ClamAV DoS Vulnerabilities
Share this:
ClamAV has fixed two vulnerabilities that could allow an attacker to cause a denial of service (DoS) condition on an affected device.
ClamAV AutoIt Module Denial of Service Vulnerability
The ClamAV Denial of Service vulnerability, tagged as CVE-2023-20212 with a CVSS score of 7.5, raises eyebrows primarily due to its origin. Located within the AutoIt module of ClamAV, this vulnerability opens the door for unauthenticated, remote attackers to induce a DoS condition on affected devices.
With the vulnerability, an attacker needs is a craftily designed AutoIt file. Once this file undergoes scanning by ClamAV on a compromised device, it can disrupt the ClamAV scanning process, forcing it to restart unexpectedly. This abrupt interruption culminates in a DoS scenario.
Impacted software includes the Secure Endpoint Connector for Windows, notably between Release 8.1.5.21322 and 8.1.7.21585, as well as the Secure Endpoint Private Cloud. A fixed version (3.8.0 or later with updated connectors) has been rolled out. As of now, the Cisco Product Security Incident Response Team (PSIRT) remains unaware of any public disclosures or malevolent usage concerning this vulnerability.
ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability
ClamAV reveals another alarming vulnerability: the HFS+ File Scanning Infinite Loop Denial of Service Vulnerability, designated as CVE-2023-20197 and also presenting a CVSS score of 7.5.This flaw emerges from the filesystem image parser dedicated to the Hierarchical File System Plus (HFS+). An incorrect verification during file decompression potentially results in an infinite loop, causing the software to hang indefinitely.
Threat actors, armed with crafted HFS+ filesystem image, can exploit this flaw to halt the ClamAV scanning process entirely, leading not only to a DoS condition but also potentially consuming all available system resources.Multiple versions of the software are affected, ranging from version 1.1.0 down to 0.103.0. The affected Cisco Software Platforms have been identified, and fixed versions have been released.
It’s crucial to note that, for this vulnerability, the Cisco PSIRT acknowledges the existence of proof-of-concept exploit code. However, as with the previous flaw, no known malicious exploits have been reported.
Both of these vulnerabilities have been patched in recent releases of ClamAV. However, if you are using an older version of ClamAV, you are vulnerable to these attacks. Update to the latest version of ClamAV as soon as possible.
