ClamAV Issues Urgent Patch for High-Risk DoS Vulnerability CVE-2024-20380
The ClamAV development team has released urgent security patches for its popular open-source antivirus software. The patches address a high-severity vulnerability, designated CVE-2024-20380 (CVSS 7.5), that could allow unauthenticated, remote attackers to crash ClamAV services, causing a Denial-of-Service (DoS) condition.
What is ClamAV?
ClamAV is a widely used, cross-platform, open-source antivirus engine for detecting malware in files and streams. It is embedded in email gateways, web and file-upload scanners, and endpoint security products, and it is also run directly on personal systems. That placement matters for this bug: the crafted file reaches the parser through whatever front end feeds ClamAV, typically without any interaction from the operator.
The Vulnerability: How it Works
The vulnerability (CVE-2024-20380) resides in ClamAV's HTML file parser. A crafted file containing HTML content, submitted for scanning by any route the deployment accepts (an email attachment, an uploaded file, a file dropped into a watched directory), can trigger a crash in the scanning process. No authentication is needed, since the attacker only has to get the file in front of the scanner. When clamd dies with the scan, every service that routes traffic through it loses coverage until the daemon is restarted, and any integration that treats a failed or absent scan as "clean" is left effectively unprotected.
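A caveat for integrators, with an added example that is not part of this advisory or of the ClamAV project: a crash in clamd is only a denial of service if the caller notices it. clamdscan (like clamscan) exits 0 for a clean file, 1 when a signature matched and 2 on error, and a dead or unreachable daemon surfaces to the caller as exit code 2. The wrapper below relies on that exit-code contract; the SCANNER variable and the function names scan_verdict and policy_action are our own, and the caller is assumed to act on the printed verdict.

```shell
#!/bin/sh
# Added example (not from the advisory or the ClamAV project): a gateway-side
# scan wrapper that fails closed. clamdscan and clamscan exit 0 when the file is
# clean, 1 when a signature matched, and 2 on error; a crashed or unreachable
# clamd, which is what an attacker gets from CVE-2024-20380, shows up as 2.
# Treating that 2 like a 0 is how a scanner outage turns into fail-open delivery.

# Command used to scan the path given as its last argument. Overridable so the
# policy can be exercised without a running daemon (default is an assumption).
: "${SCANNER:=clamdscan --no-summary}"

# Prints clean / infected / error for the file in $1 and returns 0 / 1 / 2.
# The exit status is captured with "|| rc=$?" so the function is safe under set -e.
scan_verdict() {
    rc=0
    $SCANNER "$1" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo clean;    return 0 ;;
        1) echo infected; return 1 ;;
        *) echo error;    return 2 ;;   # 2 from clamdscan, 127 if missing, 128+n if killed
    esac
}

# Policy: deliver only on an explicit clean verdict. Infected is rejected, and an
# error (dead daemon, bad socket, timeout) is held for a rescan rather than passed
# through. Prints the action and returns 0 only for "deliver".
policy_action() {
    verdict=$(scan_verdict "$1") || true
    case "$verdict" in
        clean)    echo deliver;    return 0 ;;
        infected) echo reject;     return 1 ;;
        *)        echo quarantine; return 1 ;;
    esac
}

# Usage: SCANNER='clamdscan --no-summary' ./scan-gate.sh /var/spool/incoming/attachment
if [ "$#" -gt 0 ]; then
    policy_action "$1"
fi
```

The design choice is that only exit code 0 maps to delivery; every other outcome, including ones the scanner never anticipated such as being killed by a signal, lands in the quarantine branch. Pair this with a process supervisor that restarts clamd, and a crash becomes a short delay rather than a window of unscanned traffic.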
Affected Versions:
Only ClamAV version 1.3.0 is affected. Earlier releases, including the 1.2.x and 1.0.x branches, do not contain this issue, so the check that matters is whether a deployment is running exactly 1.3.0.
Mitigation: Update Now!
Because the bug is reachable by anyone who can get a file scanned, users of ClamAV 1.3.0 should upgrade to 1.3.1 without delay. Patch releases for the 1.2.x and 1.0.x branches (1.2.3 and 1.0.6 respectively) were published at the same time; they do not need the CVE-2024-20380 fix, since those branches are not affected, but they carry the following fixes, all of which are also included in 1.3.1:
- Updated Rust Dependencies: Select Rust dependencies are updated to current versions, which resolves issues flagged by Cargo audits and brings in fixes to the PNG parser.
- Character Encoding Fixes: A bug that truncated some text when converting from UTF-16 has been fixed.
- Static Analysis Improvements: Assorted complaints raised by Coverity static analysis have been addressed.
- Database Handling Updates: A bug in Freshclam's handling of the DatabaseCustomURL option, which caused ClamAV databases (CVDs) to be pruned and then re-downloaded on every Freshclam run, has been fixed.
- Future-Proofing: The 'valhalla' database name has been added to the list of optional databases, in preparation for future work.
- Enhanced Build Configurations: Additional symbols have been added to the libclamav.map file to enable more build configurations.
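A quick way to check an installed engine against the affected and patched versions listed above, as an added example that is not part of this advisory or of the ClamAV project. It assumes the first line of clamscan --version has the form shown in the comments (clamd's reply to the VERSION command uses the same format); the function names are our own.

```shell
#!/bin/sh
# Added example (not from the advisory or the ClamAV project): decide whether the
# installed engine is the one release affected by CVE-2024-20380 and, for the
# branches that received April 2024 patch releases, which version to move to.
# Version strings come from `clamscan --version`, which prints a line such as
#   ClamAV 1.3.0/27240/Wed Apr 17 08:25:05 2024
# (the /signature-version/date suffix is absent when no database is loaded).

# Extract "major.minor.patch" from a version line; prints nothing if it does not match.
clamav_version_number() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# True (exit 0) only for 1.3.0, the sole release vulnerable to CVE-2024-20380.
clamav_affected_by_cve_2024_20380() {
    [ "$(clamav_version_number "$1")" = "1.3.0" ]
}

# Patch release carrying the fixes for the installed branch:
# 1.3.x -> 1.3.1, 1.2.x -> 1.2.3, 1.0.x -> 1.0.6. Other branches print "n/a".
clamav_target_release() {
    case "$(clamav_version_number "$1")" in
        1.3.*) echo 1.3.1 ;;
        1.2.*) echo 1.2.3 ;;
        1.0.*) echo 1.0.6 ;;
        *)     echo n/a ;;
    esac
}

# True (exit 0) when the installed release is older than its branch's target.
# Unparseable input or an uncovered branch yields false, so a caller must not
# read "false" as "patched" without also checking clamav_version_number output.
clamav_needs_update() {
    v=$(clamav_version_number "$1")
    t=$(clamav_target_release "$1")
    if [ -z "$v" ] || [ "$t" = n/a ]; then
        return 1
    fi
    # major.minor already match the target branch, so compare the patch component only
    [ "${v##*.}" -lt "${t##*.}" ]
}

# Report on the local install when clamscan is on PATH.
if command -v clamscan >/dev/null 2>&1; then
    line=$(clamscan --version 2>/dev/null | head -n 1)
    if clamav_affected_by_cve_2024_20380 "$line"; then
        echo "VULNERABLE to CVE-2024-20380: $line (upgrade to 1.3.1)"
    elif clamav_needs_update "$line"; then
        echo "not affected by CVE-2024-20380, but behind: $line (upgrade to $(clamav_target_release "$line"))"
    else
        echo "ok: $line"
    fi
fi
```

Run it on each host that embeds libclamav, not only on the machine that runs clamd; a web application bundling its own copy of the engine reports its version through the same clamscan binary and is affected on the same terms.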
Where to Obtain Updates
Users can download the latest patched versions from the following sources:
- ClamAV Downloads Page: https://www.clamav.net/downloads
- GitHub Release Page: https://github.com/Cisco-Talos/clamav/releases
- Docker Hub: https://hub.docker.com/r/clamav/clamav/