Cisco ClamAV anti-malware scanner vulnerable to serious security flaw

John Leyden 22 February 2023 at 14:23 UTC

Patch released for bug that poses a critical risk to vulnerable technologies

A security flaw in a bundle anti-malware scanner product has created a serious security risk for some products from networking giant Cisco.

More particularly, a vulnerability in the ClamAV scanning library (tracked as CVE-2023-20032) created a critical security risk for Cisco’s Secure Web Appliance as well as various versions of Cisco Secure Endpoint (including Windows, MacOS, Linux, and cloud).

Cisco released an advisory on the vulnerability – alongside patches for affected products – last week. Although the vulnerability is not under active attack, patching is nonetheless recommended.

The partition scanning buffer overflow vulnerability poses a critical risk to vulnerable technologies.

Catch up with the latest network security news and analysis

As explained in Cisco’s security advisory, a vulnerability in the HFS+ partition file parser of ClamAV creates a mechanism to push malicious code onto either endpoint devices or vulnerable instances of Cisco’s Secure Web Appliance.

The vulnerability, which stems from an absent buffer size check, creates a heap buffer overflow risk in scanning HFS+ partition file. An attacker might be able to create a malicious partition file before offering it up for scanning by ClamAV.

“A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition,” Cisco’s advisory explains.

Use case

ClamAV (Clam AntiVirus) is a free software, anti-malware toolkit originally developed for Unix. The technology - acquired by Cisco through an acquisition 10 years ago, has been ported to run on various operating systems including Linux, macOS, and Windows.

One of the main use cases for the technology is on mail servers as a server-side malware-in-email scanner.

However, Cisco has confirmed that neither its Secure Email Gateway nor its Secure Email and Web Manager appliances are vulnerable to this particular security bug.

Who guards the guards?

Any vulnerability in a security utility that allows potential miscreants to hack into affected devices show how tools designed to increase security can increase the attack surface exposed to potential attackers.

The security flaw in ClamAV’s HFS+ partition file parser, along with lesser a remote information leak vulnerability (tracked as CVE-2023-20052) in the DMG file parser of the same technology, were both discovered by Google engineer Simon Scannell. Google notified Cisco about security bugs in ClamAV last August.

An advisory by Google, posted on GitHub, offers a full technical run-down of the more serious CVE-2023-20032 vulnerability and its potential exploitation.

“We rate the vulnerability as high severity as the buffer overflow can be triggered when a scan is run with CL_SCAN_ARCHIVE enabled, which is enabled by default in most configurations.

“This feature is typically used to scan incoming emails on the backend of mail servers. As such, a remote, external, unauthenticated attacker can trigger this vulnerability,” Cisco’s advisory explains.

A technical blog post by German cybersecurity vendor ONEKEY concludes that the two flaws in ClamAV illustrate that “file format parsing is a difficult and complex endeavor”.

LIKED THIS ARTICLE? Sign up to our new newsletter – Daily Swig Deserialized