CVE-2022-20698

7.5 HIGH

📋 TL;DR

This vulnerability in ClamAV's OOXML parsing module allows remote attackers to crash the antivirus scanning process by sending specially crafted OOXML files. This causes a denial of service, potentially disrupting malware scanning capabilities. Affected users include anyone running vulnerable ClamAV versions for email filtering, file scanning, or web content inspection.

💻 Affected Systems

Products:
  • Clam AntiVirus (ClamAV)
Versions: 0.104.1 and earlier, 0.103.4 LTS and earlier
Operating Systems: All platforms running ClamAV
Default Config Vulnerable: ⚠️ Yes
Notes: Any ClamAV installation with OOXML parsing enabled (default) is vulnerable when processing Office Open XML files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete disruption of antivirus scanning services, allowing malware to pass through undetected while the service is down.

🟠

Likely Case

Temporary denial of service affecting ClamAV scanning processes, requiring service restart and potentially causing scanning backlogs.

🟢

If Mitigated

Minimal impact with proper network filtering and updated software, though scanning of malicious OOXML files might still trigger crashes.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation via crafted files makes internet-facing ClamAV instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems could still be targeted via email attachments or file uploads, but attack surface is more limited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Simple file delivery required, no authentication needed.

Exploitation requires delivering a crafted OOXML file to trigger the invalid pointer read.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.104.2 or 0.103.5 LTS

Vendor Advisory: https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html

Restart Required: Yes

Instructions:

1. Stop ClamAV services.
2. Update ClamAV to version 0.104.2 or 0.103.5 LTS using your package manager.
3. Update virus definitions with 'freshclam'.
4. Restart ClamAV services.

🔧 Temporary Workarounds

Disable OOXML parsing

Platform: all

Temporarily disable OOXML file scanning in ClamAV configuration:

1. Edit clamd.conf and add: ScanOLE2 false
2. Restart clamd service

Network filtering

Platform: all

Block or quarantine OOXML files at the network perimeter.

🧯 If You Can't Patch

  • Implement strict file upload filtering to block suspicious OOXML files
  • Monitor ClamAV process health and implement automatic restart on crash

🔍 How to Verify

Check if Vulnerable:

Run 'clamscan --version' and check if version is 0.104.1 or earlier, or 0.103.4 LTS or earlier

Check Version:

clamscan --version | head -1

Verify Fix Applied:

Confirm version is 0.104.2 or 0.103.5 LTS with 'clamscan --version'
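The version checks above are easy to get wrong by hand because the fix landed on two branches (0.104.2 and 0.103.5 LTS), so a 0.103.x build is not "older" than a vulnerable 0.104.1. The following POSIX shell functions are an added example, not part of this advisory or of ClamAV itself: they parse the first line of `clamscan --version` and classify the build. The example goes slightly beyond the page in treating 0.105 and later (and 1.x) as fixed, since those releases came after the patch; the `ClamAV X.Y.Z/...` output format is assumed from typical `clamscan --version` output.

```shell
#!/bin/sh
# Added example (not from the advisory or the ClamAV project).
# Classifies a ClamAV version line against the fixed releases for
# CVE-2022-20698: 0.104.2 and 0.103.5 LTS.
#
# clamav_is_vulnerable exit status:
#   0 = vulnerable (update needed)
#   1 = fixed or unaffected
#   2 = version line could not be parsed

# Extract "X.Y.Z" from a line such as
# "ClamAV 0.103.4/26423/Tue Jan 11 10:09:02 2022" (assumed output format).
clamav_parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/^ClamAV \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

clamav_is_vulnerable() {
    ver=$(clamav_parse_version "$1")
    if [ -z "$ver" ]; then
        return 2
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # 0.105+ and 1.x were released after the fix (assumption beyond the page).
    if [ "$major" -gt 0 ] || [ "$minor" -gt 104 ]; then
        return 1
    fi

    # The case arm's test result is the function's exit status:
    # 0 (true) means the build is in the vulnerable range.
    case "$minor" in
        104) [ "$patch" -lt 2 ] ;;   # 0.104.0 and 0.104.1 are vulnerable
        103) [ "$patch" -lt 5 ] ;;   # 0.103.0 .. 0.103.4 LTS are vulnerable
        *)   true ;;                 # 0.102 and older never received the fix
    esac
}

# Human-readable verdict for one version line.
clamav_report() {
    rc=0
    clamav_is_vulnerable "$1" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE: $1 (update to 0.104.2 or 0.103.5 LTS)" ;;
        1) echo "FIXED: $1" ;;
        *) echo "UNKNOWN: could not parse '$1'" ;;
    esac
}

# Typical use on a host with ClamAV installed:
#   clamav_report "$(clamscan --version | head -1)"
```

The branch-aware comparison is the point: a naive lexical or "is it below 0.104.2" comparison would flag 0.103.5 LTS as vulnerable and miss nothing on the 0.104 line, but it would also misclassify a patched LTS host in fleet inventories.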

📡 Detection & Monitoring

Log Indicators:

  • ClamAV process crashes
  • Segmentation fault errors in system logs
  • Scanning service stopped unexpectedly

Network Indicators:

  • Unusual OOXML file transfers to scanning servers
  • Multiple failed scan attempts

SIEM Query:

source="clamav" AND ("segmentation fault" OR "crash" OR "abnormal exit")
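For hosts that do not forward to a SIEM, the same log indicators can be applied locally with grep. The functions below are an added example, not part of this advisory: they match the crash indicators listed above (segmentation faults, the scanning daemon stopping unexpectedly) against syslog-style lines read from standard input. The sample lines are constructed for the example and follow typical kernel and systemd message shapes; they are not captured from a real incident.

```shell
#!/bin/sh
# Added example (not from the advisory). Applies the advisory's log
# indicators for a ClamAV crash to syslog-style lines on stdin.

# Print every line that looks like a clamd/ClamAV crash or unexpected stop.
# Exit status follows grep: 0 if at least one line matched, 1 otherwise.
clamav_crash_indicators() {
    grep -iE 'clam[^ ]*.*(segfault|segmentation fault|status=11/SEGV|main process exited|failed with result .signal|abnormal exit|crash)'
}

# Number of matching lines (always prints a number, even when it is 0).
clamav_crash_count() {
    clamav_crash_indicators | wc -l | tr -d ' '
}

# Constructed sample log, not a real capture: one healthy self-check,
# a kernel segfault record, two systemd lines for the dying unit, and
# the daemon starting again afterwards.
SAMPLE_LOG='Jan 11 10:09:02 mx1 clamd[1234]: SelfCheck: Database status OK.
Jan 11 10:12:45 mx1 kernel: clamd[1234]: segfault at 0000000000000010 ip 00007f3c1a2b3c4d sp 00007ffd11223344 error 4 in libclamav.so.9
Jan 11 10:12:45 mx1 systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=11/SEGV
Jan 11 10:12:46 mx1 systemd[1]: clamav-daemon.service: Failed with result '\''signal'\''.
Jan 11 10:15:00 mx1 clamd[1300]: clamd daemon 0.103.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)'

# Convenience wrapper used for the demonstration; returns the count.
clamav_sample_crash_count() {
    printf '%s\n' "$SAMPLE_LOG" | clamav_crash_count
}

# Typical use against a live host:
#   journalctl -u clamav-daemon --since today | clamav_crash_indicators
#   clamav_crash_count < /var/log/syslog
```

On the sample above the count is 3: the kernel segfault line and both systemd lines for the unit match, while the healthy self-check and the restart banner do not. A restart banner appearing shortly after a crash line is itself worth alerting on, since it means the scanner was unavailable in between.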
