According to Cisco, there is no proof that this vulnerability has been actively exploited.
A significant vulnerability in Cisco’s ClamAV open source antivirus programme has been patched. With a CVSSv3 ‘critical’ rating of 9.8 and tracked as CVE-2023-20032, Cisco warned the weakness might allow remote code execution on susceptible devices. Versions 1.0.0 and earlier, 0.105.1 and prior, and 0.103.7 were discovered to be affected by the problem.
The ClamAV HFS+ file parser issue, according to a Cisco advisory published on February 15, might allow an “unauthenticated, remote attacker to execute arbitrary code” with the same rights as ClamAV’s scanning process. The business stated that the flaw may also cause a denial of service (DoS) scenario by crashing this process.
Cisco acknowledged that the vulnerability might put a number of products at risk. For endpoints, this applies to Secure Endpoint, formerly known as Advanced Malware Prevention (AMP). Linux, macOS, and Windows users are all impacted.
Also affected are Cisco’s Secure Endpoint Private Cloud and Secure Web Appliance, formerly known as Web Security Appliance. The business emphasised that other important products, such as its Secure Email Gateway and Secure Email and Web Manager, are unaffected by the vulnerability. No evidence suggests that the flaw has been actively used in the wild as of yet. To reduce risk, Cisco advised users to apply patches right away.
ClamAV is an open source antivirus programme that offers consumers antimalware security. The engine provides a variety of anti-virus options, such as endpoint security, email and web scanning, and so on.
According to Slintel statistics, ClamAV is utilised by more than 300 businesses worldwide. Although the engine was initially created for Unix, there are third-party versions available for users of other operating systems, including macOS, Linux, and Microsoft Windows.
“This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write,” the company said. “An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device.”
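The bug class Cisco describes (a file-controlled length copied into a fixed-size heap buffer without a size check) is illustrated below with a deliberately simplified, hypothetical length-prefixed name field. This is an added example, not ClamAV's HFS+ parser code; the field layout, the `NAME_CAP` buffer size and the function names are assumptions made for the illustration. The unchecked parser shows the defect pattern; the checked parser shows the two bounds a defender wants to see before any copy from untrusted file data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical on-disk field (assumption, not the real HFS+ layout):
 * one byte of declared length followed by that many bytes of name.
 * Many filesystem formats carry length-prefixed strings like this. */
#define NAME_CAP 32   /* fixed heap buffer size the parser allocates */

/* Vulnerable pattern: trusts the declared length taken from the file and
 * copies it into a fixed-size heap buffer. A file declaring a length
 * greater than NAME_CAP produces a heap buffer overflow write, which is
 * the defect class the advisory quoted above describes. */
char *parse_name_unchecked(const uint8_t *in, size_t in_len) {
    if (in_len < 1) return NULL;
    uint8_t declared = in[0];
    char *name = malloc(NAME_CAP + 1);
    if (!name) return NULL;
    memcpy(name, in + 1, declared);   /* no check against NAME_CAP or in_len */
    name[declared] = '\0';            /* also out of bounds when declared > NAME_CAP */
    return name;
}

/* Hardened pattern: the declared length must fit both the destination
 * buffer and the bytes actually present in the input. On rejection it
 * returns NULL and reports a code in *err so the caller can fail closed. */
char *parse_name_checked(const uint8_t *in, size_t in_len, int *err) {
    *err = 0;
    if (in_len < 1) { *err = 1; return NULL; }                 /* no length byte */
    uint8_t declared = in[0];
    if (declared > NAME_CAP) { *err = 2; return NULL; }        /* would overflow heap buffer */
    if ((size_t)declared > in_len - 1) { *err = 3; return NULL; } /* would read past input */
    char *name = malloc(NAME_CAP + 1);
    if (!name) { *err = 4; return NULL; }
    memcpy(name, in + 1, declared);
    name[declared] = '\0';
    return name;
}

/* Convenience wrapper: parse with the checked routine, copy the result
 * into a caller buffer, and return 0 on success or the rejection code. */
int check_name_field(const uint8_t *in, size_t in_len, char *out, size_t out_cap) {
    int err;
    char *n = parse_name_checked(in, in_len, &err);
    if (!n) return err;
    snprintf(out, out_cap, "%s", n);
    free(n);
    return 0;
}

int main(void) {
    /* Constructed inputs: a benign field and one declaring a length (200)
     * far larger than the 32-byte heap buffer. Only the checked parser is
     * run here; the unchecked one is shown for contrast. */
    const uint8_t benign[] = {5, 'M', 'a', 'c', 'H', 'D'};
    uint8_t oversized[201];
    oversized[0] = 200;
    memset(oversized + 1, 'A', 200);
    char buf[64];
    printf("benign    -> %d (%s)\n", check_name_field(benign, sizeof benign, buf, sizeof buf), buf);
    printf("oversized -> %d\n", check_name_field(oversized, sizeof oversized, buf, sizeof buf));
    return 0;
}
```

The second check (`declared > in_len - 1`) matters as much as the first: a length that fits the heap buffer but exceeds the remaining file bytes turns the copy into an out-of-bounds read, so a parser of untrusted files needs both bounds, and a scanner should treat either failure as a reason to stop parsing that file rather than continue with partial data.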
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” the firm said.