Cisco ClamAV anti-malware scanner vulnerable to serious security flaw

John Leyden 22 February 2023 at 14:23 UTC

A patch has been released addressing a significant vulnerability that could endanger several technologies.


A security vulnerability in a bundled anti-malware scanning product has created a serious risk for various Cisco products. Specifically, a vulnerability in the ClamAV scanning library (identified as CVE-2023-20032) poses a significant security threat to Cisco’s Secure Web Appliance and various iterations of Cisco Secure Endpoint across Windows, macOS, Linux, and cloud environments.

Last week, Cisco issued an advisory concerning this vulnerability and released patches for impacted products. Although there have been no active attacks exploiting this vulnerability, it is still advisable to apply the patches.

The buffer overflow in the partition file scanner is regarded as highly critical for the affected products.


According to Cisco’s security advisory, the vulnerability in ClamAV’s HFS+ partition file parser could allow an attacker to run malicious code on affected endpoint devices or on Cisco’s Secure Web Appliance.

This issue originates from a missing buffer size check, resulting in a heap buffer overflow while an HFS+ partition file is being scanned. An attacker could exploit it by submitting a crafted HFS+ partition file for ClamAV to scan.

A successful exploitation could allow attackers to execute arbitrary code with the privileges of the ClamAV scanning process or crash the process, leading to a denial of service (DoS) situation, as explained in Cisco’s advisory.
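The bug class the advisory describes, as an added illustration that is not ClamAV’s own HFS+ parser: a constructed node parser that trusts a length field read from the file. `parse_node_unchecked` has the shape of a missing buffer-size check, `parse_node_checked` adds the one comparison that closes it, and `scan_constructed_record` builds a sample record to exercise the hardened version (all names, the 64-byte node size and the record layout are assumptions made for this illustration).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NODE_SIZE 64  /* fixed heap buffer the parser allocates per node */

/* HFS+ on-disk fields are big-endian; read one 32-bit length field. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable shape: the file-supplied length is checked against the input
 * size only, never against the heap buffer it is copied into. */
int parse_node_unchecked(const uint8_t *file, size_t file_len, uint8_t **out) {
    if (file_len < 4) return -1;
    uint32_t n = be32(file);
    if (file_len - 4 < n) return -1;
    *out = malloc(NODE_SIZE);
    if (!*out) return -1;
    memcpy(*out, file + 4, n);  /* heap overflow when n > NODE_SIZE */
    return (int)n;
}

/* Hardened: identical except for the buffer-size check the bug lacked. */
int parse_node_checked(const uint8_t *file, size_t file_len, uint8_t **out) {
    if (file_len < 4) return -1;
    uint32_t n = be32(file);
    if (file_len - 4 < n) return -1;
    if (n > NODE_SIZE) return -1;  /* reject before the copy */
    *out = malloc(NODE_SIZE);
    if (!*out) return -1;
    memcpy(*out, file + 4, n);
    return (int)n;
}

/* Constructed test record: 4-byte length header plus n filler bytes, fed to
 * the hardened parser. Returns its result, -2 if n exceeds the scratch space. */
int scan_constructed_record(uint32_t n) {
    uint8_t buf[256];
    if ((size_t)n + 4 > sizeof buf) return -2;
    buf[0] = (uint8_t)(n >> 24); buf[1] = (uint8_t)(n >> 16);
    buf[2] = (uint8_t)(n >> 8);  buf[3] = (uint8_t)n;
    memset(buf + 4, 'A', n);
    uint8_t *node = NULL;
    int rc = parse_node_checked(buf, (size_t)n + 4, &node);
    free(node);
    return rc;
}
```

A record whose header claims more than `NODE_SIZE` bytes is rejected by the hardened parser before any allocation, whereas the unchecked version would copy it straight past the end of the heap buffer.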

Use case

ClamAV (Clam AntiVirus) is an open-source anti-malware toolkit originally designed for Unix. Acquired by Cisco a decade ago, it has been adapted to operate on multiple platforms including Linux, macOS, and Windows.

One of its main deployments is on mail servers, where it acts as a server-side scanner for malware in email.

However, Cisco has confirmed that neither its Secure Email Gateway nor its Secure Email and Web Manager appliances are affected by this vulnerability.

Who protects the protectors?

Any flaw in a security utility that could let attackers compromise the devices it runs on underscores how tools meant to enhance security can themselves expand the attack surface available to malicious actors.

The security flaw in ClamAV’s HFS+ partition file parser, combined with a lesser remote information leak vulnerability (tracked as CVE-2023-20052) in the DMG file parser, was identified by Google engineer Simon Scannell. Google alerted Cisco regarding the security vulnerabilities present in ClamAV last August.

A detailed advisory by Google, available on GitHub, provides comprehensive technical insights into the critical CVE-2023-20032 vulnerability and how it may be exploited.

“The vulnerability is rated high severity since the buffer overflow can be activated when a scan is performed with CL_SCAN_ARCHIVE enabled, which is typically turned on by default in most setups.

“This feature is mainly used for scanning incoming emails on the backend of mail servers, allowing unauthorized external attackers to trigger this vulnerability,” Cisco’s advisory clarifies.

A technical blog post by the German cybersecurity firm ONEKEY concludes that the two flaws within ClamAV demonstrate the complexities and challenges involved in file format parsing.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/cisco-clamav-anti-malware-scanner-vulnerable-to-serious-security-flaw
