High-Severity ClamAV Vulnerabilities Expose Systems to Remote DoS Attacks

Multiple high-severity vulnerabilities have been disclosed in the ClamAV antivirus engine maintained by Cisco. A remote attacker can use them to crash the scanning process and cause a denial-of-service (DoS) condition on affected hosts. The flaws affect Cisco Secure Endpoint Connector deployments on Windows, Linux, and macOS.

ClamAV is an open-source antivirus engine widely used to detect malware and other malicious content. The vulnerabilities stem from improper memory handling, missing bounds checks, and poor resource management in several of ClamAV's file-format parsers, including those for PE, FSG, 7z, InstallShield, PESpin, ALZ, and DMG. No authentication is required: an attacker crafts a malformed file in one of these formats and gets it onto the endpoint through email, a web download, or a file share. When ClamAV scans the file, the parser can crash the engine, producing a DoS condition.

The impact varies by platform because of the privileges the scanner runs with. On Windows, the ClamAV scanning process operates with elevated privileges, so a crash triggered by a malicious file is more likely to destabilize the endpoint itself; Cisco therefore rates the vulnerabilities High (CVSS 7.5) on Windows. On Linux and macOS, ClamAV typically runs under a dedicated low-privilege account, so exploitation disrupts scanning but is less likely to affect the rest of the system, and the severity on those platforms is rated Medium.
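The platform difference above comes down to whether the scanning daemon drops privileges. On Linux and macOS this is controlled by the `User` directive in clamd.conf: when it is set, clamd switches to that account after start-up; when it is absent, clamd keeps the privileges of whatever started it, which for a system service is usually root. The following check is an added example written for this article, not code from the ClamAV project or from Cisco. It parses the directive out of a config, compares a weak and a hardened configuration, and can be pointed at an installed file; the two configs are constructed here and the default path /etc/clamav/clamd.conf is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example: check whether a clamd.conf drops privileges via the User directive.
# The sample configs below are constructed for illustration, not taken from a real host.

# Weak: the directive is present but commented out, so clamd never switches user.
WEAK_CONF='LogFile /var/log/clamav/clamd.log
LocalSocket /run/clamav/clamd.ctl
#User clamav
'

# Hardened: clamd drops to the dedicated clamav account after start-up.
HARDENED_CONF='LogFile /var/log/clamav/clamd.log
LocalSocket /run/clamav/clamd.ctl
User clamav
'

# clamd_user CONFIG_TEXT
# Prints the effective User directive (the last uncommented one wins).
# Prints "root" when none is set: clamd then keeps the privileges of the
# account that started it, which for a service started by init is root.
clamd_user() {
    user=$(printf '%s\n' "$1" | awk '$1 == "User" { u = $2 } END { print u }')
    if [ -z "$user" ]; then
        echo root
    else
        echo "$user"
    fi
}

# clamd_runs_unprivileged CONFIG_TEXT
# Succeeds (exit 0) only if the scanner drops to a non-root account.
clamd_runs_unprivileged() {
    [ "$(clamd_user "$1")" != root ]
}

# check_conf_file [PATH]
# Applies the check to an installed configuration. The default path is an
# assumption; Debian-style packages use /etc/clamav/clamd.conf, others differ.
check_conf_file() {
    conf="${1:-/etc/clamav/clamd.conf}"
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 2
    fi
    text=$(cat "$conf")
    if clamd_runs_unprivileged "$text"; then
        echo "ok: clamd drops privileges to $(clamd_user "$text")"
        return 0
    fi
    echo "warning: no active User directive in $conf; clamd keeps the privileges of the account that starts it"
    return 1
}
```

Run `check_conf_file` with no argument on a host, or pass the path your package uses. A warning does not by itself mean the host is exploitable for more than a scanner crash, but it means a parser crash happens in a root-owned process, which is exactly the condition the advisory treats as the higher-impact case.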

Cisco states that Secure Endpoint Private Cloud itself is not vulnerable, but the connectors it distributes embed the affected ClamAV engine and must be updated. Cisco has released fixed connector versions for Windows, Linux, and macOS and recommends that affected customers move to them as part of their regular content and software update cycles.

Because ClamAV is embedded in many security products and its job is to parse untrusted input, parser bugs of this kind are directly reachable by anyone who can get a file onto a scanned endpoint. A crashed scanner also leaves the host without malware detection until the process is restarted, so the failure mode matters even where the system itself stays up. Organizations should prioritize updating their ClamAV deployments to close these DoS vectors and keep scanning coverage intact.