CVE-2024-20328 - How a ClamAV VirusEvent Bug Lets Local Attackers Run Arbitrary Commands

ClamAV is a widely used open-source antivirus tool, found on everything from personal desktops to mail servers and enterprise systems. On June 5th, 2024, Cisco published details about a significant vulnerability in ClamAV's VirusEvent feature. Tracked as CVE-2024-20328, this local vulnerability could let an attacker execute any command they want, right on the target system.

Let's break down what happened and what you need to do.

The Heart of the Problem

This ClamAV bug boils down to unsafe handling of file names within the VirusEvent feature. VirusEvent is a handy mechanism for running custom scripts or commands whenever ClamAV finds malware. Unfortunately, its implementation didn't fully sanitize file names passed to the event handler.

If a local attacker could get a specially named file scanned, they could sneak in command line symbols as part of the filename. When ClamAV detects the file as malicious, it inserts the filename into a command—allowing the attacker's commands to piggyback in.

Suppose VirusEvent is set up like this in /etc/clamav/clamd.conf

VirusEvent /usr/local/bin/virus-alert.sh %f

The %f is replaced with the infected file's path. If an attacker uploads a file named

file.txt;id;#

The script might run a command resembling

/usr/local/bin/virus-alert.sh /home/user/file.txt;id;#

Bash interprets the semicolon as a command separator. This means after virus-alert.sh runs on the file, the system will execute id as a separate command, showing user and privilege info. Any valid shell command could be injected here.

Assume a script like this

# virus-alert.sh
#!/bin/sh
echo "Virus found at $1"

But ClamAV calls it as

/usr/local/bin/virus-alert.sh '/tmp/evil.txt;cat /etc/passwd;#'

This will result in

1. Alert script runs on '/tmp/evil.txt'
2. cat /etc/passwd runs, leaking sensitive info

Impact

This flaw only requires local access (but that could mean any user on a shared system, or a process running as a low-privilege user). The malicious filename is the attack vector—no fancy binary exploitation or memory corruption needed.

- Attack surface: Any system running ClamAV with VirusEvent enabled (defaults to off, but commonly used in automated environments)
- Impact: Arbitrary command execution with ClamAV's privileges (could be clamav, nobody, or another service user)

Fixes & Recommendations

ClamAV Versions Affected:

ClamAV 1..5

See the official ClamAV release notes and Cisco advisory for details.

How to patch:

Update ClamAV as soon as possible

sudo apt update
sudo apt install clamav

Or, install the latest version manually from the official source.

Minimize user access to directories scanned automatically by ClamAV.

3. Always sanitize user-supplied inputs in scripts tied to VirusEvent—but remember, only a patch fully resolves this bug.

Additional Resources

- NVD CVE-2024-20328
- ClamAV Blog: 1.2.2, 1.1.4, 1..5 Patch Releases
- Cisco Security Advisory

Summary Table

| CVE | Affected Feature | Attack Vector | Privilege Required | Impact | Patch Released | Workaround |
|---------|------------------|--------------|--------------------|------------------------|---------------|------------|
| 2024-20328 | VirusEvent | Local | Local user | Arbitrary command exec | Yes | No |


Stay updated, and always treat file names as untrusted data—even on antivirus scanners. This bug is a reminder that even security tools need secure code.

Timeline

Published on: 03/01/2024 21:15:07 UTC