Cisco has recently released security updates to address a severe vulnerability in the ClamAV open-source antivirus engine, which could result in remote code execution on susceptible devices. The vulnerability is tracked as CVE-2023-20032, with a CVSS score of 9.8, and it pertains to remote code execution in the HFS+ file parser component.
Versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier are affected by this flaw. Google security engineer Simon Scannell is credited with discovering and reporting the bug. Cisco Talos reported that the vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. This issue could be exploited by an attacker submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device.
If successfully exploited, the vulnerability would allow an adversary to run arbitrary code with the same privileges as that of the ClamAV scanning process or crash the process, leading to a denial-of-service (DoS) situation. To mitigate this threat, Cisco has advised users of the following susceptible products: Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints (Windows, macOS, and Linux), Secure Endpoint Private Cloud, and Secure Web Appliance, formerly Web Security Appliance.
It is important to note that this vulnerability does not affect Secure Email Gateway (formerly Email Security Appliance) and Secure Email and Web Manager (formerly Security Management Appliance) products. Moreover, Cisco has also addressed another vulnerability in ClamAV’s DMG file parser that could allow an unauthenticated, remote attacker to conduct a remote information leak (CVE-2023-20052, CVSS score: 5.3).
Cisco confirmed that enabling XML entity substitution could lead to XML external entity injection, and an attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. It is worth noting that CVE-2023-20052 does not impact the Cisco Secure Web Appliance. Nevertheless, both vulnerabilities have been addressed in ClamAV versions 0.103.8, 0.105.2, and 1.0.1.
Cisco also addressed a denial-of-service (DoS) vulnerability that affected Cisco Nexus Dashboard (CVE-2023-20014, CVSS score: 7.5), and two other privilege escalation and command injection flaws in Email Security Appliance (ESA) and Secure Email and Web Manager (CVE-2023-20009 and CVE-2023-20075, CVSS scores: 6.5). We urge our users to take action and apply these patches immediately to prevent any exploitation of the vulnerabilities.