On February 15, 2023, a new vulnerability was disclosed in ClamAV, the popular open-source antivirus engine. Tracked as CVE-2023-20052, it is specific to the DMG file parser in ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. The vulnerability allows an unauthenticated, remote attacker to read sensitive information from an affected device.

The Vulnerability

CVE-2023-20052 exists because the DMG parser parses the embedded XML with entity substitution enabled. That makes an XML External Entity (XXE) injection possible: a crafted document can declare an external entity pointing at a local file, and the parser will substitute its contents, so an attacker can leak bytes from any file readable by the ClamAV scanning process. The affected versions are ClamAV 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.

A minimal XML payload of the kind that triggers the issue looks like this:

<!DOCTYPE foo [
 <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<foo>&file;</foo>

Embedded in the XML property list of a crafted DMG file and scanned by a vulnerable ClamAV version, this payload makes the parser replace the &file; reference with the contents of /etc/passwd, so bytes of that file end up in the parsed data and can be leaked to the attacker. Any other file the scanning process can read works the same way.

Exploit Details

An attacker could exploit CVE-2023-20052 by building a DMG file whose XML payload contains an external entity declaration like the one shown above, and getting it scanned by ClamAV on an affected device (for example by sending it as an e-mail attachment or uploading it to a system that scans incoming files). If successful, the attacker can read data from any file that is readable by the ClamAV scanning process.
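The following is an added example, not ClamAV code and not the libxml2-based DMG parser itself: it reproduces the mechanism in Python's standard library so the effect of the entity-substitution setting can be seen side by side. It builds a plist-style XML blob with the same external-entity trick as the payload above, parses it once with external entity substitution enabled (the vulnerable configuration) and once with it disabled (the safe configuration), and also shows a pre-check that rejects any XML whose DTD declares an external entity, since a DMG property list never needs one. The secret file content, the entity name `leak`, and the element names are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample standing in for a file readable by the scanning
# process (such as /etc/passwd); test data, not a real account entry.
SAMPLE_SECRET = "svc-scanner:x:1001:1001::/var/lib/clamav:/usr/sbin/nologin\n"

# Plist-style XML as a DMG carries it, with an external entity declared in
# the internal DTD subset. Entity and element names are our own choice.
PAYLOAD_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY leak SYSTEM "file://{path}">
]>
<plist version="1.0">
  <dict>
    <key>resource-fork</key>
    <string>&leak;</string>
  </dict>
</plist>
"""


def build_payload(target_path):
    """Return the XML blob that references target_path as an external entity."""
    return PAYLOAD_TEMPLATE.format(path=target_path).encode("utf-8")


class _TextCollector(ContentHandler):
    """Collects all character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_plist(xml_bytes, substitute_entities):
    """Parse xml_bytes and return its character data as one string.

    substitute_entities=True mirrors a parser that resolves external
    general entities (the vulnerable configuration); False is the safe
    configuration, in which the reference is simply not resolved.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, substitute_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def declares_external_entities(xml_bytes):
    """Return True if the DTD declares any external (SYSTEM/PUBLIC) entity.

    A cheap pre-check to run before handing untrusted XML to a
    full-featured parser; expat reports every entity declaration through
    EntityDeclHandler, with system_id/public_id set for external ones.
    """
    found = []

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append(name)

    p = expat.ParserCreate()
    p.EntityDeclHandler = on_entity_decl
    try:
        p.Parse(xml_bytes, True)
    except expat.ExpatError:
        # A document that breaks after declaring an external entity is
        # still one we want to reject, so keep whatever was recorded.
        pass
    return bool(found)


def demo():
    """Run both parser configurations against a constructed secret file."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(SAMPLE_SECRET)
        secret_path = fh.name
    try:
        payload = build_payload(secret_path)
        leaked = parse_plist(payload, substitute_entities=True)
        safe = parse_plist(payload, substitute_entities=False)
        flagged = declares_external_entities(payload)
    finally:
        os.unlink(secret_path)
    return leaked, safe, flagged


if __name__ == "__main__":
    leaked, safe, flagged = demo()
    print("entity substitution ON :", repr(leaked.strip()))
    print("entity substitution OFF:", repr(safe.strip()))
    print("external entity declared:", flagged)
```

With substitution enabled the collected text contains the secret file's line; with it disabled the reference contributes nothing, and the pre-check flags the document before any parsing of content happens. The same split applies to libxml2-based code: whether external entities get expanded is a parser option, and a format that never legitimately uses them should be parsed with that option off.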

Original References

CVE-2023-20052 is recorded in the Common Vulnerabilities and Exposures (CVE) database: CVE-2023-20052

Additional information and details on the ClamAV scanning library vulnerability can also be found on the ClamAV's official website: ClamAV Versions Affected

Users and administrators running an affected version are advised to upgrade to a release containing the fix: ClamAV 1.0.1, 0.105.2 or 0.103.8, or any later version. The patched releases were published together with the disclosure.

To upgrade ClamAV, please follow the instructions found in ClamAV's official documentation: Upgrading ClamAV

Stay vigilant and keep your software up-to-date to avoid potential security risks.

Timeline

Published on: 03/01/2023 08:15:00 UTC
Last modified on: 03/13/2023 13:52:00 UTC