
A Major Remote Code Execution Vulnerability Has Been Found in ClamAV Open Source Antivirus Software, Exposing Users to Unforeseen Security Risks.

Updated Fri, April 14, 2023 4:43 EST

Cisco has released fixes to protect its customers from a critical security flaw uncovered in the open-source antivirus engine ClamAV. Tracked as CVE-2023-20032 (CVSS score: 9.8), the vulnerability could allow malicious actors to execute arbitrary code on vulnerable devices by exploiting a bug in the HFS+ file parser component.

The flaw affects ClamAV versions 1.0.0 and prior, 0.105.1 and earlier, and 0.103.7 and earlier, and was discovered by Google Security Engineering's Simon Scannell. "This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write," Cisco Talos said in an advisory. "An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device."

By exploiting the vulnerability, an attacker could gain control of the system with the same privileges as the ClamAV scanning process, or crash that process, resulting in a denial-of-service (DoS) condition.
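The advisory attributes the bug to a missing buffer size check when a crafted partition image is parsed. The following is an added illustration, not ClamAV's HFS+ code, of the kind of check a parser needs before copying a variable-length record into a fixed-size buffer: the record format (a 16-bit big-endian length followed by payload), the buffer size and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout: 2-byte big-endian length, then that many
 * bytes of name payload. Loosely modelled on variable-length on-disk
 * records; it is not the real HFS+ structure. */
#define NAME_BUF_SIZE 32

/* Copy the record's name into a fixed-size caller buffer.
 * Returns 0 on success, -1 on malformed input. The two length checks are
 * the kind of validation whose absence the advisory describes: without
 * them an attacker-chosen length drives memcpy past the end of `out`. */
int parse_record_name(const uint8_t *rec, size_t rec_len,
                      char *out, size_t out_size)
{
    if (rec_len < 2)
        return -1;                              /* header must be present */

    size_t name_len = ((size_t)rec[0] << 8) | rec[1];

    if (name_len >= out_size)                   /* must fit, plus terminator */
        return -1;
    if (name_len > rec_len - 2)                 /* must not run past input */
        return -1;

    memcpy(out, rec + 2, name_len);
    out[name_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed record, one whose declared length
     * exceeds the destination buffer, and one truncated mid-payload. */
    const uint8_t good[]      = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t oversize[]  = {0xFF, 0xFF, 'x'};
    const uint8_t truncated[] = {0x00, 0x10, 'a', 'b'};
    char name[NAME_BUF_SIZE];

    printf("good:      %d (%s)\n",
           parse_record_name(good, sizeof good, name, sizeof name), name);
    printf("oversize:  %d\n",
           parse_record_name(oversize, sizeof oversize, name, sizeof name));
    printf("truncated: %d\n",
           parse_record_name(truncated, sizeof truncated, name, sizeof name));
    return 0;
}
```

Both rejections matter: the first keeps the write inside the destination allocation, the second keeps the read inside the file data actually loaded, so neither a huge declared length nor a short file can move the parser off its buffers.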

According to the networking equipment maker, the following products are affected:

  • Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints (Windows, macOS, and Linux)
  • Secure Endpoint Private Cloud, and
  • Secure Web Appliance, formerly Web Security Appliance

Cisco further stated that the vulnerability does not affect the Secure Email Gateway (formerly Email Security Appliance) and Secure Email and Web Manager (formerly Security Management Appliance) products.

Cisco also issued a patch for a remote information leak vulnerability (CVE-2023-20052, CVSS score: 5.3) in ClamAV's DMG file parser that could be exploited by an unauthenticated, remote attacker. "This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection," Cisco noted. "An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device."

CVE-2023-20052 does not affect Cisco Secure Web Appliance. Both vulnerabilities were fixed in ClamAV versions 0.103.8, 0.105.2 and 1.0.1. Separately, Cisco also resolved a denial-of-service (DoS) vulnerability affecting Nexus Dashboard (CVE-2023-20014, CVSS score: 7).
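For administrators checking their own fleet, the useful question is whether an installed build sits below the fixed release on its branch (0.103.8, 0.105.2 or 1.0.1). The following is an added example, not code from Cisco or the ClamAV project, that parses the leading `ClamAV X.Y.Z` of a `clamscan --version` line and applies that rule. The sample lines are constructed, and treating branches not named in the advisory (such as 0.104.x) by comparing them against 1.0.1 is this example's assumption.

```c
#include <stdio.h>
#include <string.h>

struct clam_version { int major, minor, patch; };

/* Parse "ClamAV X.Y.Z" from the start of a version line.
 * Returns 1 on success, 0 if the line does not match. */
int parse_clamav_version(const char *line, struct clam_version *v)
{
    return sscanf(line, "ClamAV %d.%d.%d",
                  &v->major, &v->minor, &v->patch) == 3;
}

/* Ordered comparison: negative if a < b, zero if equal, positive if a > b. */
static int version_cmp(struct clam_version a, struct clam_version b)
{
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* Fixed releases named in the advisory. A build is affected when it is
 * older than the fix on its own branch. Branches without a listed fix are
 * compared against 1.0.1 (assumption of this example): anything older is
 * treated as affected, anything newer as fixed. */
int clamav_is_affected(struct clam_version v)
{
    static const struct clam_version fixed[] = {
        {0, 103, 8}, {0, 105, 2}, {1, 0, 1},
    };
    size_t n = sizeof fixed / sizeof fixed[0];

    for (size_t i = 0; i < n; i++) {
        if (fixed[i].major == v.major && fixed[i].minor == v.minor)
            return version_cmp(v, fixed[i]) < 0;
    }
    return version_cmp(v, fixed[n - 1]) < 0;
}

/* Convenience wrapper: 1 = affected, 0 = fixed, -1 = unparseable line. */
int clamav_line_is_affected(const char *line)
{
    struct clam_version v;
    if (!parse_clamav_version(line, &v))
        return -1;
    return clamav_is_affected(v);
}

int main(void)
{
    /* Constructed lines in the shape clamscan --version prints. */
    const char *samples[] = {
        "ClamAV 0.103.7/26800/Tue Feb 14 08:03:19 2023",
        "ClamAV 0.105.1",
        "ClamAV 1.0.0",
        "ClamAV 1.0.1",
        "not a clamav version line",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48s -> %d\n", samples[i], clamav_line_is_affected(samples[i]));
    return 0;
}
```

Feed it the output of `clamscan --version` on each host (or the version string reported by the Cisco product) and treat a result of 1 as a host still waiting for the 0.103.8, 0.105.2 or 1.0.1 update.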
