ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability


SynSyn

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed:

A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to execute arbitrary code.

This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition.

For a description of this vulnerability, see the ClamAV blog.

CVE:  CVE-2023-20032

Source:  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy

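As an added example (not code from the post, the Cisco advisory, ClamAV or Immunet), here is a small Python check that parses a ClamAV engine version string, including the `clamscan --version` output format, and tests it against the affected ranges quoted in the advisory above; the branch table and the "pad to three components" rule are my own assumptions about how to read the advisory wording.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as quoted from the Cisco advisory for CVE-2023-20032:
# "1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier".
# Keyed by (major, minor) branch -> highest affected version on that branch,
# which implies the first fixed release is the next patch level (assumption).
LAST_AFFECTED = {
    (1, 0): (1, 0, 0),
    (0, 105): (0, 105, 1),
    (0, 103): (0, 103, 7),
}
# Branches with no entry above (e.g. 0.104.x, 0.102.x) still fall under the
# literal wording "1.0.0 and earlier", so anything up to this ceiling is flagged.
ABSOLUTE_CEILING = (1, 0, 0)


def parse_version(text: str) -> Optional[Version]:
    """Extract a dotted version from a bare string ("0.103.5.26") or from
    `clamscan --version` output such as "ClamAV 0.103.7/26812/Wed Feb 15 ...",
    where the fields are engine version / signature DB version / DB date."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to at least major.minor.patch so a two-part version compares sanely.
    return parts + (0,) * (3 - len(parts))


def is_affected(text: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if not,
    None if no version could be parsed from the input."""
    v = parse_version(text)
    if v is None:
        return None
    branch = v[:2]
    if branch in LAST_AFFECTED:
        # Compare only major.minor.patch; a vendor build suffix (e.g. ".26")
        # does not change which upstream release the engine is based on.
        return v[:3] <= LAST_AFFECTED[branch]
    # No branch-specific fix listed: fall back to the blanket ceiling.
    return v[:3] <= ABSOLUTE_CEILING


if __name__ == "__main__":
    # Constructed sample inputs, including the Immunet-bundled version named in this thread.
    for sample in ("0.103.5.26", "ClamAV 1.0.0/26800/Tue Feb 14 08:01:25 2023", "0.103.8"):
        print(sample, "->", "affected" if is_affected(sample) else "not affected")
```

The check applies the advisory wording literally, so a vendor-built module such as the 0.104.3.61 engine that the last post in this thread reports as Immunet's fix would still be flagged on version number alone. Treat a flag as a prompt to confirm the fix with the vendor, since backported patches are invisible to version-string checks.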

Hi SynSyn,

Thanks for bringing this buffer overflow vulnerability with ClamAV to my attention! I am familiar with this type of software zero-day vulnerability that, if detected and not fixed right away, can sometimes be exploited for nefarious purposes.

The newest 7.5.8 version of Immunet does use the older 0.103.5.26 source code of ClamAV.

Immunet is not included in the list of affected products by Cisco, however; primarily just Immunet's enterprise version called Secure Endpoint seems to be affected, & a few other products. Even though Immunet is not listed, that doesn't mean that the ClamAV module is not affected in my opinion.

If an Immunet user has the ClamAV module and updates for it enabled in Settings, a bug fix could be automatically installed, but I'm not certain that has taken place.

What I'll do is inform an Admin who works directly with the Immunet development team and inform him of this issue as soon as I post this thread to your topic!

Personally this doesn't affect me since I don't use the ClamAV module because I use Immunet as a companion AV to another AV product.

Regards, Ritchie...

Edit 11:32PM: I did contact the Admin I mentioned concerning this matter. Thanks again for the info SynSyn!


To all Immunet users that read this topic,

Don't panic, I don't think it's necessary to uninstall Immunet because of this vulnerability. If you use the ClamAV module and are uneasy about this current situation consider temporarily disabling the ClamAV module and updates for it in Settings. If ClamAV is turned off you're still being protected by the ETHOS & SPERO cloud detection engines.

Then, when it's announced that everything's ok or the issue has been taken care of, simply turn ClamAV back on, would be my advice for now.


Quote

Don't panic, I don't think it's necessary to uninstall Immunet because of this vulnerability.

Agreed, the simplest workaround does indeed seem to be to disable ClamAV, temporarily, until an update is provided.

Quote

The newest 7.5.8 version of Immunet does use the older 0.103.5.26 source code of ClamAV.

I was able to confirm that is still the latest version that is shipping with Immunet, and it's not (currently) automatically updating beyond that.

Quote

Thanks for bringing this buffer overflow vulnerability with ClamAV to my attention [...snip...] I did contact the Admin I mentioned concerning this matter.

@ritchie58 You are very welcome, and thank you for your prompt response and escalating the matter. 😀


Hey SynSyn,

Since it is the weekend the Admin I contacted via Private Message may not read it until the start of the work week Monday.

That being said, I definitely would like to see this issue resolved by the dev team asap!

Best wishes, Ritchie...


Thank you SynSyn and Ritchie for your messages. 

I have reached out to our teams to see a timeline for the updated version. I'll let you know as soon as I get any updates.

In regards to users updating just the ClamAV, I believe it won't be possible as the integrations have to be changed. So it would be a new Immunet version altogether.

Thanks again.

Harshal


Hey everyone,

Trying to force update the ClamAV files does not work, and attempting to just update Clam causes the app to not work, but I usually don't use that part. The cloud engines however are still working. I'd definitely recommend turning ClamAV off if you're using Immunet as a companion AV to your main one. Just make sure that you add exceptions if your main AV is not already listed in the exception files in Immunet, and do the same for your main AV as well to avoid issues that may happen.


Hello again Scats,

That's something I didn't try, enabling ClamAV & updating, since I don't use it & I was also told that won't work to correct this issue.

According to Harshal, the ClamAV source code itself will have to be updated which will require a completely new build of Immunet being publicly rolled-out. 

I'm hoping the dev team is still hard at work on this ClamAV vulnerability issue & will release a new build soon! The sooner the better for all Immunet users in my opinion.

Regards, Ritchie...


  • 1 month later...

Hello all, 

Thank you for your patience on this item. Yes, Immunet will require a new build to integrate a newer version of ClamAV. I have informed the team about this and there are a couple of Enterprise product releases that we have in the pipeline at the moment. So once those are released, Immunet work will be queued right after. I don't have a concrete timeline on that as of now, but I'll update here as soon as I have that info.

Thanks,

Harshal

  • Thanks 1

Hi Harshal,

Thanks for the update! Hopefully the new build will be out soon. 

Just a quick question about the new build, is it possible the new one can have the UI updated for higher resolution screens like 4k monitors? 

Thanks, 

Stay safe...  


  • 2 weeks later...

Hi Omnimaxus,

Usually Immunet is light on system usage except when ClamAV is on there, which should be turned off till the update is available since there is a known vulnerability with Clam.

What are your system specs so I can give more specific tips to possibly help you out?


Stay safe... 


This may not be the case here Omnimaxus but there have been instances where a user created one or more scheduled scans with Immunet & simply forgot about that.
Then again, even if a scan is taking place it shouldn't eat up so much system resources that your rig is adversely affected.

As Scats suggested, what are your Windows OS & system specs?



@Scats - I have an i7-2600K, 8 GB of RAM, Windows 10 (64-bit; latest version), one SSD and one HDD, and an Nvidia GeForce 1060 GTX with 3 GB of VRAM.


@ritchie58 - Hmm.  Maybe it would help if I explained exactly when the slowdown happens.  It happens at startup when I also have Privacy Eraser set to run automatically.  Immunet starts at the same time, and both programs seem not to work well together.  After I posted earlier, I went and looked on the Immunet forum.  I saw a few other posts with similar issues (CPU slowdowns, et cetera).  You suggested to these other folks that they consider turning off a couple things, I think.  But that's the thing.  We shouldn't have to disable default settings, because they're meant to "work," and not cause problems.  I am using Windows Defender currently (because of the problem with ClamAV), and Windows Defender doesn't have this effect on my PC at all.  It doesn't slow down my computer at all when I sign into Windows after a fresh boot.  Any suggestions?


@Harshal - while I'm responding to @Scats and @ritchie58, I might as well follow up here and ask if you have any idea of an ETA for the next release of Immunet?


Thanks to everyone!


Thanks for the quick reply Omnimaxus!

You do have more than adequate system resources to run Immunet.

Mmm. There could very well be some sort of conflict between the two programs at startup.

I would suggest that you create a custom Exclusion rule with Immunet for Privacy Eraser's 'entire Program Files folder' to see if that corrects the issue. Worth a shot I think.

As far as when a new build of Immunet will be publicly rolled-out I haven't heard anything new regarding that. Soon I hope!

Cheers, Ritchie...


You know you can still use Immunet just as long as you have the ClamAV module & updates for it disabled in Settings Omnimaxus. You'd still be getting protection from both the ETHOS & SPERO cloud detection engines.

It is recommended that ClamAV is disabled if paired with another AV product & since you were using Immunet with Defender you could still use it if you wanted to. Just thought I'd mention that.

Regards, Ritchie...


  • 2 weeks later...
  • 1 month later...

I'm happy to announce that the devs have fixed this ClamAV vulnerability issue with a new build that has updated the ClamAV module to version 0.104.3.61! 

The 7.5.10.21498 build update should be pushed to you through the UI or you can just click on the Update Now tab on the UI to start the update process.

For those that wish to manually download the installer package here is a URL link for that.
https://download.immunet.com/binaries/immunet/bin/ImmunetSetup.exe

After updating it is now safe to use or enable the ClamAV module & updates for it in Settings.

Regards, Ritchie...
