CVE-2023-20212 & CVE-2023-20197: ClamAV Denial of Service Vulnerabilities

CVE-2023-20212

ClamAV is a free and open-source antivirus software used to scan for viruses, trojans, and other malware. However, two vulnerabilities have been found in ClamAV that could allow an attacker to cause a denial of service (DoS) condition on an affected device.


1. CVE-2023-20212 (CVSS score of 7.5): ClamAV AutoIt Module Denial of Service Vulnerability

The first ClamAV Denial of Service (DoS) vulnerability, tracked as CVE-2023-20212 with a CVSS score of 7.5, is notable mainly for where it lives: the AutoIt module of ClamAV. It allows an unauthenticated, remote attacker to cause a DoS condition on an affected device.

The root cause is a seemingly innocuous logic error in memory management. To trigger it, an attacker needs only a crafted AutoIt file. When ClamAV scans that file on an affected device, the scanning process can be disrupted and forced to restart unexpectedly, and that abrupt interruption is the DoS condition.

Impacted software includes the Secure Endpoint Connector for Windows, notably between Release 8.1.5.21322 and 8.1.7.21585, as well as the Secure Endpoint Private Cloud. Fixed versions have been released (Secure Endpoint Private Cloud 3.8.0 or later with updated connectors). As of now, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public disclosure or malicious use of this vulnerability.

2. CVE-2023-20197 (CVSS score of 7.5): ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability

The second vulnerability is the HFS+ File Scanning Infinite Loop Denial of Service Vulnerability, designated CVE-2023-20197 and also rated with a CVSS score of 7.5.

This flaw lies in the filesystem image parser for the Hierarchical File System Plus (HFS+). An incorrect check during file decompression can send the parser into an infinite loop, so the software hangs indefinitely. An attacker who submits a crafted HFS+ filesystem image for scanning can use this to halt the ClamAV scanning process entirely, which not only causes a DoS condition but may also consume all available system resources.

Multiple versions of ClamAV are affected, from version 0.103.0 through 1.1.0. Steve Smith is credited with reporting this issue. The affected Cisco software platforms have been identified, and fixed versions have been released.

Affected Cisco Software Platform          First Fixed Release
Secure Endpoint Connector for Linux       1.22.0
Secure Endpoint Connector for MacOS       1.22.0
Secure Endpoint Connector for Windows     7.5.13.21586, 8.1.7.21585
Secure Endpoint Private Cloud             3.8.0 or later with updated connectors

Note that, for this vulnerability, the Cisco PSIRT acknowledges that proof-of-concept exploit code exists. However, as with the previous flaw, no malicious exploitation has been reported.

Both of these vulnerabilities have been patched in recent releases of ClamAV. If you are running an older version, you remain exposed to both DoS conditions. To protect yourself, update to the latest version of ClamAV as soon as possible.
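As an added example (not part of the original post or of the ClamAV project), the check below parses `clamscan --version` output and reports whether the installed engine falls inside the affected range the advisory states for CVE-2023-20197 (0.103.0 through 1.1.0). The patched maintenance releases 0.103.9, 1.0.2 and 1.1.1 are not listed on this page; they are the ClamAV releases that shipped the fix, and any version above 1.1.0 is treated as outside the stated range.

```python
"""Assess an installed ClamAV version against the CVE-2023-20197 /
CVE-2023-20212 affected range. Constructed example, not ClamAV code."""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range as stated in the advisory (inclusive at both ends).
AFFECTED_MIN: Version = (0, 103, 0)
AFFECTED_MAX: Version = (1, 1, 0)
# Maintenance releases carrying the fix, keyed by (major, minor) branch.
# Branches with no entry (e.g. 0.104, 0.105) never received a fix.
PATCHED: Dict[Tuple[int, int], Version] = {
    (0, 103): (0, 103, 9),
    (1, 0): (1, 0, 2),
    (1, 1): (1, 1, 1),
}


def parse_clamav_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from `clamscan --version` output, e.g.
    'ClamAV 1.1.0/26980/Fri Aug 18 07:25:41 2023' -> (1, 1, 0)."""
    m = re.search(r"ClamAV\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(v: Version) -> bool:
    """True if `v` is inside the affected range and predates its branch fix."""
    fix = PATCHED.get((v[0], v[1]))
    if fix is not None and v >= fix:
        return False
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def assess(text: str) -> str:
    """Human-readable verdict for one `clamscan --version` output string."""
    v = parse_clamav_version(text)
    if v is None:
        return "unknown: could not parse ClamAV version"
    label = ".".join(str(n) for n in v)
    verdict = "VULNERABLE" if is_vulnerable(v) else "not in affected range"
    return f"{label}: {verdict}"


if __name__ == "__main__":
    try:
        out = subprocess.run(["clamscan", "--version"],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""  # clamscan not on PATH; assess() reports unknown
    print(assess(out))
```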