CVE-2023-20212
📋 TL;DR
A memory management logic error in ClamAV's AutoIt module allows remote attackers to cause denial of service by submitting crafted AutoIt files. This affects systems running vulnerable versions of ClamAV antivirus software, potentially disrupting scanning services.
💻 Affected Systems
- ClamAV
⚠️ Risk & Real-World Impact
Worst Case
Continuous exploitation could cause persistent DoS, preventing ClamAV from scanning files and potentially allowing malware to bypass detection during downtime.
Likely Case
Intermittent scanning process restarts causing temporary service disruption and potential scanning gaps.
If Mitigated
Minimal impact with proper network segmentation and monitoring to detect and block exploitation attempts.
🎯 Exploit Status
Exploitation requires submitting a crafted AutoIt file to ClamAV for scanning, which can be done remotely without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.4, 1.2.2, or 1.3.0
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-dos-FTkhqMWZ
Restart Required: Yes
Instructions:
1. Download the latest ClamAV version from official sources.
2. Stop the ClamAV service.
3. Install the updated version.
4. Restart the ClamAV service.
5. Verify the version with 'clamscan --version'.
🔧 Temporary Workarounds
Disable AutoIt scanning
Temporarily disable AutoIt file scanning in the ClamAV configuration:
- Edit clamd.conf: add 'ScanAutoIt no'
- Edit freshclam.conf: ensure AutoIt updates are disabled
Network filtering
Block AutoIt files at the network perimeter before they reach ClamAV:
- iptables -A INPUT -m string --string "AutoIt" --algo bm -j DROP
- Configure email/web gateways to block .au3 files
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to ClamAV services
- Deploy monitoring and alerting for ClamAV process restarts and unusual scanning patterns
🔍 How to Verify
Check if Vulnerable:
Run 'clamscan --version' and check whether the installed version is below the fixed release for its branch (1.0.4, 1.2.2, or 1.3.0).
Check Version:
clamscan --version
Verify Fix Applied:
Confirm with 'clamscan --version' that the version is 1.0.4, 1.2.2, or 1.3.0 or later, then test scanning AutoIt files.
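The version check above is branch-specific: a naive "below 1.3.0" comparison would wrongly flag the fixed 1.0.4 and 1.2.2 releases. The following script, added here as an illustration and not part of the advisory or of ClamAV, parses the output of 'clamscan --version' (assumed format "ClamAV 1.0.3/<db version>/<db date>") and compares per branch against the releases the advisory lists; branches the advisory does not name are reported as "unlisted".

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by release branch (major, minor).
# Anything at or above 1.3.0 is treated as fixed (the advisory's "1.3.0+").
FIXED_BY_BRANCH = {
    (1, 0): (1, 0, 4),
    (1, 2): (1, 2, 2),
}
FIXED_FROM = (1, 3, 0)

# Assumed output format of `clamscan --version`:
# "ClamAV 1.0.3/27084/Tue Aug 29 07:36:59 2023" (engine version, db version, db date).
_VERSION_RE = re.compile(r"ClamAV\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from clamscan --version output, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version: Tuple[int, int, int]) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for a parsed version."""
    if version >= FIXED_FROM:
        return "fixed"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # Branch not named in the advisory (e.g. 1.1.x): no listed fix exists,
        # so treat it as unpatched and consult the vendor advisory.
        return "unlisted"
    return "fixed" if version >= fixed else "vulnerable"


def check_installed() -> str:
    """Run clamscan --version on this host and assess the installed release."""
    out = subprocess.run(["clamscan", "--version"], capture_output=True,
                         text=True, check=True).stdout
    v = parse_version(out)
    if v is None:
        raise ValueError(f"could not parse a ClamAV version from: {out!r}")
    return f"ClamAV {'.'.join(map(str, v))}: {assess(v)}"


if __name__ == "__main__":
    print(check_installed())
```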
📡 Detection & Monitoring
Log Indicators:
- ClamAV process restarts in system logs
- Error messages related to AutoIt parsing in ClamAV logs
- Increased scanning failures for AutoIt files
Network Indicators:
- Unusual volume of AutoIt file transfers to systems running ClamAV
- Multiple scanning requests for AutoIt files from single sources
SIEM Query:
source="clamav" AND ("process restart" OR "AutoIt" OR "segmentation fault")