ClamAV Not So Calm [CVE-2024-20328]

We discussed this vulnerability during Episode 243 on 19 February 2024

A pretty classic command injection vulnerability, but in ClamAV, which (in my experience) is often seen running on mail servers to scan incoming email attachments.

When a virus is detected clamd will execute a command:

VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"

Where %v is the identified virus name, and %f is the name of the file that was detected as a virus. In traditional form, clamd substitutes the two string parameters into the command without any sanitization of the filename at all, so including a ; within the filename can break out of the intended command and start a new shell command. While the issue isn’t very crazy, seeing it in an AV can be a little surprising, but these types of issues do exist even within security products, and dare I say security products often have poor security.
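To make the substitution behaviour concrete, here is an added Python example (written for this page, not ClamAV's own code or its patch). It uses a constructed clamd.conf line modelled on the one above but with the parameters left unquoted, expands %v and %f the unsafe way, tokenises the result as a POSIX shell would to count how many commands it now contains, and contrasts that with the general mitigation of substituting into an argv list that is executed without a shell. The filename containing a ; is a constructed sample; the defender-side metacharacter check is a hypothetical helper a mail gateway might use for logging or quarantine decisions.

```python
from __future__ import annotations

import shlex

# Constructed clamd.conf line modelled on the page's VirusEvent example.
# Parameters are unquoted so the substitution is easy to follow;
# %v and %f are the placeholders the page describes.
VIRUS_EVENT = "VirusEvent /usr/local/bin/notify %v %f"

# Shell control operators that start a new command.
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def command_template(config_line: str) -> str:
    """Strip the 'VirusEvent' keyword and return the command template."""
    keyword, _, template = config_line.partition(" ")
    if keyword != "VirusEvent":
        raise ValueError("not a VirusEvent line")
    return template.strip()


def expand_unsafe(template: str, virus: str, filename: str) -> str:
    """Vulnerable pattern: plain text substitution into a single string that is
    then handed to the shell. Whatever the filename contains is interpreted."""
    return template.replace("%v", virus).replace("%f", filename)


def shell_tokens(command_line: str) -> list[str]:
    """Tokenise a command line as a POSIX shell would, with control operators
    (; | & && ||) emitted as separate tokens."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def count_commands(command_line: str) -> int:
    """Number of simple commands the shell would run for this line."""
    return 1 + sum(1 for tok in shell_tokens(command_line) if tok in SHELL_SEPARATORS)


def build_safe_argv(template: str, virus: str, filename: str) -> list[str]:
    """Hardened pattern: tokenise the template first, then substitute inside
    each argv element. Executed with subprocess.run(argv) (no shell), the
    filename stays a single argument regardless of the characters in it."""
    return [arg.replace("%v", virus).replace("%f", filename) for arg in shlex.split(template)]


def has_shell_metacharacters(filename: str) -> bool:
    """Hypothetical defender-side check: flag attachment names a shell would
    not treat as plain text, so they can be logged or quarantined."""
    return any(ch in filename for ch in ';|&$`"\'\\\n<>()')


if __name__ == "__main__":
    virus = "Eicar-Test-Signature"
    benign = "report.pdf"                 # constructed sample
    hostile = "report.pdf; echo injected"  # constructed sample with a ;
    tmpl = command_template(VIRUS_EVENT)
    for name in (benign, hostile):
        line = expand_unsafe(tmpl, virus, name)
        print(f"unsafe : {line!r} -> {count_commands(line)} command(s)")
        print(f"safe   : {build_safe_argv(tmpl, virus, name)!r}")
        print(f"flagged: {has_shell_metacharacters(name)}")
```

The unsafe expansion of the hostile filename tokenises into two commands, whereas the argv version carries the whole filename as one element, so the shell never gets a chance to reinterpret it.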