ClamAV Bugs Expose Users to Command Injection (CVE-2024-20328) and DoS Attacks (CVE-2024-20290)

Recently, Cisco revealed critical vulnerabilities lurking within ClamAV, a widely used open-source antivirus engine. With the potential to wreak havoc across endpoints, cloud services, and web security infrastructure, these vulnerabilities demand immediate attention and action.

ClamAV, celebrated for its versatility and reliability, stands as a stalwart defender in the realm of cybersecurity. Employed in various scenarios, from email and web scanning to endpoint security, its arsenal of utilities includes a potent multi-threaded daemon, a command-line scanner, and an automated database update tool. However, beneath its protective veneer lies a vulnerability that threatens to compromise the integrity of systems worldwide.

CVE-2024-20328 &

On February 7th, ClamAV’s developers issued critical patches addressing two vulnerabilities within the library, one of which poses the gravest risk: a command injection vulnerability designated as CVE-2024-20328. Nestled within ClamAV’s ClamD service, this flaw casts a shadow over versions ranging from 0.104 to 1.2.1, presenting a pathway for remote code execution.

The exploit hinges on the “VirusEvent” feature, where an attacker could manipulate the ‘%f’ format string parameter to inject malicious commands. To counter this threat, developers took swift action, disabling the ‘%f’ parameter and urging administrators to utilize the `CLAM_VIRUSEVENT_FILENAME` environment variable cautiously.

Another flaw, CVE-2024-20290, with a CVSS score of 7.5 is described as a possible heap overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition. Afflicting versions 1.0.0 through 1.2.1, this vulnerability can trigger a denial-of-service (DoS) scenario, disrupting ClamAV’s scanning process and draining system resources.

Cisco, cognizant of the severity of these vulnerabilities, swiftly identified impacted products, including Secure Endpoint Connector for Windows and Secure Endpoint Connector for Linux. Notably spared from the fray are Firepower Threat Defense (FTD) Software, Secure Email Gateway, and Secure Web Appliance, among others.

ClamAV 1.2.2 and ClamAV 1.0.5 were released to patch both CVE-2024-20328 & CVE-2024-20290 flaws.

Despite the gravity of the situation, Cisco reassures users, stating no evidence of exploitation in the wild has been found. The absence of exploitation does not diminish the urgency of remediation efforts.

In the face of these vulnerabilities, proactive measures are paramount. Organizations must heed Cisco’s warnings, promptly applying patches and implementing safeguards to fortify their defenses.