
ClamAV (Clam AntiVirus)

Product
Developers: Cisco Systems, Sourcefire
Last Release Date: 2023/02/17
Technology: Information Security - Antiviruses


Main article: Antiviruses

ClamAV is an open source, cross-platform antivirus engine used primarily to scan mail on public mail servers.

2025: Two critical vulnerabilities identified that allow taking control of the system

Two critical vulnerabilities were discovered in the ClamAV antivirus engine (CVE-2025-20260 and CVE-2025-20234), allowing attackers to gain control over the system or even disable it. This was announced on June 20, 2025 by representatives of the Gazinformservice company.

"In recent years, vulnerabilities in popular antivirus engines have become an increasingly serious threat to organizations, and the situation with ClamAV is no exception. Both identified vulnerabilities in this version of ClamAV can have critical consequences for security," explained Ekaterina Edemskaya, an analyst engineer at Gazinformservice. "The first of them, CVE-2025-20260, allows an attacker to cause a buffer overflow through incorrectly processed PDF files if the antivirus is configured to scan large files. The second vulnerability, CVE-2025-20234, although less critical on the CVSS scale (5.3), can lead to a denial of service (DoS) when processing UDF files."

The expert emphasized that an attack via CVE-2025-20260 can only succeed under specific settings, which are often found in corporate and high-performance environments. This makes the vulnerability especially dangerous for organizations working with large volumes of data, such as archives or e-mail attachments.

Edemskaya noted that through the second vulnerability, CVE-2025-20234, an attacker can send a specially prepared UDF file that will cause the scan process to crash and weaken the overall security of the system. Although the vulnerability does not provide remote code execution, it can significantly affect operations, especially where ClamAV is used as the main means of protection when working with large volumes of data.

2023: Identification of the CVE-2023-20032 and CVE-2023-20052 vulnerabilities

On February 17, 2023, it became known that two dangerous holes had been identified in Cisco's free ClamAV antivirus package. With their help, an attacker can steal any files from the victim's computer or execute arbitrary code on it. Physical access to the machine is not required: the "holes" can be exploited remotely. Both vulnerabilities were discovered by information security researcher Simon Scannell of Google.

As reported, the holes were closed by Cisco specialists in ClamAV versions 1.01, 0.150.3 and 0.103.8. Updated builds of the program can be downloaded from the official website of the project.


The first of the vulnerabilities discovered by the researchers is tracked as CVE-2023-20032; its severity was rated at 9.8 points out of 10 possible. According to information published on the Cisco portal, the flaw affects the HFS+ file parser.

HFS+ files contain disk images based on the HFS+ (Hierarchical File System Plus) file system developed by Apple and used in the macOS operating system.

To check such an image for malware, the antivirus must first "unpack" it, just as it does with archives such as ZIP or RAR.

ClamAV's HFS+ image parser, the antivirus module responsible for this "unpacking", contains a vulnerability that allows an attacker to execute arbitrary code.

The vulnerability was caused by the developers omitting a check on the size of a buffer in the heap. This allows an attacker to write outside the buffer and either execute code with the privileges of the ClamAV process or crash the process itself, putting the system in a denial-of-service (DoS) condition.

As Cisco explained, for this the attacker needs to deliver a specially crafted HFS+ file to the victim's system; an antivirus scan of that file triggers the attack.
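The bug class described in the preceding paragraphs, a length field taken from the scanned file and used to copy into a fixed-size heap buffer without a bounds check, shown as an added example that is not ClamAV's code and not the real HFS+ parser. The record layout, NODE_BUF_SIZE, the function names and the sample images are all assumptions constructed for illustration. The vulnerable form is placed beside a hardened form that validates the declared length against both the destination buffer (the heap-overflow case) and the number of bytes actually present in the image (the over-read case, which is the same missing-check class behind a scanner crash rather than code execution).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size heap buffer for one parsed node. Assumed toy value, not a ClamAV constant. */
#define NODE_BUF_SIZE 64

enum parse_status { PARSE_OK = 0, PARSE_BAD_LENGTH, PARSE_TRUNCATED, PARSE_OOM };

/* Assumed toy record layout (not the real HFS+ on-disk format): a 4-byte
 * big-endian "node length" field followed by that many node bytes. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the length read from the untrusted image is trusted and
 * used directly as the memcpy size into a NODE_BUF_SIZE heap allocation.
 * A declared length larger than NODE_BUF_SIZE writes past the end of the heap
 * buffer; a length larger than the image reads past its end. Kept only for
 * comparison and only ever called on the benign sample below. */
int parse_node_unchecked(const uint8_t *img, size_t img_len, uint8_t *first_byte) {
    if (img_len < 4) return PARSE_TRUNCATED;
    uint32_t node_len = read_be32(img);
    uint8_t *node = malloc(NODE_BUF_SIZE);
    if (!node) return PARSE_OOM;
    memcpy(node, img + 4, node_len);          /* no check against NODE_BUF_SIZE */
    if (first_byte) *first_byte = node[0];
    free(node);
    return PARSE_OK;
}

/* Hardened version: the declared length is validated against both the
 * destination buffer and the bytes actually present in the image before
 * any copy happens. */
int parse_node_checked(const uint8_t *img, size_t img_len, uint8_t *first_byte) {
    if (img_len < 4) return PARSE_TRUNCATED;
    uint32_t node_len = read_be32(img);
    if (node_len == 0 || node_len > NODE_BUF_SIZE) return PARSE_BAD_LENGTH;
    if (node_len > img_len - 4) return PARSE_TRUNCATED;   /* header claims more than the file holds */
    uint8_t *node = malloc(NODE_BUF_SIZE);
    if (!node) return PARSE_OOM;
    memcpy(node, img + 4, node_len);
    if (first_byte) *first_byte = node[0];
    free(node);
    return PARSE_OK;
}

/* Constructed sample images (not real HFS+ data). */
const uint8_t BENIGN_IMG[]    = { 0x00, 0x00, 0x00, 0x08, 'A','A','A','A','A','A','A','A' };
const uint8_t OVERSIZED_IMG[] = { 0x00, 0x00, 0x10, 0x00, 'B','B','B','B','B','B','B','B' }; /* claims 4096 bytes */
const uint8_t TRUNCATED_IMG[] = { 0x00, 0x00, 0x00, 0x20, 'C','C','C','C' };                 /* claims 32, holds 4 */

static const char *status_name(int s) {
    switch (s) {
    case PARSE_OK:         return "OK";
    case PARSE_BAD_LENGTH: return "rejected: declared length exceeds buffer";
    case PARSE_TRUNCATED:  return "rejected: declared length exceeds image";
    default:               return "error";
    }
}

int main(void) {
    uint8_t b = 0;
    printf("unchecked, benign:    %s (first byte %c)\n",
           status_name(parse_node_unchecked(BENIGN_IMG, sizeof BENIGN_IMG, &b)), b);
    printf("checked,   benign:    %s\n", status_name(parse_node_checked(BENIGN_IMG, sizeof BENIGN_IMG, NULL)));
    printf("checked,   oversized: %s\n", status_name(parse_node_checked(OVERSIZED_IMG, sizeof OVERSIZED_IMG, NULL)));
    printf("checked,   truncated: %s\n", status_name(parse_node_checked(TRUNCATED_IMG, sizeof TRUNCATED_IMG, NULL)));
    return 0;
}
```

The point of the two checks in parse_node_checked is that a single declared length must be bounded twice: by what the parser allocated (otherwise a write past the heap buffer) and by what the input actually contains (otherwise a read past the mapped file, which typically ends the scanning process). Running the unchecked variant on the oversized sample is deliberately left out of main, since that is undefined behaviour.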

The ClamAV blog also mentions another hole, CVE-2023-20052 (severity 5.3 points). Like CVE-2023-20032, it is related to the parsers and allows leaking any file on the machine that the ClamAV process has access to. This time, however, the parser of DMG image files is "to blame"; the DMG format is also used mainly in the macOS operating system. The attack begins by "feeding" the antivirus a specially crafted DMG file.[1]

2007: Acquisition of the project

In 2007, the project was bought from its key developers by Sourcefire, which in turn came under the control of Cisco in 2013.

Notes