CVE-2013-7087

9.8 CRITICAL

📋 TL;DR

CVE-2013-7087 is a heap memory corruption vulnerability in ClamAV's WWPack file unpacking module. Attackers can exploit this by crafting malicious WWPack archives to execute arbitrary code or cause denial of service. All systems running ClamAV versions before 0.97.7 are affected.

💻 Affected Systems

Products:
  • ClamAV
Versions: All versions before 0.97.7
Operating Systems: Linux, Unix-like systems, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Any ClamAV installation with WWPack unpacking enabled (default configuration). Systems using ClamAV for email scanning, file upload scanning, or on-access scanning are particularly vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with root/system privileges leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case

Denial of service through antivirus service crashes, potentially disrupting email scanning and file processing systems.

🟢 If Mitigated

Limited impact with proper network segmentation and minimal privileges, though service disruption remains possible.

🌐 Internet-Facing: HIGH - ClamAV often processes untrusted files from email gateways and web uploads, making internet-facing instances prime targets.
🏢 Internal Only: MEDIUM - Internal systems still process potentially malicious files from internal sources, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code has been publicly available since 2013. The vulnerability requires only a malicious WWPack file to trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.97.7 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7087

Restart Required: Yes

Instructions:

1. Stop the ClamAV service: 'systemctl stop clamav' or equivalent.
2. Update ClamAV: 'apt-get update && apt-get install clamav' (Debian/Ubuntu) or 'yum update clamav' (RHEL/CentOS).
3. Update virus definitions: 'freshclam'.
4. Restart the ClamAV service: 'systemctl start clamav'.

🔧 Temporary Workarounds

Disable WWPack unpacking

Platform: Linux

Temporarily disable WWPack unpacking in the ClamAV configuration. ClamAV has no directive that turns off WWPack unpacking on its own: the unpacker runs as part of PE file scanning, so disabling it disables all PE analysis and loses most Windows malware detection. Treat this as a last resort until the 0.97.7 update can be applied.

Edit /etc/clamav/clamd.conf or equivalent
Add line: 'ScanPE no' (the 'ArchiveBlockEncrypted' directive only controls how encrypted archives are handled and has no effect on WWPack unpacking)
Restart clamd: 'systemctl restart clamav'

🧯 If You Can't Patch

  • Network segmentation: Isolate ClamAV servers from critical systems
  • Implement strict file upload restrictions and sandboxing for untrusted file processing

🔍 How to Verify

Check if Vulnerable:

Run: 'clamscan --version' and check if version is below 0.97.7

Check Version:

clamscan --version | head -1

Verify Fix Applied:

Run: 'clamscan --version' and confirm version is 0.97.7 or higher
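The version check above is easy to get wrong with a plain string comparison (0.103.2 sorts before 0.97.7 lexically). As an added example that is not part of this advisory, the POSIX shell below parses the first line of 'clamscan --version' and compares it field by field against 0.97.7; the sample version lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a ClamAV build predates
# the 0.97.7 fix for CVE-2013-7087 from the first line of `clamscan --version`.
FIXED_VERSION="0.97.7"

# Constructed sample lines in the real `clamscan --version` format
# ("ClamAV <version>/<sigdb version>/<sigdb date>"; the suffix may be absent).
SAMPLE_OLD="ClamAV 0.97.6/18012/Mon Dec  2 10:00:00 2013"
SAMPLE_NEW="ClamAV 0.103.2/26130/Thu Apr  1 12:30:00 2021"

# extract_version LINE: print the version number from a version line, or nothing.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B: exit 0 when A < B, comparing each dot-separated field as a
# number (0.103.2 is newer than 0.97.7; a plain string compare gets this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal: not older than the fixed version
    }'
}

# is_vulnerable LINE: exit 0 if the version in LINE is older than FIXED_VERSION,
# 1 if it is fixed, 2 if the line cannot be parsed.
is_vulnerable() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unrecognised version line: $1" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION"
}

# check_installed: audit the host by running the real binary (not run at load).
check_installed() {
    line=$(clamscan --version 2>/dev/null | head -1)
    if is_vulnerable "$line"; then echo "VULNERABLE: $line (fixed in $FIXED_VERSION)"; return 0; fi
    echo "not vulnerable or unrecognised: $line"; return 1
}
```

Call check_installed on the host to audit the installed build; the exit status (0 vulnerable, 1 otherwise) makes it usable from configuration-management or fleet-audit scripts.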

📡 Detection & Monitoring

Log Indicators:

  • ClamAV service crashes in system logs
  • Repeated clamd process restarts
  • Error messages mentioning WWPack or heap corruption

Network Indicators:

  • Unusual outbound connections from ClamAV servers
  • Large WWPack files being processed

SIEM Query:

source="clamav.log" AND ("crash" OR "segmentation fault" OR "heap corruption")
