Cisco ClamAV anti-malware scanner vulnerable to serious security flaw

John Leyden 22 February 2023 at 14:23 UTC

Patches are available for a critical vulnerability in the ClamAV scanning engine that affects several Cisco products.

Critical vulnerability in ClamAV

A serious security flaw in a widely deployed open source anti-malware scanner exposes several products from Cisco, the networking vendor that maintains the project.

The vulnerability in the ClamAV scanning library, tracked as CVE-2023-20032, is rated critical for Cisco's Secure Web Appliance and for multiple versions of Cisco Secure Endpoint, including the Windows, macOS, Linux, and cloud variants.

Last week, Cisco published a security advisory describing the vulnerability and released patches for the affected products. Cisco says it is not aware of any active exploitation, but advises customers to patch promptly.

Partition scanning buffer overflow


According to Cisco's security advisory, the vulnerability in ClamAV's HFS+ partition file parser could allow an attacker to execute arbitrary code on endpoint devices or on vulnerable instances of Cisco's Secure Web Appliance.

The root cause is a missing buffer size check, which results in a heap buffer overflow write when ClamAV scans an HFS+ partition file. An attacker needs only to craft a malicious partition file and get the affected device to scan it.

“If successfully exploited, this could allow the attacker to run arbitrary code with the privileges of the ClamAV scanning process or crash it, leading to a denial of service (DoS) condition,” as stated in Cisco’s advisory.
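To make the bug class concrete, here is an added example in C, written for this page rather than taken from ClamAV, Cisco, or Google's advisory. It is a deliberately simplified partition-node reader whose header fields (node_size, block_size, block_count) and layout are hypothetical stand-ins, not the real HFS+ structures that libclamav parses. The unchecked routine shows how trusting file-supplied sizes independently turns a memcpy into a heap overflow write; the checked routine shows the size-consistency validation that closes that gap, and the sample files are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical on-disk header (constructed for this example, not the real
 * HFS+ layout). All three fields come straight from the scanned file, so each
 * one is attacker-controlled. Kept in host byte order for brevity; a real
 * parser converts explicitly from the file's endianness. */
typedef struct {
    uint32_t node_size;   /* bytes the parser allocates for one node */
    uint32_t block_size;  /* bytes copied into the node per block    */
    uint32_t block_count; /* number of blocks making up the node     */
} node_header_t;

enum { NODE_OK = 0, NODE_ERR_TRUNCATED = 1, NODE_ERR_FORMAT = 2,
       NODE_ERR_ALLOC = 3, NODE_ERR_DATA = 4 };

typedef int (*fetch_fn)(const uint8_t *, size_t, uint8_t **);

static int read_header(const uint8_t *file, size_t file_len, node_header_t *h)
{
    if (file_len < sizeof *h)
        return NODE_ERR_TRUNCATED;
    memcpy(h, file, sizeof *h);
    return NODE_OK;
}

/* Vulnerable pattern: the node buffer is sized from node_size, but the copy
 * loop trusts block_size and block_count on their own. A file declaring
 * block_size * block_count > node_size makes memcpy write past the heap
 * allocation. Shown for contrast only; never called on hostile input here. */
static int fetch_node_unchecked(const uint8_t *file, size_t file_len, uint8_t **out)
{
    node_header_t h;
    int rc = read_header(file, file_len, &h);
    if (rc != NODE_OK)
        return rc;
    uint8_t *node = malloc(h.node_size);
    if (!node)
        return NODE_ERR_ALLOC;
    size_t off = sizeof h;
    for (uint32_t i = 0; i < h.block_count; i++) {
        if (off + h.block_size > file_len) {      /* guards the read from file */
            free(node);
            return NODE_ERR_TRUNCATED;
        }
        /* BUG: nothing guards the write into node -> heap buffer overflow */
        memcpy(node + (size_t)i * h.block_size, file + off, h.block_size);
        off += h.block_size;
    }
    *out = node;
    return NODE_OK;
}

/* Hardened pattern: cross-check every declared size before allocating. */
static int fetch_node_checked(const uint8_t *file, size_t file_len, uint8_t **out)
{
    node_header_t h;
    int rc = read_header(file, file_len, &h);
    if (rc != NODE_OK)
        return rc;
    if (h.node_size == 0 || h.block_size == 0 || h.block_count == 0)
        return NODE_ERR_FORMAT;
    if (h.block_size > h.node_size)                       /* one block must fit */
        return NODE_ERR_FORMAT;
    if ((uint64_t)h.block_size * h.block_count > h.node_size) /* all blocks must fit */
        return NODE_ERR_FORMAT;
    if ((uint64_t)h.block_size * h.block_count > file_len - sizeof h)
        return NODE_ERR_TRUNCATED;                        /* file must hold them */
    uint8_t *node = calloc(1, h.node_size);
    if (!node)
        return NODE_ERR_ALLOC;
    size_t off = sizeof h;
    for (uint32_t i = 0; i < h.block_count; i++) {
        memcpy(node + (size_t)i * h.block_size, file + off, h.block_size);
        off += h.block_size;
    }
    *out = node;
    return NODE_OK;
}

/* Constructed sample: header, then block_count blocks of `fill` bytes, with
 * `truncate` bytes dropped from the end to simulate a short file. */
static uint8_t *make_sample(uint32_t node_size, uint32_t block_size, uint32_t block_count,
                            uint8_t fill, size_t truncate, size_t *len_out)
{
    size_t body = (size_t)block_size * block_count, len = sizeof(node_header_t) + body;
    uint8_t *buf = malloc(len);
    if (!buf)
        return NULL;
    node_header_t h = { node_size, block_size, block_count };
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, fill, body);
    *len_out = truncate < len ? len - truncate : 0;
    return buf;
}

/* Run one fetch routine over a constructed sample and return its status,
 * verifying the copied bytes when the parse succeeds. */
static int check_sample(fetch_fn fetch, uint32_t node_size, uint32_t block_size,
                        uint32_t block_count, size_t truncate)
{
    size_t len = 0, body = (size_t)block_size * block_count;
    uint8_t *file = make_sample(node_size, block_size, block_count, 0x41, truncate, &len);
    if (!file)
        return NODE_ERR_ALLOC;
    uint8_t *node = NULL;
    int rc = fetch(file, len, &node);
    if (rc == NODE_OK) {
        if (body == 0 || node[0] != 0x41 || node[body - 1] != 0x41)
            rc = NODE_ERR_DATA;
        free(node);
    }
    free(file);
    return rc;
}

int main(void)
{
    printf("well-formed, unchecked: %d\n", check_sample(fetch_node_unchecked, 64, 32, 2, 0));
    printf("well-formed, checked:   %d\n", check_sample(fetch_node_checked, 64, 32, 2, 0));
    printf("block > node, checked:  %d\n", check_sample(fetch_node_checked, 16, 64, 1, 0));
    printf("blocks > node, checked: %d\n", check_sample(fetch_node_checked, 64, 32, 3, 0));
    printf("truncated, checked:     %d\n", check_sample(fetch_node_checked, 64, 32, 2, 10));
    return 0;
}
```

The design point is that the unchecked routine does validate something (it refuses to read past the end of the file), which is exactly why this bug class survives review: the read side is guarded, the write side is not. The checked routine validates the declared sizes against each other before any allocation, uses 64-bit arithmetic so the product cannot wrap, and only then touches the heap.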

Application of the Technology

ClamAV (Clam AntiVirus) is a free, open source anti-malware toolkit originally written for Unix systems. It came under Cisco's stewardship a decade ago, through Cisco's 2013 acquisition of Sourcefire, and has since been ported to Linux, macOS, and Windows.

It is most commonly deployed on mail servers, where it acts as a server-side malware scanner for incoming email.

Cisco has, however, confirmed that its Secure Email Gateway and Secure Email and Web Manager appliances are not affected by this particular issue.

Who Ensures the Safety of Security Tools?

A vulnerability in a security utility that lets an attacker gain access to the devices it protects is a reminder that security tools, which by design parse untrusted input with elevated privileges, can themselves enlarge the attack surface.

The flaw in ClamAV's HFS+ partition file parser, together with a less severe remote information-leak vulnerability (CVE-2023-20052) in the same project's DMG file parser, was discovered by Google engineer Simon Scannell, who reported both issues to Cisco in August 2022.

A GitHub advisory from Google provides a comprehensive technical overview of the more severe CVE-2023-20032 vulnerability and its possible exploitation scenarios.

“We classify this vulnerability as high severity since the buffer overflow can be triggered when scanning with CL_SCAN_ARCHIVE enabled, which is typically the default setting in most configurations.

“This feature is generally used to scan incoming emails on backend mail servers, allowing a remote, external, unauthenticated attacker to exploit this vulnerability,” the Google advisory elaborates.

A technical blog post from German cybersecurity firm ONEKEY concludes that the two ClamAV vulnerabilities illustrate how difficult it is to parse complex file formats safely.


Based on an article from PortSwigger's The Daily Swig: https://portswigger.net/daily-swig/cisco-clamav-anti-malware-scanner-vulnerable-to-serious-security-flaw
