Cisco ClamAV anti-malware scanner vulnerable to serious security flaw

John Leyden 22 February 2023 at 14:23 UTC

Cisco has released patches for a critical vulnerability in the ClamAV anti-malware library that affects several of its security products.


A significant security flaw found in a popular anti-malware scanning tool has posed serious risks to products from the networking giant Cisco.

The flaw, found in the ClamAV library and tracked as CVE-2023-20032, poses a severe threat to Cisco’s Secure Web Appliance and to several versions of Cisco Secure Endpoint, including the Windows, macOS, Linux, and cloud deployments.

Cisco published an advisory last week describing the vulnerability and providing patches for the affected products. No exploitation in the wild has been reported so far, but applying the patches is strongly advised.

Partition Scanning Buffer Overflow


According to Cisco’s security advisory, the flaw in ClamAV’s HFS+ partition file parser could allow an attacker to run code on affected endpoint devices or on vulnerable instances of Cisco’s Secure Web Appliance.

The vulnerability stems from a missing buffer size check, which can lead to a heap buffer overflow when ClamAV scans an HFS+ partition file. An attacker could craft a malicious partition file and submit it to be scanned by ClamAV on an affected device.

“An effective exploit could provide the attacker the means to execute arbitrary code with the privileges of the ClamAV scanning process or crash the process, leading to a denial of service (DoS) scenario,” Cisco’s advisory explains.
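To illustrate the bug class behind this advisory, here is an added example written for this article: a minimal C parser for an invented partition image format, shown in a vulnerable form beside its hardened form. It is not ClamAV’s HFS+ parser, and the format (a 4-byte magic, a 2-byte big-endian node size, then node data), the 512-byte buffer, and the function names are all assumptions made for the illustration. The vulnerable version checks the size field declared in the file only against the input length, so a crafted header drives a memcpy past a fixed heap allocation; the hardened version also checks that size against the destination buffer before allocating or copying, and fails closed.

```c
/* Added illustration of a heap buffer overflow caused by a missing buffer
 * size check in a partition-image parser. This is NOT ClamAV's HFS+ code;
 * the image format, buffer size and function names are invented here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IMG_MAGIC      "PRTN"   /* invented magic for this example's partition image */
#define IMG_HDR_LEN    6u       /* 4-byte magic + 2-byte big-endian node_size */
#define NODE_BUF_SIZE  512u     /* fixed heap buffer the scanner copies one node into */

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_MAGIC = -1,
    PARSE_TRUNCATED = -2,
    PARSE_NODE_TOO_BIG = -3
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Stand-in for "scanning" a node: XOR the bytes so the copied data is used. */
static uint8_t scan_node(const uint8_t *node, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc ^= node[i];
    return acc;
}

/* "Before": node_size is validated only against the input length, never
 * against the 512-byte destination, so a header declaring 0xFFFF bytes
 * writes far past the heap allocation. Never call this on untrusted data;
 * it is kept here only for contrast with the hardened version below. */
int parse_node_vulnerable(const uint8_t *img, size_t len)
{
    if (len < IMG_HDR_LEN || memcmp(img, IMG_MAGIC, 4) != 0) return PARSE_BAD_MAGIC;
    uint16_t node_size = be16(img + 4);
    if (len - IMG_HDR_LEN < node_size) return PARSE_TRUNCATED;
    uint8_t *node = malloc(NODE_BUF_SIZE);
    if (!node) return PARSE_TRUNCATED;
    memcpy(node, img + IMG_HDR_LEN, node_size);   /* heap overflow when node_size > 512 */
    (void)scan_node(node, node_size);
    free(node);
    return PARSE_OK;
}

/* "After": the attacker-controlled size is checked against the destination
 * buffer before any allocation or copy, and the file is rejected if too big. */
int parse_node_hardened(const uint8_t *img, size_t len)
{
    if (len < IMG_HDR_LEN || memcmp(img, IMG_MAGIC, 4) != 0) return PARSE_BAD_MAGIC;
    uint16_t node_size = be16(img + 4);
    if (node_size > NODE_BUF_SIZE) return PARSE_NODE_TOO_BIG;   /* the missing check */
    if (len - IMG_HDR_LEN < node_size) return PARSE_TRUNCATED;
    uint8_t *node = malloc(NODE_BUF_SIZE);
    if (!node) return PARSE_TRUNCATED;
    memcpy(node, img + IMG_HDR_LEN, node_size);
    (void)scan_node(node, node_size);
    free(node);
    return PARSE_OK;
}

/* Builds a constructed sample image: the header declares `declared` bytes and
 * `payload` bytes of 0x41 actually follow. Returns the total image length. */
size_t build_image(uint8_t *buf, size_t cap, uint16_t declared, size_t payload)
{
    if (cap < IMG_HDR_LEN + payload) return 0;
    memcpy(buf, IMG_MAGIC, 4);
    buf[4] = (uint8_t)(declared >> 8);
    buf[5] = (uint8_t)(declared & 0xff);
    memset(buf + IMG_HDR_LEN, 0x41, payload);
    return IMG_HDR_LEN + payload;
}

/* Convenience wrapper: build a sample image and run the chosen parser on it. */
int run_parser(int use_hardened, uint16_t declared, size_t payload)
{
    static uint8_t img[70000];
    size_t n = build_image(img, sizeof img, declared, payload);
    return use_hardened ? parse_node_hardened(img, n) : parse_node_vulnerable(img, n);
}

int main(void)
{
    printf("benign  vulnerable=%d hardened=%d\n",
           run_parser(0, 200, 200), run_parser(1, 200, 200));
    /* The crafted image is deliberately fed only to the hardened parser. */
    printf("crafted hardened=%d (vulnerable parser would overflow its 512-byte buffer)\n",
           run_parser(1, 0xFFFF, 0xFFFF));
    return 0;
}
```

Compiling with `-fsanitize=address` and passing the crafted image to `parse_node_vulnerable` makes the overflow visible as a heap-buffer-overflow report; the demo above only runs the hardened parser on that input. The fix is the single comparison against the destination size placed before the allocation, which is the kind of check the advisory describes as missing.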

Application Scenario

ClamAV, or Clam AntiVirus, is a free software toolkit designed for anti-malware purposes, initially developed for Unix. Cisco acquired this technology about a decade ago, and it has since been adapted for various operating systems, including Linux, macOS, and Windows.

One of the primary applications of ClamAV is serving as a server-side malware scanner for email systems.

However, Cisco has confirmed that its Secure Email Gateway and Secure Email and Web Manager appliances are unaffected by this specific security issue.

Oversight in Security

A weakness in a security tool that could hand an attacker control of the devices it protects is a reminder that products meant to improve security can also expand the attack surface available to attackers.

The ClamAV flaw in the HFS+ partition file parser, along with a related remote information leak vulnerability (CVE-2023-20052) in the DMG file parser, was discovered by Google engineer Simon Scannell, who reported both issues to Cisco in August.

A comprehensive technical advisory by Google, made available on GitHub, elaborates on the more severe CVE-2023-20032 vulnerability and its possible exploitation.

“We classify this vulnerability as high severity since the buffer overflow can be triggered when running a scan with CL_SCAN_ARCHIVE enabled, which is typically set by default in most configurations.

“This feature is usually employed to scan incoming emails on the backend of mail servers. Therefore, an external, unauthenticated attacker might exploit this vulnerability,” the Google advisory notes.

A recent technical blog post by German cybersecurity firm ONEKEY argues that these two ClamAV weaknesses illustrate how difficult it is to parse file formats safely.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/cisco-clamav-anti-malware-scanner-vulnerable-to-serious-security-flaw
