GRC Viewpoint

Cisco's ClamAV Malware Scanner Exposes Products to a Severe Buffer Overflow Flaw

Cisco has disclosed a serious security flaw in its ClamAV malware scanner. Because ClamAV is embedded in several Cisco products, the flaw puts those products at risk as well.

ClamAV (Clam AntiVirus) is a free anti-malware toolkit initially created for Unix systems. 

Cisco acquired the technology ten years ago when it bought Sourcefire, and ClamAV has since been ported to run on many operating systems.


Simon Scannell, a Google engineer, found the buffer overflow in ClamAV’s HFS+ partition file parser, along with a less severe remote information-leak vulnerability in ClamAV’s DMG file parser.

“A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition,” the Cisco advisory states.


As Cisco’s security advisory describes, the flaw in ClamAV’s HFS+ partition file parser is triggered when the scanner parses a crafted HFS+ partition file, which lets an attacker run code of their choosing on vulnerable endpoints and on susceptible Cisco Secure Web Appliance deployments.

Specifically, the flaw in the ClamAV scanning library, tracked as CVE-2023-20032, exposes Cisco Secure Web Appliance and several versions of Cisco Secure Endpoint to this risk.

“We rate the vulnerability as high severity as the buffer overflow can be triggered when a scan is run with CL_SCAN_ARCHIVE enabled, which is enabled by default in most configurations. This feature is typically used to scan incoming emails on the backend of mail servers. As such, a remote, external, unauthenticated attacker can trigger this vulnerability,” the advisory continues.
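The practical question for anyone running ClamAV, whether inside a Cisco product or on a mail gateway, is which installed versions still carry the bug and whether the archive-scanning path the advisory names as the trigger is switched on. The script below is an added illustration of that inventory check; it is not code from the article, from Cisco or from the ClamAV project. It parses the banner printed by `clamscan --version` (or returned by clamd’s VERSION command) and compares it against the patched releases ClamAV shipped for this issue (0.103.8, 0.105.2 and 1.0.1), treating end-of-life branches such as 0.104.x, which received no fix, as vulnerable. It also reads a clamd.conf to report whether `ScanArchive` is on, which defaults to yes when absent. All version banners and configuration text in the block are constructed samples.

```python
"""Inventory check for the ClamAV HFS+ parser flaw (CVE-2023-20032).

Added illustration, not code from the article or from Cisco/ClamAV.
Version banners and clamd.conf text below are constructed samples.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases per branch (ClamAV's February 2023 security releases).
FIXED: Dict[Tuple[int, int], Version] = {
    (0, 103): (0, 103, 8),
    (0, 105): (0, 105, 2),
    (1, 0): (1, 0, 1),
}
# 1.1.0 and later were released after the fix and never shipped the bug.
FIRST_CLEAN_BRANCH = (1, 1)

BANNER_RE = re.compile(r"ClamAV\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Version:
    """Extract (major, minor, patch) from a ClamAV version banner.

    Accepts both the clamscan form "ClamAV 0.105.1/26823/Wed Feb 15 ..."
    and the bare "ClamAV 1.0.0" reply from clamd.  Raises ValueError when
    no version is present so an odd banner is never silently treated as safe.
    """
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no ClamAV version in banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a version as 'fixed', 'vulnerable' or 'unaffected'."""
    branch = version[:2]
    if branch >= FIRST_CLEAN_BRANCH:
        return "unaffected"
    fixed = FIXED.get(branch)
    if fixed is None:
        # e.g. 0.104.x: end-of-life at disclosure, no patched release exists.
        return "vulnerable"
    return "fixed" if version >= fixed else "vulnerable"


def archive_scanning_enabled(clamd_conf: str) -> bool:
    """Return True if clamd.conf leaves archive scanning on.

    ScanArchive defaults to yes when absent; the last occurrence wins.
    Comment and blank lines are skipped.
    """
    enabled = True
    for raw in clamd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0] == "ScanArchive" and len(parts) == 2:
            enabled = parts[1].strip().lower() in ("yes", "true", "1")
    return enabled


def report(banner: str, clamd_conf: str = "") -> str:
    """One-line finding: patch status plus archive-scanning exposure."""
    status = assess(parse_version(banner))
    exposure = "on" if archive_scanning_enabled(clamd_conf) else "off"
    return f"{status} (archive scanning {exposure})"


def local_banner() -> Optional[str]:
    """Run `clamscan --version` on this host; None if clamscan is absent."""
    try:
        proc = subprocess.run(["clamscan", "--version"], capture_output=True,
                              text=True, check=True)
        return proc.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Constructed samples standing in for hosts in an inventory.
    SAMPLE_CONF = "# constructed clamd.conf\nLogFile /var/log/clamd.log\nScanArchive yes\n"
    for banner in ("ClamAV 0.105.1/26823/Wed Feb 15 08:05:37 2023",
                   "ClamAV 1.0.0", "ClamAV 0.104.4", "ClamAV 1.0.1"):
        print(f"{banner:<48} -> {report(banner, SAMPLE_CONF)}")
    live = local_banner()
    if live:
        print(f"this host: {report(live)}")
```

Run it as-is to see the constructed samples classified, or feed `report()` the banner and clamd.conf collected from each host by your configuration-management tooling. The `ScanArchive` reading only describes exposure; it is not a vendor-stated workaround, and the fix is upgrading to a patched release.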
