Information about the ClamAV update

Release date: 2023-02-24

This update affects the IMPEX station. The update fixes two security issues in the ClamAV engine (1 2), CVE-2023-20032 and CVE-2023-20052. As far as we know there are no publicly known weaponized exploits for these vulnerabilities.

Overview

We evaluated the vulnerabilities in the context of the IMPEX product and decided we need to make an out-of-bound update, pulling in the upstream update ahead of the regular patch cycle to limit exposure for our customers. The upstream package fix was released 2023-02-23 which we immediately started testing.

Customer action

No customer action is needed, all systems will pull down updates automatically and apply them every night as well as restart necessary processes.

Details

The sandbox for ClamAV that comes with CentOS is locking down file system access but still allows for network traffic. This will be addressed in the upcoming IMPEX 3.4 release by locking it down further, including turning off all network access. Until then we limit the vulnerable window by releasing this interim release. The worst case scenario for this bug would be someone scanning a USB drive with a malicious crafted HFS+ image on it that exploited the clamd process and then continued to exfiltrate all scanned files through the network. Since it cannot gain file system access it cannot gain persistence and would lose foothold during the nightly reboot.

  1. https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html 

  2. https://github.com/google/security-research/security/advisories/GHSA-r6g3-3wqj-m3c8