Critical RCE vulnerability discovered in popular open-source antivirus software

Cisco has recently issued security updates to fix a severe flaw in the ClamAV open-source antivirus engine that could lead to remote code execution on vulnerable devices

The bug, which is tracked as CVE-2023-20032 with a CVSS score of 9.8, resides in the HFS+ file parser component and affects ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. The vulnerability was discovered and reported by Simon Scannell, a Google security engineer.

According to an advisory from Cisco Talos, the flaw is caused by a missing buffer size check that could result in a heap buffer overflow write. An attacker could exploit the vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with the same privileges as that of the ClamAV scanning process or cause a denial-of-service (DoS) condition by crashing the process itself.

The affected Cisco products include Secure Endpoint (formerly Advanced Malware Protection (AMP) for Endpoints), Secure Endpoint Private Cloud, and Secure Web Appliance (formerly Web Security Appliance). However, the vulnerability does not affect Secure Email Gateway (formerly Email Security Appliance) and Secure Email and Web Manager (formerly Security Management Appliance) products.

Other vulnerabilities addressed

In addition to CVE-2023-20032, Cisco has also patched another vulnerability in ClamAV's DMG file parser, tracked as CVE-2023-20052 with a CVSS score of 5.3. The vulnerability could be exploited by an unauthenticated, remote attacker to exfiltrate data remotely.

"This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection," Cisco stated. "An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device."

This vulnerability does not affect Cisco Secure Web Appliance.

Both vulnerabilities have been addressed in ClamAV versions 0.103.8, 0.105.2, and 1.0.1, which have been released by ClamAV's developers. Cisco urges its customers to update to the latest version of ClamAV as soon as possible to ensure their systems are protected.

In addition to the ClamAV vulnerabilities, Cisco has also resolved a denial-of-service (DoS) vulnerability affecting Cisco Nexus Dashboard, tracked as CVE-2023-20014 with a CVSS score of 7.5, and two other privilege escalation and command injection flaws in Email Security Appliance and Secure Email and Web Manager, tracked as CVE-2023-20009 and CVE-2023-20075 with CVSS scores of 6.5.

Keep up with your patches

Keeping your software up to date is one of the easiest and most effective ways to ensure you are not affected by a vast array of vulnerabilities. It is well-established that unpatched software is a significant risk factor for cyber attacks.

Unpatched software vulnerabilities can be exploited by attackers to gain access to systems, steal data, launch malware attacks, and more. The longer a vulnerability remains unpatched, the greater the likelihood that it will be discovered and exploited by attackers. In fact, some studies have found that the majority of successful cyber attacks exploit known vulnerabilities for which patches have already been released.

For example, according to the 2021 Verizon Data Breach Investigations Report, 60% of data breaches in 2020 involved hacking or other types of attacks that exploited vulnerabilities that were at least two years old. In other words, the organizations targeted in these attacks had failed to apply security patches that were available for a significant period of time.

Therefore, it's crucial for organizations to prioritize software patching and stay up-to-date with security updates to reduce the risk of cyber attacks.