score of 5.3), is an XML external entity (XXE) injection that can be triggered by submitting crafted DMG files for scanning, resulting in bytes leakage from files read by ClamAV. Affected Cisco products include Secure Endpoint (formerly Advanced Malware Protection, AMP), Secure Endpoint Private Cloud, and Secure Web Appliance (formerly Web Security Appliance).
Secure Email Gateway (formerly Email Security Appliance) and Secure Email and Web Manager (formerly Security Management Appliance) products are not affected by the vulnerability.
Cisco has since issued updates that address the vulnerability, as well as patches for high-severity issues in Nexus Dashboard software and Secure Email Gateway.
The sources for this piece include an article in TheHackerNews.