CVE-2019-15961

7.5 HIGH

📋 TL;DR

This vulnerability in ClamAV allows remote attackers to cause denial of service by sending specially crafted email files that trigger inefficient MIME parsing, resulting in extremely long scan times. Systems running ClamAV versions 0.102.0, 0.101.4 and prior are affected when they process email files through ClamAV's email parsing module.

💻 Affected Systems

Products:
  • Clam AntiVirus (ClamAV)
Versions: 0.102.0, 0.101.4 and prior versions
Operating Systems: Linux, Unix-like systems, Windows (when running ClamAV)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using ClamAV's email parsing functionality. Systems not processing email files are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service where ClamAV scanning processes become unresponsive indefinitely, blocking all email scanning and potentially affecting dependent services.

🟠 Likely Case

Degraded performance and temporary service disruption as scanning processes consume excessive resources on affected systems.

🟢 If Mitigated

Minimal impact when proper network filtering is in place and updated ClamAV versions prevent exploitation.

🌐 Internet-Facing: HIGH - Email gateways and internet-facing systems processing incoming email are directly exposed to crafted payloads.
🏢 Internal Only: MEDIUM - Internal mail servers and systems scanning internal email could be affected if attackers gain internal access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted email file to trigger the inefficient parsing. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.102.1, 0.101.5

Vendor Advisory: https://bugzilla.clamav.net/show_bug.cgi?id=12380

Restart Required: Yes

Instructions:

1. Update ClamAV to version 0.102.1 or 0.101.5 or later.
2. Stop ClamAV services.
3. Install updated packages from your distribution's repository.
4. Restart ClamAV services.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable email scanning

all

Temporarily disable ClamAV's email parsing functionality if it is not required.

  • Edit clamd.conf and set ScanMail to no
  • Restart the clamd service

Rate limit email processing

all

Implement rate limiting on email processing to mitigate the DoS impact.

  • Configure the mail server to limit concurrent scans
  • Set MaxScanSize in clamd.conf

🧯 If You Can't Patch

  • Implement network filtering to block suspicious email attachments before they reach ClamAV
  • Monitor ClamAV process resource usage and implement automated restart thresholds

🔍 How to Verify

Check if Vulnerable:

Run 'clamscan --version' and check if version is 0.102.0, 0.101.4 or earlier

Check Version:

clamscan --version | head -1

Verify Fix Applied:

Confirm version is 0.102.1, 0.101.5 or later using 'clamscan --version'
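The version check above can be automated. The following shell script is an added example for this page (it is not from the advisory or the ClamAV project): it classifies the first line of 'clamscan --version' against the fix releases 0.102.1 and 0.101.5, treating everything below 0.101 as affected per "and prior versions"; the version lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or the ClamAV project.
# Classify a `clamscan --version` line against the CVE-2019-15961 fix
# releases (0.102.1 and 0.101.5). Versions below 0.101 are treated as
# affected, matching "0.101.4 and prior versions" above.
# Input looks like "ClamAV 0.102.0/25633/Tue Nov 26 12:45:00 2019".
# Prints "vulnerable" or "fixed"; returns 2 if the line cannot be parsed.
clamav_cve_2019_15961_status() {
    line=$1
    case $line in
        "ClamAV "[0-9]*) ;;
        *) echo "unrecognised version line: $line" >&2; return 2 ;;
    esac
    ver=${line#"ClamAV "}        # drop the product name
    ver=${ver%%/*}               # drop the signature DB version and build date
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # no patch component, e.g. "0.102"
    minor=${minor%%[!0-9]*}             # strip suffixes such as "-rc1"
    patch=${patch%%[!0-9]*}
    [ -n "$patch" ] || patch=0

    if [ "$major" -gt 0 ] || [ "$minor" -gt 102 ]; then
        status=fixed                    # 0.103 and later post-date the fix
    elif [ "$minor" -eq 102 ]; then
        [ "$patch" -ge 1 ] && status=fixed || status=vulnerable
    elif [ "$minor" -eq 101 ]; then
        [ "$patch" -ge 5 ] && status=fixed || status=vulnerable
    else
        status=vulnerable               # 0.100.x and older: "and prior versions"
    fi
    echo "$status"
}

# Check the locally installed scanner, if there is one on PATH.
check_installed_clamav() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not found" >&2; return 2; }
    clamav_cve_2019_15961_status "$(clamscan --version | head -n 1)"
}

if command -v clamscan >/dev/null 2>&1; then
    check_installed_clamav
fi
```

The script only compares version numbers; a distribution that backports the fix without bumping the version will still be reported as vulnerable, so check your vendor's changelog in that case.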

📡 Detection & Monitoring

Log Indicators:

  • Extended scan times for email files in ClamAV logs
  • High CPU usage by clamd processes
  • Process timeouts or crashes

Network Indicators:

  • Unusually large email attachments with specific MIME structures
  • Email files causing prolonged scanning

SIEM Query:

source="clamav" AND ("scan time" > 300 OR "timeout" OR "denial of service")

🔗 References