CVE-2023-20032: Critical RCE vulnerability in ClamAV

ClamAV on Wednesday announced patches for two vulnerabilities across its open-source antivirus engine product, including a critical severity issue.

Tracked as CVE-2023-20032 with a CVSS score of 9.8, the critical bug exists because of improper bounds checking and could allow an attacker to trigger a buffer overflow by submitting a specially crafted HFS+ partition file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVE-2023-20032

ClamAV is an open-source (GPLv2) anti-virus toolkit, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner, and an advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of a shared library.

“This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition.” Cisco explains.

The flaw was addressed alongside a medium-severity XML external entity injection vulnerability (tracked as CVE-2023-20052), featuring a CVSS score of 5.3.

ClamAV is vulnerable to an XML external entity injection (XXE) attack when processing XML data, caused by enabling an XML entity substitution. By sending a specially crafted DMG file to be scanned, a remote attacker could exploit this vulnerability to view bytes from any file that may be read by the ClamAV scanning process.

In two advisories [1, 2], Cisco notes that these flaws affected products including Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints, for Linux, Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints, for MacOS, Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints, for Windows, Secure Endpoint Private Cloud, and Secure Web Appliance, formerly Web Security Appliance. Cisco also notes that it is not aware of the flaws being exploited in the wild.

ClamAV has released software updates (versions 0.103.8, 0.105.2, and 1.0.1) to address CVE-2023-20032 and CVE-2023-20052 and says that there are no workarounds available.