Cybersecurity researchers have recently disclosed a vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV that can allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. Here, we will discuss the details of this vulnerability, including the code pattern responsible for the issue, links to original references, and how the bug is triggered.
Details of the Vulnerability
The vulnerability (CVE-2025-20128) stems from an integer underflow in a bounds check that permits a heap buffer over-read. To trigger it, an attacker would submit a malicious file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could terminate the ClamAV scanning process, resulting in a DoS condition for the targeted device.
Code Snippet
The simplified code sample below illustrates the integer underflow and how it can lead to the heap buffer over-read (the "..." marks elided detail):
int ole2_decrypt(...) {
    ...
    // Integer underflow: wraps to a huge value if arr_offset > header_size
    unsigned int size = header_size - arr_offset;
    ...
    // Integer underflow: wraps to UINT_MAX if (size >> 2) == 0, i.e. size < 4
    size = (size >> 2) - 1;
    ...
    // Bounds check performed on the already-wrapped size
    if (size < arr_offset) {
        // Heap buffer over-read could occur here: size no longer reflects the bytes available
        memcpy(..., arr_offset, size);
    }
}
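As an added illustration (constructed for this write-up, not ClamAV's code), the following C model shows the two subtractions from the snippet wrapping on crafted header values, beside a hardened version that rejects inconsistent fields before subtracting and ties the header's claims to the bytes actually held in the buffer. The names header_size, arr_offset and buf_len are assumed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the size arithmetic discussed above; NOT ClamAV's code.
 * header_size and arr_offset stand for 32-bit fields read from the untrusted file. */

/* Unchecked arithmetic: returns the element count the two subtractions
 * produce, silently wrapping on underflow. */
uint32_t unchecked_count(uint32_t header_size, uint32_t arr_offset) {
    uint32_t size = header_size - arr_offset; /* wraps if arr_offset > header_size */
    size = (size >> 2) - 1;                   /* wraps to 0xFFFFFFFF if size < 4 */
    return size;
}

/* Hardened version: validate every operand before subtracting and bound the
 * header's claims by the bytes actually present (buf_len). Returns false when
 * the header fields are inconsistent; otherwise *count_out is a safe count. */
bool checked_count(uint32_t header_size, uint32_t arr_offset,
                   size_t buf_len, uint32_t *count_out) {
    if (header_size > buf_len)    return false; /* header claims more than we hold */
    if (arr_offset > header_size) return false; /* first subtraction would wrap */
    uint32_t avail = header_size - arr_offset;
    if (avail < 4)                return false; /* second subtraction would wrap */
    *count_out = (avail >> 2) - 1;  /* 4*count + 4 <= avail, so reads stay in bounds */
    return true;
}

/* Convenience wrapper for callers that only need an accept/reject decision. */
bool header_ok(uint32_t header_size, uint32_t arr_offset, size_t buf_len) {
    uint32_t unused;
    return checked_count(header_size, arr_offset, buf_len, &unused);
}

int main(void) {
    /* Constructed header values: a 2-byte region cannot hold a 4-byte entry. */
    printf("unchecked count: %u\n", unchecked_count(2, 0));        /* 4294967295 */
    printf("checked header:  %s\n", header_ok(2, 0, 16) ? "ok" : "rejected");
    return 0;
}
```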
For more information on this vulnerability, refer to the following resources:
1. Official CVE page
2. ClamAV Official OLE2 Documentation
3. Cisco's Advisory on ClamAV's Vulnerability
Patches and Fixes
Cisco, the company behind ClamAV, has released software updates to address this vulnerability (CVE-2025-20128). Affected users should update their ClamAV software to the latest version as soon as possible, since there are no known workarounds that adequately address this vulnerability.
Conclusion
The CVE-2025-20128 vulnerability in the OLE2 decryption routine of ClamAV is a serious security concern, as it can lead to a denial of service condition on affected devices. To protect against potential exploitation, users must ensure that they are running the latest version of ClamAV. By staying abreast of security developments and addressing vulnerabilities promptly, users can help safeguard their devices against attack.
Timeline
Published on: 01/22/2025 17:15:12 UTC