Cisco fixed critical RCE bug in ClamAV Open-Source Antivirus engine

Cisco addressed a critical vulnerability in the ClamAV open source antivirus engine that can lead to remote code execution on vulnerable devices.

Cisco fixed a critical flaw, tracked as CVE-2023-20032 (CVSS score: 9.8), in the ClamAV open source antivirus engine. The vulnerability resides in the residing in the HFS+ file parser component, an attacker can trigger the issue to gain remote code execution on vulnerable devices or trigger a DoS condition.

Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser.

The vulnerability affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. The company acknowledged Simon Scannell from Google for reporting this issue.

The vulnerability is a buffer overflow issue affecting the ClamAV scanning library, it is due to a missing buffer size check.

“This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device.” reads the advisory published by Cisco. “A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition.”

The vulnerability affects the following products:

Cisco Product	Cisco Bug ID	Fixed Release Availability
Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints, for Linux	CSCwd74133	1.20.2¹
Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints, for MacOS	CSCwd74134	1.21.1¹
Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints, for Windows	CSCwd74135	7.5.9 ¹ 8.1.5
Secure Endpoint Private Cloud	CSCwe18204	3.6.0 or later with updated connectors²
Secure Web Appliance, formerly Web Security Appliance	CSCwd74132	14.0.4-005 15.0.0-254

Secure Email Gateway, formerly Email Security Appliance, and Secure Email and Web Manager, formerly Security Management Appliance, are not impacted.

The IT giant says that there is not workaround for this vulnerability, the good news is that the company Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting this vulnerability.

Cisco also addressed another vulnerability, tracked as CVE-2023-20052, in the ClamAV engine. The flaw is a possible remote information leak vulnerability in the DMG file parser.

The vulnerability affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.

“This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device.” reads the advisory. “A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ClamAV)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.