CVE-2024-24245
📋 TL;DR
A local privilege escalation vulnerability in ClamXAV's helper tool component allows attackers with local access to gain elevated privileges. This affects macOS users running ClamXAV antivirus software versions 3.1.2 through 3.6.1. The vulnerability requires local access to the system to exploit.
💻 Affected Systems
- ClamXAV
📦 What is this software?
ClamXAV by ClamXAV
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains root privileges, enabling complete system compromise, data theft, persistence mechanisms, and disabling of security controls.
Likely Case
Malicious local user or malware with user-level access escalates to administrative privileges to install additional malware, modify system configurations, or access protected data.
If Mitigated
With proper access controls and monitoring, exploitation attempts would be detected and contained before significant damage occurs.
🎯 Exploit Status
Local access required. Based on CWE-250 (Execution with Unnecessary Privileges), exploitation likely involves manipulating the helper tool to perform privileged operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.2
Vendor Advisory: https://www.clamxav.com/version-history/
Restart Required: Yes
Instructions:
1. Open the ClamXAV application.
2. Go to ClamXAV menu > Check for Updates.
3. Download and install version 3.6.2 or later.
4. Restart the system to ensure all components are updated.
🔧 Temporary Workarounds
Disable ClamXAV Helper Tool
Temporarily disable the vulnerable helper tool component while awaiting the patch
sudo launchctl unload /Library/LaunchDaemons/com.clamxav.clamxav-helper.plist
sudo rm /Library/PrivilegedHelperTools/com.clamxav.clamxav-helper
Remove ClamXAV
Uninstall ClamXAV completely if it is not essential
sudo /Applications/ClamXAV.app/Contents/Resources/uninstall.sh
🧯 If You Can't Patch
- Restrict local user access to affected systems, especially for untrusted users
- Implement strict privilege separation and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the ClamXAV version in the application > About ClamXAV. If the version is between 3.1.2 and 3.6.1 inclusive, the system is vulnerable.
Check Version:
defaults read /Applications/ClamXAV.app/Contents/Info.plist CFBundleShortVersionString
Verify Fix Applied:
Verify ClamXAV version is 3.6.2 or later in About ClamXAV dialog.
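The version check above can be scripted so it is repeatable across a fleet. The following is an added example (not ClamXAV's or the advisory's own tooling) that reads CFBundleShortVersionString straight from the app bundle's Info.plist with the standard-library plistlib rather than calling `defaults read`, compares it numerically against the affected range the advisory gives (3.1.2 through 3.6.1, fixed in 3.6.2), and also handles versions with more than three components or non-numeric suffixes. The install path and the embedded sample plist are assumptions constructed for the example.

```python
"""Added example: decide whether an installed ClamXAV build falls in the range
this advisory lists as affected by CVE-2024-24245 (3.1.2 .. 3.6.1 inclusive,
fixed in 3.6.2). Not vendor code; install path and sample plist are assumptions."""
import plistlib
from pathlib import Path
from typing import Optional, Tuple

# Range taken from the advisory.
FIRST_AFFECTED = "3.1.2"
LAST_AFFECTED = "3.6.1"
FIXED = "3.6.2"

# Assumed default install location; adjust if the app lives elsewhere.
INFO_PLIST = "/Applications/ClamXAV.app/Contents/Info.plist"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.6.1' into (3, 6, 1) so comparisons are numeric, not lexical
    ('3.10.0' must sort after '3.9.0'). A non-numeric suffix such as
    '3.6.1b2' is truncated at the first non-digit character of that component."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    while len(parts) < 3:          # pad so (3, 6) compares as (3, 6, 0)
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True if version lies within [FIRST_AFFECTED, LAST_AFFECTED]."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


def version_from_plist(plist_bytes: bytes) -> Optional[str]:
    """Extract CFBundleShortVersionString from the raw contents of an Info.plist."""
    data = plistlib.loads(plist_bytes)
    value = data.get("CFBundleShortVersionString")
    return str(value) if value is not None else None


def check_installed(plist_path: str = INFO_PLIST) -> str:
    """Human-readable verdict for the bundle whose Info.plist is at plist_path."""
    path = Path(plist_path)
    if not path.exists():
        return "ClamXAV not installed at the assumed path"
    version = version_from_plist(path.read_bytes())
    if version is None:
        return "Info.plist has no CFBundleShortVersionString"
    if is_vulnerable(version):
        return f"ClamXAV {version} is affected by CVE-2024-24245; update to {FIXED} or later"
    return f"ClamXAV {version} is outside the affected range"


# Constructed Info.plist standing in for a real bundle (not taken from the page).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleShortVersionString</key>
    <string>3.5.0</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(check_installed())
    sample = version_from_plist(SAMPLE_PLIST)
    print("sample plist:", sample, "vulnerable:", is_vulnerable(sample))
```

Run it as root-less user on each Mac (it only reads the bundle) and collect the verdict line; a non-zero number of "is affected" results is your patch backlog.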
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts in system logs
- ClamXAV helper tool executing with unexpected parameters
- sudo or authorization events related to ClamXAV processes
Network Indicators:
- None - local privilege escalation only
SIEM Query:
process_name:"clamxav-helper" AND (parent_process NOT IN ("ClamXAV", "launchd") OR command_line CONTAINS suspicious_parameters)
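The SIEM query above is pseudo-syntax; the following is an added example (not from the page or the ClamXAV project) that implements the same two conditions offline over constructed process-event records, so the logic can be tested before it is ported to a real query language. Field names (process_name, parent_process, command_line, user) and the sample events are assumptions; the expected parent set {ClamXAV, launchd} and the helper path come from the advisory. Because the page does not define "suspicious_parameters", this version treats any argument beyond the executable path that is not in a baseline of known-good launches as suspicious; the baseline is left empty as a placeholder and would be filled from your own telemetry.

```python
"""Added example: detection logic for unexpected clamxav-helper launches,
run over constructed JSON-lines process events. Not vendor code."""
import json
import shlex
from typing import Dict, Iterable, List, Set

HELPER_NAME = "clamxav-helper"
EXPECTED_PARENTS = {"ClamXAV", "launchd"}       # from the advisory's query

# Placeholder baseline of arguments seen in legitimate helper launches.
# Empty here (assumption), so any argument after argv[0] is flagged.
BASELINE_ARGS: Set[str] = set()

# Constructed sample telemetry; only the helper path is taken from the advisory.
SAMPLE_EVENTS = """\
{"ts":"2024-03-01T08:00:01Z","process_name":"clamxav-helper","parent_process":"launchd","command_line":"/Library/PrivilegedHelperTools/com.clamxav.clamxav-helper","user":"root"}
{"ts":"2024-03-01T08:05:17Z","process_name":"clamxav-helper","parent_process":"ClamXAV","command_line":"/Library/PrivilegedHelperTools/com.clamxav.clamxav-helper","user":"root"}
{"ts":"2024-03-01T09:12:44Z","process_name":"clamxav-helper","parent_process":"Terminal","command_line":"/Library/PrivilegedHelperTools/com.clamxav.clamxav-helper","user":"root"}
{"ts":"2024-03-01T09:13:02Z","process_name":"clamxav-helper","parent_process":"ClamXAV","command_line":"/Library/PrivilegedHelperTools/com.clamxav.clamxav-helper --unexpected-arg","user":"root"}
{"ts":"2024-03-01T09:14:00Z","process_name":"clamd","parent_process":"launchd","command_line":"/usr/local/bin/clamd","user":"root"}
"""


def parse_events(text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unexpected_args(command_line: str, baseline: Set[str]) -> List[str]:
    """Arguments after argv[0] that are not in the baseline.
    A command line with unbalanced quotes cannot be tokenised, so the whole
    string is returned as a single anomalous token rather than silently skipped."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return [command_line]
    return [a for a in argv[1:] if a not in baseline]


def detect(events: Iterable[Dict], baseline: Set[str] = BASELINE_ARGS) -> List[Dict]:
    """Return one alert per helper launch that has an unexpected parent process
    or arguments outside the baseline (the two branches of the SIEM query)."""
    alerts = []
    for ev in events:
        if ev.get("process_name") != HELPER_NAME:
            continue
        reasons = []
        parent = ev.get("parent_process", "")
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent process {parent!r}")
        extra = unexpected_args(ev.get("command_line", ""), baseline)
        if extra:
            reasons.append(f"arguments outside baseline: {extra}")
        if reasons:
            alerts.append({"ts": ev.get("ts"), "reasons": reasons, "event": ev})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert["ts"], "; ".join(alert["reasons"]))
```

On the sample data the launchd- and ClamXAV-parented launches with no extra arguments pass, the Terminal-parented launch and the one carrying an unrecognised argument are alerted, and the unrelated clamd event is ignored. Populate BASELINE_ARGS from a window of known-good launches before enabling the argument branch in production, otherwise every routine launch that carries arguments will alert.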