ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability

[SynSyn]

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed:

A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to execute arbitrary code.

This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition.

For a description of this vulnerability, see the ClamAV blog.

CVE:  CVE-2023-20032

Source:  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy

[SynSyn]

According to the advisory, the version of ClamAV included with Immunet is vulnerable.  Is there any news on an update for Immunet?

[ritchie58]

Hi SynSyn,

Thanks for bringing this buffer overflow vulnerability with ClamAV to my attention! I am familiar with this type of software zero-day vulnerability that if detected, and not fixed right away, can sometimes be exploited for nefarious purposes. 

The newest 7.5.8 version of Immunet does use the older 0.103.5.26 source code of ClamAV.

Immunet is not included in the list of affected products by Cisco however, just primarily Immunet's enterprise version called Secure Endpoint seems to be affected & a few other products. Even though Immunet is not listed that doesn't mean that the ClamAV module is not affected in my opinion.

If a Immunet user has the ClamAV module and updates for it enabled in Settings a bug fix could be automatically installed but I'm not certain that has taken place.

What I'll do is inform an Admin who works directly with the Immunet development team and inform him of this issue as soon as I post this thread to your topic!

Personally this doesn't affect me since I don't use the ClamAV module because I use Immunet as a companion AV to another AV product.

Regards, Ritchie...

Edit 11:32PM: I did contact the Admin I mentioned concerning this matter. Thanks again for the info SynSyn!

 

[ritchie58]

To all Immunet users that read this topic,

Don't panic, I don't think it's necessary to uninstall Immunet because of this vulnerability. If you use the ClamAV module and are uneasy about this current situation consider temporarily disabling the ClamAV module and updates for it in Settings. If ClamAV is turned off you're still being protected by the ETHOS & SPERO cloud detection engines.

Then when it's announced that everything's ok or the issue has been taken care of simply turn ClamAV back on would be my advice for now.

[SynSyn]

Quote

Don't panic, I don't think it's necessary to uninstall Immunet because of this vulnerability.

Agreed, the simplest workaround does indeed seem to be to disable ClamAV, temporarily, until an update is provided.

Quote

The newest 7.5.8 version of Immunet does use the older 0.103.5.26 source code of ClamAV.

I was able to confirm that is still the latest version that is shipping with Immunet, and it's not (currently) automatically updating beyond that.

Quote

Thanks for bringing this buffer overflow vulnerability with ClamAV to my attention [..snip...]I did contact the Admin I mentioned concerning this matter.

 @ritchie58 You are very welcome, and thank you for your prompt response and escalating the matter. 

[ritchie58]

Hey SynSyn,

Since it is the weekend the Admin I contacted via Private Message may not read it until the start of the work week Monday.

That being said, I definitely would like to see this issue resolved by the dev team asap!

Best wishes, Ritchie...

[ritchie58]

Hi SynSyn,
 

I sent you a PM. To access your Private Message features simply click on the envelope icon located at the upper right corner of the home page after logging in.

Cheers, Ritchie...

[Harshal]

Thank you SynSyn and Ritchie for your messages. 

I have reached out to our teams to see a timeline for the updated version. I'll let you know as soon as I get any updates.

In regards to users updating just the ClamAV, I believe it won't be possible as the integrations have to be changed. So it would be a new Immunet version all together.

Thanks again.

Harshal

[Scats]

Hey everyone,

Trying to force update the clamav files does not work and from attempting to just update clam is causes the app to not work, but I usually don't use that part. The cloud engines however are still working. I'd definitely recommend turning the clamav off if your using Immunet as a companion av to your main one. Just make sure the you add exceptions if you main av is not already listed in the exception files in Immunet and do the same for your main av as well to avoid issues that may happen.

[ritchie58]

Hello again Scats,
 

That's something I didn't try, enabling ClamAV & updating since I don't use it & I was also told that won't work to correct this issue.

According to Harshal, the ClamAV source code itself will have to be updated which will require a completely new build of Immunet being publicly rolled-out. 

I'm hoping the dev team is still hard at work on this ClamAV vulnerability issue & will release a new build soon! The sooner the better for all Immunet users in my opinion.

Regards, Ritchie...