
ClamAV Open Source antivirus software RCE vulnerability (CVE-2023-20032)

Advisory No: TZCERT/SA/2023/02/17

Date of First Release: 17th February 2023

Source: CISCO

Software Affected: ClamAV: 0.103.8, 0.105.2 and 1.0.1

Overview:

Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices. This vulnerability could allow attackers to take control of an affected system.

Description:

The vulnerability, tracked as CVE-2023-20032 (CVSS score: 9.8), is caused by a buffer overflow in the HFS+ file parser. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. 

A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition.

This vulnerability affects the following products:

  • Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints (Windows, macOS, and Linux)
  • Secure Endpoint Private Cloud, and
  • Secure Web Appliance, formerly Web Security Appliance

Impact:

Successful exploitation of this vulnerability may allow the attacker to take control of the affected system.

Solution:

CISCO has released a patch for this vulnerability. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
  2. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy
