CVE-2022-20770

8.6 HIGH

📋 TL;DR

A vulnerability in the CHM file parser of ClamAV allows an unauthenticated remote attacker to cause a denial of service condition on affected devices. A crafted Microsoft Compiled HTML Help (CHM) file can drive the parser into an infinite loop, so the scanning thread hangs and burns CPU rather than crashing. This affects ClamAV versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and earlier (which also covers the out-of-support 0.102 and older branches). Any deployment where ClamAV scans attacker-supplied files is exposed: libclamav identifies CHM files by their magic bytes, not by extension, and parses them whenever archive scanning is enabled, which is the default.

💻 Affected Systems

Products:
  • Clam AntiVirus (ClamAV)
Versions: 0.104.0 through 0.104.2 and LTS version 0.103.5 and earlier
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Any system where ClamAV scans untrusted input is exposed. CHM parsing needs no special configuration; it runs as part of the default archive scanning (ScanArchive yes). This includes mail gateways (clamav-milter, amavis), file servers, and web applications that submit uploads to clamd or shell out to clamscan.

📦 What is this software?

ClamAV is the open-source antivirus engine maintained by Cisco Talos. It ships as a library (libclamav) plus the clamd daemon, the clamscan command-line scanner, the clamdscan and clamav-milter clients and the freshclam signature updater, and is the scanner behind most open-source mail gateways and upload filters. libclamav unpacks dozens of container and document formats before matching signatures; the CHM (Microsoft Compiled HTML Help) unpacker is one of them and is the component affected here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Every clamd worker thread ends up stuck in the parser (each crafted file pins one thread until the scan time limit fires or the daemon is restarted), so scanning stops for everything queued behind it: mail is deferred or, with fail-open integrations, delivered unscanned, and upload pipelines stall. A single-process scanner (clamscan in a cron job or a CI step) simply never finishes.

🟠

Likely Case

A clamd scanning thread hangs at 100% CPU on the crafted file. Unless the stuck code path polls ClamAV's scan time limit (MaxScanTime, default 120000 ms), it stays stuck until the service is restarted; callers such as clamdscan or a milter see their own timeouts expire rather than an error from ClamAV.

🟢

If Mitigated

With a scan time limit configured, a watchdog that probes the scanner under a timeout, and the scanner isolated from the services that call it, a hang costs a few minutes of degraded scanning and one restart; nothing is exposed beyond availability.

🌐 Internet-Facing: HIGH - ClamAV often processes files from untrusted sources like email attachments or web uploads, making exploitation likely.
🏢 Internal Only: MEDIUM - Internal users could exploit if they can submit files to ClamAV scanners, but attack surface is smaller.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker only needs to get a crafted CHM file scanned: an email attachment, a web upload, or a file dropped on a scanned share. No authentication to ClamAV itself is involved, and the file needs no particular extension because libclamav recognises CHM by content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.104.3 and 0.103.6

Vendor Advisory: https://blog.clamav.net/

Restart Required: Yes

Instructions:

1. Check the currently installed engine: clamscan --version
2. Update via the package manager: apt update && apt install --only-upgrade clamav clamav-daemon (Debian/Ubuntu) or yum update clamav clamd (RHEL/CentOS with EPEL). There is no need to stop freshclam first; signature updates are unaffected by this bug.
3. Restart the daemon so the patched libclamav is actually loaded: systemctl restart clamav-daemon (Debian/Ubuntu) or the clamd unit on EPEL builds (clamd@scan). A package upgrade that does not restart clamd leaves the old, vulnerable code running in memory.
4. Verify the running daemon, not just the binary on disk: clamdscan --version queries clamd and should report 0.104.3+ or 0.103.6+ (any 0.105.x or 1.x release is also fixed). On standalone scanners, clamscan --version is sufficient.
5. If the distribution backported the fix without changing the upstream version string, confirm it from the package changelog (apt changelog clamav, or rpm -q --changelog clamav) by searching for CVE-2022-20770.

🔧 Temporary Workarounds

Bound the scan time

linux

ClamAV has a per-file scan time limit (MaxScanTime, in milliseconds, default 120000, available since 0.101). It is the control that actually addresses a parser that loops forever; lower it to the longest scan your workload legitimately needs.

Edit /etc/clamav/clamd.conf: MaxScanTime 60000
Restart ClamAV: systemctl restart clamav-daemon
For standalone scans use the equivalent option: clamscan --max-scantime=60000 <file>

Caveat: the limit is only enforced at points where the parser polls it, so treat it as a bound that usually helps, not a guarantee that this particular loop is interrupted. freshclam.conf holds no scanning options and needs no change.

Disable archive scanning (which includes CHM)

linux

CHM parsing has no switch of its own; it runs as part of archive scanning. Turning archives off stops the vulnerable parser from ever being reached, but also disables ZIP, RAR, 7z and every other container format, which is a large loss of detection. Use this only as a short-lived measure on a scanner that cannot be patched.

Edit /etc/clamav/clamd.conf and set: ScanArchive no
Restart ClamAV: systemctl restart clamav-daemon
The option ArchiveBlockEncrypted (renamed AlertEncrypted in 0.102) only controls whether encrypted archives are reported as detections; it has no effect on CHM parsing and does not belong in freshclam.conf at all.

Why file size limits do not help

linux

MaxFileSize stops ClamAV from opening files above a threshold, but the file that triggers this bug is tiny, so a limit such as 10M changes nothing. Keep size limits for their own reasons (memory use, scan time on large archives), but do not count them as a mitigation for CVE-2022-20770.

🧯 If You Can't Patch

  • Isolate the scanner: run clamd on its own host or container with a fixed MaxThreads and its own CPU budget, so a stuck scanner cannot starve the mail or upload service that calls it
  • Monitor for hangs, not only crashes: alert on clamd threads pinned at 100% CPU, on scan requests that exceed the caller's timeout, and on the ClamAV scan time limit firing, and restart the daemon from a watchdog that probes it under a timeout
  • Decide fail-open versus fail-closed for callers in advance (for clamav-milter this is the OnFail setting); a hung scanner otherwise silently becomes whichever behaviour the integration defaults to
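The watchdog the list above asks for, as an added example (not code from this advisory or from the ClamAV project): it streams the EICAR test file to clamd under a deadline, so a hung scanner is caught even though the process is still alive. It assumes GNU coreutils timeout, a clamdscan configured for the local clamd, and a systemd unit named clamav-daemon (Debian/Ubuntu; EPEL builds use clamd@scan), all overridable through the variables at the top.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the ClamAV project:
# a liveness probe for clamd that catches a hung scanner, which a monitor
# that only watches for crashes would miss. Assumptions: GNU timeout(1),
# clamdscan configured for the local clamd, and a systemd unit named
# clamav-daemon (Debian/Ubuntu; EPEL builds use clamd@scan).

PROBE_TIMEOUT=${PROBE_TIMEOUT:-30}      # seconds; keep well below MaxScanTime
CLAMD_UNIT=${CLAMD_UNIT:-clamav-daemon}

# Translate the exit status of `timeout N clamdscan ...` into an action.
# clamdscan: 0 = clean, 1 = detection, 2 = error. timeout(1): 124 = deadline hit.
clamd_probe_action() {
    case "$1" in
        1)   echo ok ;;      # EICAR detected: the engine is scanning
        0)   echo nosig ;;   # scanned but missed EICAR: signature database problem
        124) echo hung ;;    # no answer before the deadline: a thread is probably stuck
        *)   echo error ;;   # clamd down, socket unreachable, permission error, ...
    esac
}

# Stream the EICAR test file to clamd under a deadline; print the resulting action.
clamd_probe() {
    tmp=$(mktemp) || { echo error; return 1; }
    # The EICAR string is single-quoted so the shell leaves $ and \ alone.
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$tmp"
    rc=0
    # --stream sends the bytes over the socket, so clamd's user need not read the temp file.
    timeout "$PROBE_TIMEOUT" clamdscan --stream --no-summary "$tmp" >/dev/null 2>&1 || rc=$?
    rm -f "$tmp"
    clamd_probe_action "$rc"
}

# One watchdog pass: probe, log, and restart only when the scanner is unusable.
clamd_watchdog_once() {
    action=$(clamd_probe)
    logger -t clamd-watchdog "probe result: $action"
    case "$action" in
        hung|error) systemctl restart "$CLAMD_UNIT" ;;
    esac
    echo "$action"
}

# Run from cron or a systemd timer every few minutes:
#   clamd_watchdog_once
```

Exit status 1 from clamdscan is the healthy result here, because the probe expects a detection. Note what the restart does not do: the stuck thread's input is still sitting in the mail queue or upload directory, and if the MTA retries it the fresh daemon hangs again, so pair the restart with quarantining whatever was being scanned when the probe timed out.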

🔍 How to Verify

Check if Vulnerable:

Run: clamscan --version | grep -E '^ClamAV 0\.(104\.[0-2]|103\.[0-5]|(10[0-2]|[1-9][0-9]?)\.[0-9]+)([^0-9]|$)' - if the version line is printed, the installed engine is vulnerable. The pattern covers 0.104.0 through 0.104.2, 0.103.0 through 0.103.5 and every older branch (0.102 and below), which a check for the 0.103 and 0.104 branches alone would miss. If a vendor backported the fix without changing the version string, check the package changelog instead (apt changelog clamav, or rpm -q --changelog clamav) for CVE-2022-20770.

Check Version:

clamscan --version

Verify Fix Applied:

Run: clamscan --version | grep -Ev '^ClamAV 0\.(104\.[0-2]|103\.[0-5]|(10[0-2]|[1-9][0-9]?)\.[0-9]+)([^0-9]|$)' - if the version line is printed, it is a fixed release (0.104.3+, 0.103.6+, any 0.105.x or 1.x). On clamd hosts repeat the check with clamdscan --version, which reports the version of the running daemon rather than the binary on disk, to confirm that the restart actually happened.
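The same check as a numeric comparison rather than a regex, added here as an example (not part of the original page or of ClamAV's tooling). It assumes the banner format that clamscan and clamdscan print, `ClamAV X.Y.Z/<sigdb>/<date>`, and classifies every branch: 0.104.0 through 0.104.2 and everything up to 0.103.5 are affected; 0.103.6+, 0.104.3+, 0.105.x and 1.x are fixed.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of ClamAV's own tools:
# decide whether a ClamAV version banner falls in the CVE-2022-20770 range.
# Affected: 0.104.0 through 0.104.2, and every release up to and including 0.103.5
#           (so the 0.102, 0.101, ... branches are all affected).
# Fixed:    0.104.3+, 0.103.6+, and every later feature release (0.105.x, 1.x).
# Assumes the banner format "ClamAV X.Y.Z/<sigdb>/<date>" printed by
# `clamscan --version` and `clamdscan --version`.

# Extract "X.Y.Z" from a banner such as "ClamAV 0.104.2/26540/Thu Apr 21 08:14:36 2022".
clamav_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = vulnerable, 1 = fixed, 2 = banner not recognised.
clamav_vulnerable_cve_2022_20770() {
    ver=$(clamav_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # 1.x and later postdate the fix.
    [ "$major" -eq 0 ] || return 1
    # 0.104 branch: only .0 through .2 are affected.
    if [ "$minor" -eq 104 ]; then
        [ "$patch" -le 2 ] && return 0 || return 1
    fi
    # Every branch older than 0.103 is affected ("0.103.5 and earlier").
    [ "$minor" -lt 103 ] && return 0
    # 0.103 branch: .0 through .5 are affected, .6+ is the LTS fix.
    if [ "$minor" -eq 103 ]; then
        [ "$patch" -le 5 ] && return 0 || return 1
    fi
    return 1   # 0.105 and later feature releases
}

# Check the engine installed on this host. Exit status mirrors the function above.
check_local_clamav() {
    banner=$(clamscan --version 2>/dev/null) || { echo "clamscan not found"; return 2; }
    rc=0
    clamav_vulnerable_cve_2022_20770 "$banner" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE to CVE-2022-20770: $banner" ;;
        1) echo "fixed release: $banner" ;;
        *) echo "could not parse version banner: $banner" ;;
    esac
    return "$rc"
}

# Usage: check_local_clamav   (run it again with clamdscan --version on clamd hosts)
```

Run it once against clamscan and once with the banner from clamdscan --version; the second tells you what the daemon actually loaded, which is what matters after an upgrade without a restart.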

📡 Detection & Monitoring

Log Indicators:

  • clamd scan results carrying the libclamav timeout error (the CL_ETIMEOUT message text is "Time limit reached"), which means MaxScanTime cut a scan short
  • Callers reporting their own timeouts against clamd (clamdscan, clamav-milter, amavis) while clamd itself logs nothing, which is what a hang looks like from outside
  • clamd worker threads at 100% CPU for minutes, and the scan queue backing up toward MaxThreads
  • Daemon crashes and repeated service restarts remain worth alerting on, but this bug hangs the process rather than killing it, so crash-only alerts will not fire

Network Indicators:

  • CHM files (ITSF magic bytes) arriving as mail attachments or uploads to systems that scan with ClamAV; match on content, since the extension is irrelevant to the parser
  • A spike in submissions to scanning endpoints, or many small files that each take a full scan timeout to complete

SIEM Query:

source="clamav" AND ("Time limit reached" OR "segmentation fault" OR "aborted" OR "timeout")

The query is in Splunk-style syntax; it only works if clamd's log is forwarded (LogFile or LogSyslog in clamd.conf) and, for the caller-side "timeout" matches, if the milter or upload service logs to the same source.
