On February 15, 2023, a serious security vulnerability was published in ClamAV, the popular open-source antivirus engine. Unauthenticated attackers could exploit it remotely, leaking sensitive information from the system running the scan. This post dives into how this happened, how the vulnerability works, and how you can protect your systems.
What is ClamAV?
ClamAV is an open-source antivirus toolkit that runs on Linux, Windows, and macOS. It’s widely used on mail gateways, file servers, and in web apps to scan files for viruses and malware.
- Affected versions: ClamAV 0.103.7 and earlier
- Impact: Allow an unauthenticated, remote attacker to access sensitive contents of accessible files on the system running ClamAV.
- Technical root cause: XML External Entity (XXE) injection, caused by unsafe XML entity substitution in the DMG parser.
Original announcement and advisory:
- Cisco Talos CVE-2023-20052
- NIST NVD Listing
The Vulnerability Explained in Simple Terms
ClamAV includes a DMG file parser that reads Apple DMG disk image files. Some DMGs carry an XML plist file called AOModel, which ClamAV’s parser loads while scanning for threats. Under the hood, that XML was parsed insecurely: the parser was allowed to resolve external entities declared in the XML.
What is XML External Entity (XXE) Injection?
When an XML parser is configured to resolve external entities, an attacker can inject one: a reference in the XML that the parser expands by reading a local file or even fetching remote content.
In this case:
An attacker sends a DMG to ClamAV’s scan endpoint. As ClamAV parses the internal XML, the attacker’s XML tricks ClamAV into reading a file on its own filesystem, embedding its contents in the XML output that’s eventually exposed to the attacker.
- Add an XXE reference: The XML references a file the attacker wants to steal, for example /etc/passwd.
- Sensitive data leaks: The exploited parser puts the contents of that file into the scan output or log data, which the attacker can access.
Here’s how a malicious XML (plist) inside a DMG might look:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<plist version="1.0">
<dict>
<key>Payload</key>
<string>&xxe;</string>
</dict>
</plist>
What happens here?
- The <!ENTITY xxe SYSTEM "file:///etc/passwd"> line tells the XML parser to define an entity called xxe whose value is the contents of /etc/passwd.
- Wherever &xxe; appears in the XML, the parser replaces it with the contents of /etc/passwd.
- If ClamAV exposes its scan report or an error message to the attacker (or even writes it to logs), the attacker can read those contents.
PoC: Minimal Exploit Using clamscan
Suppose you save the above XML as payload.plist and insert it into a valid DMG file as the AOModel plist.
Then run:
clamscan --detect-pua=yes malicious.dmg
If you have access to ClamAV’s output (for example via a web app or its logs), you might see it containing the contents of /etc/passwd.
Why is This Dangerous?
- Remote Attack: ClamAV is often used to scan user-uploaded files. Attackers don’t need a user account to send a crafted DMG file.
- Sensitive File Access: Any file the clamav process user can read (such as configs, SSH keys, secret keys, DB credentials) can leak.
- Cloud, Mail Gateways, APIs: If you process files in automated antivirus workflows, you are at risk.
How to Fix It
Patch Now:
ClamAV's fix disables XML entity expansion in the DMG parser.
References:
- Cisco Security Advisory
- ClamAV Release Notes
Other Tips:
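The fix described above removes entity substitution from the parser. A defensive layer that does not depend on any parser setting is to refuse DTD constructs outright: a plist pulled out of a DMG has no legitimate use for a DOCTYPE or ENTITY declaration, so a scanner can reject the document before it is parsed, log a clear verdict, and only then hand clean input to a parser. The following is an added example (not ClamAV's code, and not the project's patch); it uses Python's standard-library plistlib and three constructed sample plists, the first of which is the payload shape shown earlier in this post. It goes slightly beyond the post by also rejecting internal entity declarations, which are the basis of entity-expansion ("billion laughs") bombs.

```python
"""Added example, not ClamAV's own code: screen a plist for DOCTYPE/ENTITY
declarations before parsing it, then parse with the standard-library plistlib.

A plist extracted from a DMG has no legitimate use for a DTD, so a scanner
can reject any <!DOCTYPE or <!ENTITY declaration outright instead of relying
on the parser's entity-substitution setting. The sample plists below are
constructed for this demo; the file path in the payload is only a label here.
"""
import plistlib
import re

# XML comments are stripped first so a "<!ENTITY" inside a comment neither
# triggers a false finding nor hides a real declaration that follows it.
_COMMENT_RE = re.compile(rb"<!--.*?-->", re.DOTALL)
# Any DTD construct at all: internal subsets are also where entity-expansion
# ("billion laughs") bombs are declared, so they are rejected too.
_DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# External (SYSTEM/PUBLIC) general or parameter entity: the XXE primitive.
_EXTERNAL_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def classify_plist(xml: bytes) -> str:
    """Return 'external-entity', 'dtd' or 'clean' for a plist body."""
    body = _COMMENT_RE.sub(b"", xml)
    if _EXTERNAL_RE.search(body):
        return "external-entity"
    if _DTD_RE.search(body):
        return "dtd"
    return "clean"


def safe_load_plist(xml: bytes) -> dict:
    """Parse a plist only after the DTD screen passes.

    Rejecting the declaration up front gives the scanner a loggable verdict
    instead of a parse error, and keeps the decision independent of which
    XML parser (and which version of it) sits underneath.
    """
    verdict = classify_plist(xml)
    if verdict != "clean":
        raise ValueError(f"plist rejected: {verdict} declaration present")
    return plistlib.loads(xml)


# Constructed samples. XXE_PLIST is the payload shape shown in the post.
XXE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<plist version="1.0">
<dict><key>Payload</key><string>&xxe;</string></dict>
</plist>"""

# Internal entity only: no file read, but still a DTD and still rejected.
INTERNAL_ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY greet "hello"> ]>
<plist version="1.0">
<dict><key>Payload</key><string>&greet;</string></dict>
</plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>Payload</key><string>hello</string></dict>
</plist>"""


def demo() -> dict:
    """Run the screen over the three samples and return the verdicts."""
    return {name: classify_plist(data) for name, data in (
        ("xxe", XXE_PLIST),
        ("internal", INTERNAL_ENTITY_PLIST),
        ("benign", BENIGN_PLIST),
    )}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
    print("benign parsed as:", safe_load_plist(BENIGN_PLIST))
```

The screen is deliberately a pre-parse check on the raw bytes rather than a parser option, because the option that matters differs per library: for code built on libxml2, the equivalent hardening is to leave XML_PARSE_NOENT and XML_PARSE_DTDLOAD out of the xmlReadMemory flags (a general libxml2 point, not a description of the ClamAV patch), while Python's plistlib has refused entity declarations on its own since 3.9. Running the check first means a misconfigured or older parser downstream never sees the declaration at all.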
Final Thoughts
CVE-2023-20052 is a reminder that even core security tools like antivirus scanners can be a target for attack. If your ClamAV install is out of date, it could be a data breach waiting to happen. Always patch promptly, keep an eye on ClamAV security bulletins, and run security software with strict permissions.
More Resources
- OWASP XXE Cheat Sheet
- ClamAV Security Updates
Timeline
Published on: 03/01/2023 08:15:00 UTC
Last modified on: 03/13/2023 13:52:00 UTC