2023-02-20

Cisco has released security updates to address a critical flaw reported in the ClamAV open-source antivirus engine that could lead to remote code execution on affected devices.

Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue is a remote code execution vulnerability in the HFS+ file parser component.

The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Google security engineer Simon Scannell has been credited with discovering and reporting the bug.

What is the problem with ClamAV antivirus for Linux

“This vulnerability is due to a missing buffer size check that could lead to a heap buffer overflow write,” Cisco Talos stated in a report. “An attacker could exploit this vulnerability by sending an HFS+ partition file intended to be scanned by ClamAV on an affected device.”

Successful exploitation of the security hole could allow an attacker to execute malicious code with the same privileges as the ClamAV scanning process, or to crash the process, resulting in a denial-of-service (DoS) condition.

The following Cisco products are affected:

Secure Endpoint, formerly Advanced Malware Protection (AMP) for endpoints (Windows, macOS and Linux)

Secure Private Cloud Endpoints

Secure Web Appliance, formerly Web Security Appliance

Cisco has also confirmed that the vulnerability does not affect the Secure Email Gateway (formerly known as Email Security Appliance) and Secure Email and Web Manager (formerly known as Security Management Appliance) products.

Cisco’s patch also addresses a remote information-leak vulnerability in ClamAV’s DMG file parser (CVE-2023-20052, CVSS score: 5.3) that could be exploited remotely by an unauthenticated attacker.

“This vulnerability is due to the enabling of XML entity substitution which can lead to XML external entity injection,” Cisco noted. “An attacker could exploit this vulnerability by sending a DMG file designed to be scanned by ClamAV on an affected device.”
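A DMG image carries its block map as an XML property list, so the mitigation Cisco describes comes down to parsing that plist with entity substitution disabled. The following is an added example (not ClamAV's code, and not from the advisory) of a hardened plist loader that refuses any entity declaration before parsing; both plist samples are constructed, and the `file:///placeholder/...` path is a placeholder. The check is on entity declarations rather than on the DOCTYPE, because a legitimate DMG plist normally carries Apple's DTD reference.

```python
import plistlib
from xml.parsers.expat import ExpatError, ParserCreate

# Constructed sample: a minimal DMG-style plist with the usual Apple DOCTYPE.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>resource-fork</key><dict><key>blkx</key>
<array><dict><key>Name</key><string>whole disk (Apple_HFS : 1)</string></dict></array>
</dict></dict></plist>"""

# Constructed sample: the same plist, but declaring an external entity.  A parser
# with entity substitution enabled would try to read the referenced file (placeholder path).
HOSTILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY leak SYSTEM "file:///placeholder/local/file"> ]>
<plist version="1.0"><dict><key>resource-fork</key><dict><key>blkx</key>
<array><dict><key>Name</key><string>&leak;</string></dict></array>
</dict></dict></plist>"""


class EntityDeclarationError(ValueError):
    """Raised when the XML declares an entity, which a plist never needs."""


def has_entity_declaration(xml_bytes: bytes) -> bool:
    """Pre-scan with expat and report whether any entity (internal or external)
    is declared.  No ExternalEntityRefHandler is installed, so nothing is
    fetched during this pass; the scan stops at the first declaration."""
    parser = ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationError(f"entity {name!r} (system id {system_id!r})")

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except EntityDeclarationError:
        return True
    except ExpatError:
        return True  # malformed XML is treated as suspect as well
    return False


def load_dmg_plist(xml_bytes: bytes) -> dict:
    """Parse the plist only after confirming it declares no entities."""
    if has_entity_declaration(xml_bytes):
        raise EntityDeclarationError("refusing plist with entity declarations")
    return plistlib.loads(xml_bytes, fmt=plistlib.FMT_XML)
```

Recent CPython releases reject entity declarations inside plistlib itself; the explicit pre-scan makes the policy visible and independent of the library version.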

It is worth noting that CVE-2023-20052 does not affect Cisco Secure Web Appliance. Both vulnerabilities have been fixed in ClamAV versions 0.103.8, 0.105.2 and 1.0.1.

Cisco also separately addressed a denial of service (DoS) vulnerability affecting the Cisco Nexus Dashboard (CVE-2023-20014, CVSS score: 7.5) and two other privilege escalation and command injection flaws in Email Security Appliance (ESA) and Secure Email and Web Manager (CVE-2023-20009 and CVE-2023-20075, CVSS score: 6.5).

The security paradox of Linux operating systems, viruses and antivirus

A note is in order on the subject of “Linux and antivirus”.

Die-hard Linux advocates, in their supposed anti-Windows crusade, argue that “Linux operating systems are immune to viruses,” “you can play it safe,” and so on.

Unfortunately, without sound browsing habits you risk phishing, ransomware and other problems on any operating system, whether Windows, Linux, macOS or ChromeOS; the platform alone does little to protect you.

Moreover, the very existence of antivirus software for Linux, including the ClamAV discussed here, suggests that this family of operating systems is not as “immune” as claimed; what is true is that Linux operating systems are simply less popular than Windows or macOS, which greatly reduces the chance of accidentally downloading malware.

The paradox lies here: with many Linux distributions and no single scanning system that reports data to a central authority, how do you tell how many and exactly which viruses and malware are circulating on the various Linux distributions? Simple: it cannot be done.

Unfortunately, we are not aware of zero-day bugs, malware and so on, partly because they vary with the distribution in use; as a logical consequence, there are no reliable data on the matter.