CVE-2021-1252
📋 TL;DR
This vulnerability in ClamAV's Excel macro parser allows remote attackers to cause denial of service by sending specially crafted Excel files. When exploited, it causes the ClamAV scanning process to enter an infinite loop and hang. Organizations using ClamAV versions 0.103.0 or 0.103.1 for email scanning, file upload scanning, or endpoint protection are affected.
💻 Affected Systems
- Clam AntiVirus (ClamAV)
📦 What is this software?
Clamav by Clamav
⚠️ Risk & Real-World Impact
Worst Case
Complete DoS of ClamAV scanning services across all affected systems, potentially disrupting email filtering, file upload processing, and malware detection capabilities.
Likely Case
Targeted DoS attacks against specific ClamAV instances, causing scanning delays and service degradation for affected systems.
If Mitigated
Minimal impact with proper network segmentation and updated versions, though scanning performance may still be affected during attack attempts.
🎯 Exploit Status
Exploitation requires only sending a crafted Excel file to a vulnerable ClamAV instance. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.103.2 or later
Vendor Advisory: https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
Restart Required: Yes
Instructions:
1. Download ClamAV 0.103.2 or later from clamav.net.
2. Stop ClamAV services.
3. Install the updated version.
4. Update virus definitions with 'freshclam'.
5. Restart ClamAV services.
🔧 Temporary Workarounds
Disable Excel macro scanning
Platform: Linux
Temporarily disable scanning of Excel XLM macro files to prevent exploitation. Note that 'ScanOLE2 no' turns off parsing of all OLE2 containers (Office documents), not only XLM macros, so detection of Office-based malware is reduced while the workaround is in place.
Edit clamd.conf and add: 'ScanOLE2 no'
Restart clamd: 'systemctl restart clamav-daemon'
Rate limit file scanning
Platform: all
Implement rate limiting on file uploads and email attachments to reduce DoS impact.
Configure rate limits in your web server/email gateway settings.
🧯 If You Can't Patch
- Implement network segmentation to isolate ClamAV instances from untrusted networks
- Deploy WAF or IPS rules to block or quarantine Excel files with suspicious characteristics
🔍 How to Verify
Check if Vulnerable:
Run 'clamscan --version'; the installation is vulnerable if the reported version is 0.103.0 or 0.103.1.
Check Version:
clamscan --version | grep ClamAV
Verify Fix Applied:
Run 'clamscan --version' and confirm the reported version is 0.103.2 or later.
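As an added example (not from the advisory or the ClamAV project), the POSIX shell functions below parse the banner printed by 'clamscan --version' and classify it against the version ranges stated above, which is handy for fleet-wide checks; the sample banner strings are constructed.

```shell
#!/bin/sh
# Classify a ClamAV version banner against CVE-2021-1252 (added example).
# Per the advisory above: 0.103.0 and 0.103.1 are vulnerable, 0.103.2 or later is fixed.
# Release lines older than 0.103 are not named by the advisory and are reported as such.

# Extract MAJOR.MINOR.PATCH from output such as
# "ClamAV 0.103.1/26140/Wed Apr 14 08:12:34 2021" (constructed sample banner).
clamav_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print exactly one of: vulnerable, fixed, other-branch, unknown
cve_2021_1252_status() {
    ver=$(clamav_version_from_banner "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }   # banner did not parse
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 0 ] && [ "$minor" -eq 103 ]; then
        # The affected branch: only the patch level decides.
        if [ "$patch" -ge 2 ]; then echo fixed; else echo vulnerable; fi
    elif [ "$major" -gt 0 ] || [ "$minor" -gt 103 ]; then
        echo fixed          # "0.103.2 or later" covers newer release lines
    else
        echo other-branch   # e.g. 0.102.x: not listed as affected by the advisory
    fi
}

# Live check on the local host, skipped when clamscan is not installed.
if command -v clamscan >/dev/null 2>&1; then
    banner=$(clamscan --version 2>/dev/null | head -n 1)
    echo "local ClamAV: ${banner:-<no banner>} -> $(cve_2021_1252_status "$banner")"
fi
```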
📡 Detection & Monitoring
Log Indicators:
- ClamAV process hanging or not responding
- High CPU usage by clamd process
- Scan timeouts in application logs
Network Indicators:
- Multiple Excel file uploads to scanning endpoints
- Unusual traffic patterns to ClamAV services
SIEM Query:
(source="clamav" AND ("hang" OR "timeout" OR "infinite loop")) OR (process_name="clamd" AND cpu_usage>90)