overview
Two vulnerabilities were found in the ClamAV scanning library – an open-source cross-platform antimalware toolkit. The tool can detect, viruses, trojans, and other kinds of malware.
CVE-2023-20032 is critical and has a CVSS score of 9.8. The vulnerability is an HFS+ file parser flaw that impacts ClamAV versions 0.103.7 and earlier, 0.105.1 and earlier, and 1.0.0 and earlier. If the parser fails to perform a buffer check, there is a risk of a heap buffer overflow write. CVE-2023-20032 could be exploited by an attacker who submits a specially crafted HFS+ partition file for scanning. Cisco's advisory states that an attacker could execute arbitrary code using the privileges of the ClamAV scanning process or cause the process to crash, leading to a denial-of-service scenario.
CVE-2023-20052 has a medium CVSS score of 5.3. The vulnerability is a DMG file parsing XML entity flaw that’s triggered by scanning crafted DMG files. If successful, an unauthenticated, remote attacker could access sensitive information on an affected device. CVE-2023-20052 impacts ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
There are also two other Cisco vulnerabilities unrelated to ClamAv that are high-risk. CVE-2023-20009 is a privilege escalation vulnerability that impacts Cisco Email Security Appliances and Cisco Secure Email and Web Manager. CVE-2023-20075 is a command injection vulnerability that impacts Cisco Email Security Appliances. If an attacker has valid user credentials, they could elevate their privileges to root and execute arbitrary commands on an impacted device.
Due to there being no available workarounds for the mentioned vulnerabilities, Avertium strongly advises applying the appropriate patches as soon as possible.
At this time, there are no known IoCs associated with CVE-2023-20032, CVE-2023-20052, CVE-2023-20075, and CVE-2023-20009. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
SUPPORTING DOCUMENTATION
ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023
Admins, patch your Cisco enterprise security solutions! (CVE-2023-20032) - Help Net Security
ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023
Cisco Email Security Appliance and Cisco Secure Email and Web Manager Vulnerabilities
Critical Vulnerability Patched in Cisco Security Products - SecurityWeek