
Cisco has deployed security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices.
This issue, tracked as CVE-2023-20032 (CVSS score: 9.8), is a remote code execution flaw in the HFS+ file parser component.
This vulnerability affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Simon Scannell, an engineer at Google Security, is credited with discovering and reporting this bug.
In an advisory, Cisco Talos states, “This vulnerability is due to a missing buffer size check that could lead to a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device.”
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with the same privileges as the ClamAV scanning process or cause the process to crash, causing a denial of service (DoS) condition.
The networking equipment maker said the following products are vulnerable:
- Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints (Windows, macOS, and Linux)
- Secure Endpoint Private Cloud, and
- Secure Web Appliance, formerly Web Security Appliance
Cisco has also confirmed that the vulnerabilities do not affect its Secure Email Gateway (formerly Email Security Appliance) and Secure Email and Web Manager (formerly Security Management Appliance) products.
A remote information disclosure vulnerability in ClamAV’s DMG file parser (CVE-2023-20052, CVSS score: 5.3) has also been patched by Cisco and could be exploited by an unauthenticated remote attacker.
“This vulnerability is due to enabling XML entity substitution, which can lead to XML external entity injection,” Cisco said. “An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device.”
CVE-2023-20052 does not affect Cisco Secure Web Appliance. Both vulnerabilities are addressed in ClamAV versions 0.103.8, 0.105.2, and 1.0.1.
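To make the DMG issue concrete, here is an added illustration that is not code from the page or from ClamAV (whose DMG parser is C code that reads the trailer's XML plist with libxml2). It uses Python's standard expat binding as a stand-in for the real parser, and a constructed DMG-trailer-style plist whose external entity points at a file the script creates itself: the weak setting substitutes the entity's content into the parsed data, while the hardened setting rejects the document outright.

```python
import tempfile
from xml.parsers import expat

def plist_string_values(xml_bytes, substitute_external_entities):
    """Text of every <string> in a DMG-style XML plist. False (hardened):
    any external entity reference aborts the parse; True (the weak setting
    the advisory describes): the entity is resolved and spliced in."""
    parser = expat.ParserCreate()
    values, buf, tag = [], [], [None]  # tag[0] = element currently open
    def start(name, attrs):
        tag[0] = name
        buf.clear()
    def end(name):
        if name == "string":
            values.append("".join(buf))
        tag[0] = None
    def chars(data):
        if tag[0] == "string":
            buf.append(data)
    def external_ref(context, base, system_id, public_id):
        if not substitute_external_entities:
            return 0  # expat turns this into ExpatError; nothing is fetched
        # Weak path: read the SYSTEM id as a local file and parse it as entity
        # content with a child parser that inherits these handlers.
        with open(system_id, "rb") as fh:
            parser.ExternalEntityParserCreate(context).Parse(fh.read(), True)
        return 1
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(xml_bytes, True)
    return values

def demo():
    """Constructed DMG-trailer-style plist whose <!ENTITY> names a file made here."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt") as probe:
        probe.write("constructed-probe-content")
        probe.flush()
        plist = f"""<?xml version="1.0"?><!DOCTYPE plist [ <!ENTITY ext SYSTEM "{probe.name}"> ]>
<plist version="1.0"><dict><key>resource-fork</key><dict><key>blkx</key><array>
<dict><key>Name</key><string>Apple_HFS &ext;</string></dict></array></dict></dict></plist>""".encode()
        weak = plist_string_values(plist, True)
        try:
            hardened = plist_string_values(plist, False)
        except expat.ExpatError as exc:
            hardened = f"rejected: {exc}"
    return {"weak": weak, "hardened": hardened}
```

Running demo() shows the partition name carrying the probe file's contents under the weak setting, and an ExpatError ("error in processing external entity reference") under the hardened one, which is the behaviour a scanner handling untrusted archives should have.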
Cisco has also addressed a denial-of-service (DoS) vulnerability (CVE-2023-20014, CVSS score: 7.5) affecting Cisco Nexus Dashboard, as well as two flaws in the Email Security Appliance (ESA) and Secure Email and Web Manager (CVE-2023-20009 and CVE-2023-20075, CVSS score: 6.5).