CVE-2023-20197
📋 TL;DR
This vulnerability in ClamAV's HFS+ filesystem parser allows remote attackers to cause denial of service by submitting crafted HFS+ images. The scanning process enters an infinite loop, consuming system resources and stopping ClamAV from functioning. Any system running vulnerable ClamAV versions that scans untrusted files is affected.
💻 Affected Systems
- ClamAV
📦 What is this software?
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete DoS of ClamAV scanning service, potentially affecting dependent security services like email filtering or file scanning, with resource exhaustion impacting the entire system.
Likely Case
ClamAV scanning process hangs or crashes when processing malicious HFS+ images, requiring manual restart and causing temporary scanning disruption.
If Mitigated
Minimal impact with proper network segmentation and input validation preventing malicious files from reaching ClamAV scanners.
🎯 Exploit Status
Exploitation requires submitting a crafted HFS+ filesystem image to ClamAV for scanning, which can be done remotely if ClamAV processes external files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ClamAV 1.0.4, 1.2.2, or 1.3.0
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-rNwNEEee
Restart Required: Yes
Instructions:
1. Download the latest ClamAV version from clamav.net.
2. Stop ClamAV services.
3. Install the updated version.
4. Update virus definitions.
5. Restart ClamAV services.
🔧 Temporary Workarounds
Disable HFS+ parsing
Configure ClamAV to skip HFS+ filesystem image scanning
clamscan --exclude-type=hfsplus
Input filtering
Block or filter HFS+ image files before they reach ClamAV scanners
🧯 If You Can't Patch
- Implement network segmentation to restrict what files reach ClamAV scanners
- Monitor ClamAV processes for hangs/crashes and implement automatic restart mechanisms
🔍 How to Verify
Check if Vulnerable:
Check ClamAV version with 'clamscan --version' and compare to affected versions (prior to 1.0.4, 1.2.2, 1.3.0)
Check Version:
clamscan --version
Verify Fix Applied:
Verify version is 1.0.4, 1.2.2, 1.3.0 or later with 'clamscan --version'
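The version comparison above can be scripted so it runs the same way on every host. The following is an added example, not part of the advisory and not ClamAV project code; it assumes the banner printed by `clamscan --version` starts with "ClamAV X.Y.Z/" and classifies the version against the fix releases named above (1.0.4, 1.2.2, 1.3.0). Branches the advisory does not list are reported as unknown rather than guessed.

```shell
# Added example: classify a `clamscan --version` banner against the fixed
# releases 1.0.4, 1.2.2 and 1.3.0 named in the advisory.

# Print the X.Y.Z part of a "ClamAV X.Y.Z/<sigs>/<date>" line, or nothing.
clamav_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the version is below the fix for its branch (affected),
# 1 when it is a fixed release, 2 when the branch is not one the advisory lists.
clamav_vulnerable() {
    ver=$(clamav_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        1.0) [ "$patch" -lt 4 ] ;;
        1.2) [ "$patch" -lt 2 ] ;;
        *)
            # 1.3.0 and anything newer carries the fix; older branches the
            # advisory does not list (e.g. 0.103.x, 1.1.x) are reported unknown.
            if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 3 ]; }; then
                return 1
            fi
            return 2
            ;;
    esac
}

# On a live host, feed the installed scanner's banner to the check.
if command -v clamscan >/dev/null 2>&1; then
    banner=$(clamscan --version | head -n 1)
    clamav_vulnerable "$banner" && rc=0 || rc=$?
    case $rc in
        0) echo "AFFECTED: $banner" ;;
        1) echo "fixed: $banner" ;;
        *) echo "unknown branch, check manually: $banner" ;;
    esac
fi
```

The three-way result (affected, fixed, unknown) matters in fleet checks: an installed build from a branch the advisory does not cover should surface for manual review rather than silently pass.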
📡 Detection & Monitoring
Log Indicators:
- ClamAV process crashes
- Scanning timeouts
- Resource exhaustion alerts
- Repeated ClamAV service restarts
Network Indicators:
- Unusual HFS+ file submissions to scanning services
- Spike in scanning failures
SIEM Query:
source="clamav" AND (event="crash" OR event="timeout" OR "resource exhaustion")
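The log indicators listed above (process crashes, scanning timeouts, repeated service restarts) can be checked directly from the system journal where no SIEM is available. The following is an added example, not part of the advisory; it counts systemd crash, hang-kill and restart messages for an assumed unit name `clamav-daemon.service` and raises an alert when restarts exceed a threshold. The log lines are constructed for the example.

```shell
# Added example: count ClamAV crash/restart indicators in systemd journal
# lines and flag a restart burst. Unit name and threshold are assumptions.

# Constructed sample journal output (not real captured logs).
SAMPLE_LOG=$(cat <<'EOF'
Oct 10 08:31:02 mx1 systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=9/KILL
Oct 10 08:31:03 mx1 systemd[1]: clamav-daemon.service: Scheduled restart job, restart counter is at 1.
Oct 10 08:33:40 mx1 systemd[1]: clamav-daemon.service: State 'stop-sigterm' timed out. Killing.
Oct 10 08:33:41 mx1 systemd[1]: clamav-daemon.service: Scheduled restart job, restart counter is at 2.
Oct 10 08:36:12 mx1 systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=9/KILL
Oct 10 08:36:13 mx1 systemd[1]: clamav-daemon.service: Scheduled restart job, restart counter is at 3.
Oct 10 09:02:55 mx1 sshd[5012]: Accepted publickey for admin from 10.0.0.5 port 51234
EOF
)

# Number of automatic restarts of the scanner unit, read from stdin.
clamd_restart_count() {
    awk '/clamav-daemon\.service: Scheduled restart job/ { n++ } END { print n+0 }'
}

# Number of forced kills: crashes (killed main process) plus hung stops that
# systemd had to time out, read from stdin.
clamd_kill_count() {
    awk '/clamav-daemon\.service: (Main process exited, code=killed|State .stop-sigterm. timed out)/ { n++ } END { print n+0 }'
}

# Exit 0 (alert) when restarts in the given log text reach the threshold
# (default 5, an assumption to tune per site).
clamd_restart_alert() {
    threshold=${2:-5}
    n=$(printf '%s\n' "$1" | clamd_restart_count)
    [ "$n" -ge "$threshold" ]
}

# On a live host: examine the last hour of journal entries for the unit.
if command -v journalctl >/dev/null 2>&1; then
    recent=$(journalctl -u clamav-daemon.service --since "-1h" --no-pager 2>/dev/null || true)
    if clamd_restart_alert "$recent"; then
        echo "ALERT: clamav-daemon restarted $(printf '%s\n' "$recent" | clamd_restart_count) times in the last hour"
    fi
fi
```

Counting hung stops separately from outright crashes is deliberate: an infinite loop in the parser shows up as a stop that times out, not as a crash, so a crash-only rule would miss it.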