Three vulnerabilities in anti-virus software ClamAV

According to a report on the Full Disclosure security mailing list, the recently released version 0.92 of ClamAV, the open source anti-virus software, contains three vulnerabilities which allow users logged onto a system to escalate their privileges. The causes include a race condition when creating temporary files. If an attacker succeeds in guessing a pseudo-randomly generated name and creating a file with the same name containing specially crafted content in the folder used by ClamAV, it is possible to obtain write access to other files with the privileges of the user calling ClamAV - in the worst case ClamAV might have been started by root. A detailed description is given in the original report.

In addition, ClamAV fails to check files which are Base64 UUEncoded. This allows malware to be smuggled past the anti-virus scanner. This is not a programming error as such: ClamAV simply does not have a function for scanning files of this type. Finally there is also a problem with Sigtool, a tool included in ClamAV. With "symlink attacks" it is in certain cases possible to overwrite files. No update for the bugs described is currently available, although there is a suggestion on the user mailing list for a workaround for dealing with the race condition. Overall the risk posed by these three vulnerabilities can be viewed as relatively low.

In a comparison with 16 other products in tests recently carried out by the c't editorial team, the Windows port of ClamWin failed to impress. Only CA's anti-virus software performed worse. The complete test, "17 Antivirus-Programme für Windows," can be found (in German only at present) in the latest 01/08 edition of c't magazine.

See also:

• TK53 Advisory #2: Multiple vulnerabilities in ClamAV, security advisory from Lolek
• [Clamav-users] TK53 Advisory #2: Multiple vulnerabilities, discussion concerning the vulnerabilities
• ClamAV 0.92 fixes security vulnerability, report by heise Security

(mba)