Headline
CVE-2023-20197: Cisco Security Advisory: ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability
A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources. For a description of this vulnerability, see the ClamAV blog .
For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases
Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table(s):
Affected Cisco Software Platform
First Fixed Release
Secure Endpoint Connector for Linux
1.22.01
Secure Endpoint Connector for MacOS
1.22.01
Secure Endpoint Connector for Windows
7.5.13.215861
8.1.7.215851Secure Endpoint Private Cloud
3.8.0 or later with updated connectors2
1. Updated releases of Cisco Secure Endpoint Connector are available through the Cisco Secure Endpoint portal. Depending on the configured policy, Cisco Secure Endpoint Connector will automatically update.
2. Affected releases of Cisco Secure Endpoint Connector clients for Cisco Secure Endpoint Private Cloud have been updated in the connectors repository. Customers will get these connector updates through normal content update processes.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
Related news
Dell vApp Manger, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.
Ubuntu Security Notice 6303-2 - USN-6303-1 fixed a vulnerability in ClamAV. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. It was discovered that ClamAV incorrectly handled parsing HFS+ files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.
Ubuntu Security Notice 6303-1 - It was discovered that ClamAV incorrectly handled parsing HFS+ files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.