CVE-2021-1405

7.5 HIGH

📋 TL;DR

This vulnerability in ClamAV's email parsing module allows an unauthenticated remote attacker to cause a denial of service by sending a crafted email, crashing the scanning process. It affects ClamAV version 0.103.1 and all prior versions, impacting systems using ClamAV for email scanning.

💻 Affected Systems

Products:
  • Clam AntiVirus (ClamAV)
Versions: 0.103.1 and all prior versions
Operating Systems: Linux, Windows, macOS, BSD, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with ClamAV configured to scan emails; default installations with email scanning enabled are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service for ClamAV scanning, potentially disrupting email processing or antivirus protection on affected devices.

🟠 Likely Case: Temporary service disruption due to ClamAV process crashes, requiring manual restart or system recovery.

🟢 If Mitigated: Minimal impact if patched or workarounds applied, with only isolated crashes if exploitation occurs.

🌐 Internet-Facing: HIGH, as unauthenticated remote exploitation via email makes internet-facing systems vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM, as internal systems could be targeted via email but may have fewer exposure points.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves sending a crafted email, which is straightforward; no public proof-of-concept is known, but weaponization is likely due to the simplicity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.103.2

Vendor Advisory: https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html

Restart Required: Yes

Instructions:

1. Update ClamAV to version 0.103.2 or later using your package manager (e.g., 'apt-get update && apt-get upgrade clamav' on Debian/Ubuntu).
2. Restart the ClamAV service or system if necessary.

🔧 Temporary Workarounds

Disable email scanning (applies to: all)

Temporarily disable ClamAV's email parsing module to prevent exploitation. Edit the ClamAV configuration to remove or comment out email scanning options, e.g., in clamd.conf set 'ScanMail false'.

🧯 If You Can't Patch

  • Implement network filtering to block suspicious emails or restrict email sources.
  • Monitor ClamAV processes and set up automatic restart scripts to mitigate DoS impact.

🔍 How to Verify

Check if Vulnerable:

Check the ClamAV version with 'clamscan --version' or 'clamd --version'; if the version is 0.103.1 or earlier, it is vulnerable.

Check Version:

clamscan --version

Verify Fix Applied:

After patching, verify that the version is 0.103.2 or later using the same command, and test email scanning functionality.
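The version check above can be scripted so it is repeatable across a fleet. The following is an added example, not part of the advisory or of ClamAV itself: it parses the banner printed by `clamscan --version` / `clamd --version` (real format "ClamAV X.Y.Z/<signature-db>/<date>"), compares the dotted version numerically against the fixed release 0.103.2, and reports whether the host is still affected. The banner strings used for testing are constructed samples.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed ClamAV is
# at or below 0.103.1, i.e. affected by CVE-2021-1405, from its version banner.

FIXED_VERSION="0.103.2"   # first release carrying the fix, per the advisory

# Extract the dotted "X.Y.Z" from a banner such as
# "ClamAV 0.103.1/26130/Tue Apr 13 08:28:48 2021" (sample value is constructed).
clamav_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1.
# A plain string comparison would wrongly rank 0.103.10 below 0.103.2.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1;  exit }
        }
        print 0
    }'
}

# Succeeds (exit 0) when the banner shows a version older than FIXED_VERSION.
# Exit 2 means the banner could not be parsed and should be looked at by hand.
clamav_is_vulnerable() {
    ver=$(clamav_version_from_banner "$1")
    [ -n "$ver" ] || { echo "unrecognised banner: $1" >&2; return 2; }
    [ "$(version_cmp "$ver" "$FIXED_VERSION")" -lt 0 ]
}

# Stand-alone use: check the clamscan found on PATH, if any.
check_local_clamav() {
    if command -v clamscan >/dev/null 2>&1; then
        banner=$(clamscan --version)
        if clamav_is_vulnerable "$banner"; then
            echo "VULNERABLE: $banner (update to $FIXED_VERSION or later)"
        else
            echo "OK: $banner"
        fi
    else
        echo "clamscan not found on PATH; nothing to check" >&2
    fi
}

check_local_clamav
```

Run it on each mail gateway after patching; a "VULNERABLE" line means the package manager did not actually move the host to 0.103.2 or later (for example because a pinned or vendor-backported package is installed), which is exactly the case the "Verify Fix Applied" step is meant to catch.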

📡 Detection & Monitoring

Log Indicators:

  • Log entries indicating ClamAV process crashes, segmentation faults, or errors in email parsing modules.

Network Indicators:

  • Unusual email traffic patterns or spikes in email volume targeting ClamAV servers.

SIEM Query:

Example: 'source="clamav.log" AND ("crash" OR "segmentation fault" OR "NULL pointer")'
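The SIEM query above can be reproduced on a host that has no SIEM with plain grep. The following is an added example, not part of the advisory: it runs the page's indicator terms ("crash", "segmentation fault", "NULL pointer"), plus the systemd journal line emitted when a service is killed by SIGSEGV ("status=11/SEGV"), over a few constructed log lines and raises an alert when the count reaches a threshold. The sample lines are constructed for the example, not real ClamAV output.

```shell
#!/bin/sh
# Added example (not from the advisory): a grep-based equivalent of the SIEM
# query for ClamAV crash indicators, with a simple alerting threshold.

# Indicator terms from the advisory, plus the systemd journal SIGSEGV marker.
CRASH_PATTERN='crash|segmentation fault|null pointer|status=11/SEGV'

# Constructed sample log lines (clamd log format plus two journal lines).
SAMPLE_LOG=$(cat <<'EOF'
Tue Apr 13 09:01:02 2021 -> SelfCheck: Database status OK.
Tue Apr 13 09:02:15 2021 -> /var/spool/mail/in/msg001.eml: OK
Tue Apr 13 09:02:16 2021 -> /var/spool/mail/in/msg002.eml: OK
Apr 13 09:03:40 mx1 systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=11/SEGV
Apr 13 09:03:40 mx1 systemd[1]: clamav-daemon.service: Failed with result 'signal'.
Apr 13 09:03:41 mx1 clamd[1234]: Segmentation fault (core dumped)
Apr 13 09:03:45 mx1 watchdog[77]: clamd crash detected, restarting service
EOF
)

# Filter: print only the lines that match an indicator (reads stdin).
crash_indicator_lines() {
    grep -iE "$CRASH_PATTERN"
}

# Count matching lines in the log text passed as $1. grep -c prints 0 and exits
# non-zero when nothing matches, so the "|| true" keeps set -e callers alive.
count_crash_indicators() {
    printf '%s\n' "$1" | grep -icE "$CRASH_PATTERN" || true
}

# Succeeds when the number of indicator lines in $1 reaches threshold $2
# (default 1); wire this to a pager or ticket in a cron job.
should_alert() {
    [ "$(count_crash_indicators "$1")" -ge "${2:-1}" ]
}

# Stand-alone use: show the matches and the verdict for the sample log.
printf '%s\n' "$SAMPLE_LOG" | crash_indicator_lines
if should_alert "$SAMPLE_LOG" 2; then
    echo "ALERT: $(count_crash_indicators "$SAMPLE_LOG") crash indicators found"
else
    echo "no alert"
fi
```

In production, replace SAMPLE_LOG with `tail` of /var/log/clamav/clamd.log or `journalctl -u clamav-daemon` over the last few minutes; repeated SIGSEGV exits of the daemon while it is scanning inbound mail is the pattern this CVE would produce.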
