Critical (9.8)

CVE-2020-37167: ClamAV ClamBC


Attackers can hijack mail gateways and file servers via CVE-2020-37167 in ClamAV. This critical bytecode flaw grants unauthenticated RCE. Upgrade to ClamAV 0.103.2+ immediately.

Patch now - CVE-2020-37167 is a critical code execution vulnerability in the ClamAV bytecode interpreter (0.102.x releases before 0.102.5 and 0.103.x releases before 0.103.2) that lets unauthenticated attackers run arbitrary code or crash the service via a crafted function name.

Overview

A critical vulnerability has been identified in the Clam AntiVirus (ClamAV) software, specifically within its bytecode interpreter component. This component is used to analyze and execute specialized detection scripts. The flaw resides in how the software processes the names of functions within these scripts, allowing for improper manipulation.

Vulnerability in Simple Terms

Think of ClamAV’s bytecode interpreter as a specialized reader for a set of instructions. Each instruction has a title (the function name). Due to a weakness in how these titles are checked and formatted, an attacker can craft a malicious set of instructions with a specially designed title. This malformed title can trick the interpreter into misreading the subsequent instructions, potentially leading it to execute harmful actions it was never supposed to perform, rather than simply scanning for threats.

Potential Impact

The severity of this vulnerability is rated as CRITICAL (CVSS Score: 9.8). If successfully exploited, this flaw could allow an attacker to:

  • Execute Arbitrary Code: Run malicious commands or programs on the system running ClamAV, potentially taking full control of the server.
  • Cause a Denial-of-Service (Crash): Disrupt the ClamAV service, causing it to stop scanning files and leaving the system unprotected.
  • Bypass Detection: The core function of the antivirus could be undermined during an attack.

This impacts any system using a vulnerable version of ClamAV for scanning files, which is common in mail gateways, file servers, and endpoint protection setups.

Remediation and Mitigation Advice

Immediate action is required to secure affected systems.

  1. Update ClamAV Immediately: This is the primary and most effective solution. Upgrade ClamAV to a patched version.

    • For ClamAV 0.102.x releases before 0.102.5, upgrade to 0.102.5 or later
    • For ClamAV 0.103.x releases before 0.103.2, upgrade to 0.103.2 or later
  2. Update Signature Databases: Ensure your ClamAV virus definition databases are updated. The patched versions contain updated bytecode signatures that are not susceptible to this interpreter flaw.

  3. Restrict Bytecode Usage (If Update is Delayed): As a temporary mitigation, you can disable the bytecode interpreter. However, this will significantly reduce ClamAV’s detection capabilities for complex threats. This can typically be done by setting Bytecode false in your clamd.conf and freshclam.conf configuration files. This is not a recommended long-term solution.

Action Summary: Check your ClamAV version and upgrade to the patched releases without delay. Confirm that your automated update processes for both the software and virus definitions are functioning correctly.
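As an added check (not part of this advisory or of the ClamAV project), the following POSIX shell script parses a clamscan --version banner, compares it against the patched releases named above (0.102.5 and 0.103.2), and reports whether a clamd.conf has the Bytecode directive disabled. It assumes that branches later than 0.103 also carry the fix and that the directive defaults to yes when absent.

```shell
#!/bin/sh
# Added example: version gate for CVE-2020-37167 plus a clamd.conf check.
# clamav_patched VERSION -> exit 0 = patched, 1 = vulnerable, 2 = unparseable.

# Reduce "ClamAV 0.103.1/26123/<date>" (or a bare "0.103.1") to "0.103.1".
clamav_version_triplet() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV //; s/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

clamav_patched() {
    v=$(clamav_version_triplet "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # Assumption: 1.x and 0.104+ are newer than both patched releases.
    [ "$major" -gt 0 ] && return 0
    [ "$minor" -ge 104 ] && return 0
    [ "$minor" -eq 103 ] && [ "$patch" -ge 2 ] && return 0
    [ "$minor" -eq 102 ] && [ "$patch" -ge 5 ] && return 0
    return 1   # 0.101.x and older, or an unpatched 0.102/0.103 release
}

# Print "disabled" when the bytecode interpreter is turned off in a
# clamd.conf (the advisory's temporary mitigation), else "enabled".
bytecode_setting() {
    # Only uncommented directives count; the last one wins.
    val=$(sed -n 's/^[[:space:]]*Bytecode[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        no|false|0) echo disabled ;;
        *) echo enabled ;;    # assumption: directive absent means the default, yes
    esac
}

# Constructed sample config so the script runs stand-alone.
sample_conf=$(mktemp)
printf '# Bytecode yes\nLogFile /var/log/clamav/clamd.log\nBytecode false\n' > "$sample_conf"

if clamav_patched "ClamAV 0.103.1/26000/Mon Jan  1 00:00:00 2021"; then
    echo "patched"
else
    echo "VULNERABLE: upgrade; bytecode interpreter is $(bytecode_setting "$sample_conf")"
fi
rm -f "$sample_conf"
```

On a real host, feed it `$(clamscan --version)` and the path to the clamd.conf actually loaded by clamd.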
