ClamAV Vulnerable to WinRAR Code Execution (CVE-2023-40477) Vulnerability

In today’s rapidly advancing technological age, the safety and security of our digital data remains paramount. Anti-virus software is a staple in this defense mechanism, tirelessly working to identify and mitigate potential threats. One such vital player in the anti-virus world is ClamAV – the open-source toolkit, specifically tailored for e-mail scanning on mail gateways.

Recently, a potential vulnerability concerning ClamAV came into the spotlight. The flaw is linked with RARLAB’s WinRAR software and is designated as CVE-2023-40477. This security loophole allows adversaries to remotely execute arbitrary code.

At the root cause of this flaw lies a buffer overflow issue that occurs when processing recovery volume names in the archaic RAR 3.0 format. For the vulnerability to be exploited, a user needs to unpack a RAR file situated in the same directory as a REV file with a distorted name. WinRAR has addressed and resolved this flaw in its 6.23 version.

The root of concern stems from “UnRAR”, an open-source library created by WinRAR’s developers. ClamAV incorporates this library under the moniker “libclamunrar”. As ClamAV elucidated in a blog post, “We are concerned that ClamAV may be affected by CVE-2023-40477.”

Essentially, a potential attacker, by convincing an unsuspecting victim to open a carefully manipulated file, could exploit the vulnerability, giving them the ability to execute any code within the ongoing process’s context.

ClamAV versions 1.1.x prior to 1.1.2, 1.0.x prior to 1.0.3, and 0.103.x earlier than 0.103.10 are affected by this vulnerability. ClamAV versions 1.2.0 and 1.1.1, 1.0.2, 0.103.10 have been released to patch the vulnerability. Users of ClamAV should update to the latest version as soon as possible.