Debian DLA-3544-1 : clamav - LTS security update

2023-08-2800:00:00

www.tenable.com

debian

clamav

vulnerability

hfs+

filesystem

denial of service

remote attacker

unauthenticated

nessus

cve-2023-20197

lts security update

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.8%

JSON

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3544 advisory.

A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources. For a description of this vulnerability, see the ClamAV blog . (CVE-2023-20197)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3544. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(180207);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/08");

  script_cve_id("CVE-2023-20197");
  script_xref(name:"IAVB", value:"2023-B-0062-S");

  script_name(english:"Debian DLA-3544-1 : clamav - LTS security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3544
advisory.

  - A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could
    allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected
    device. This vulnerability is due to an incorrect check for completion when a file is decompressed, which
    may result in a loop condition that could cause the affected software to stop responding. An attacker
    could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on
    an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to
    stop responding, resulting in a DoS condition on the affected software and consuming available system
    resources. For a description of this vulnerability, see the ClamAV blog . (CVE-2023-20197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050057");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/clamav");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3544");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-20197");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/clamav");
  script_set_attribute(attribute:"solution", value:
"Upgrade the clamav packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-20197");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/08/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/08/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-daemon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-freshclam");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-milter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav-testfiles");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamdscan");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libclamav-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libclamav9");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '10.0', 'prefix': 'clamav', 'reference': '0.103.9+dfsg-0+deb10u1'},
    {'release': '10.0', 'prefix': 'clamav-base', 'reference': '0.103.9+dfsg-0+deb10u1'},
    {'release': '10.0', 'prefix': 'clamav-daemon', 'reference': '0.103.9+dfsg-0+deb10u1'},
    {'release': '10.0', 'prefix': 'clamav-docs', 'reference': '0.103.9+dfsg-0+deb10u1'},
    {'release': '10.0', 'prefix': 'clamav-freshclam', 'reference': '0.103.9+dfsg-0+deb10u1'},
    {'release': '10.0', 'prefix': 'clamav-milter', 'reference': '0.103.9+dfsg-0+deb10u1'},
    {'release': '10.0', 'prefix': 'clamav-testfiles', 'reference': '0.103.9+dfsg-0+deb10u1'},
    {'release': '10.0', 'prefix': 'clamdscan', 'reference': '0.103.9+dfsg-0+deb10u1'},
    {'release': '10.0', 'prefix': 'libclamav-dev', 'reference': '0.103.9+dfsg-0+deb10u1'},
    {'release': '10.0', 'prefix': 'libclamav9', 'reference': '0.103.9+dfsg-0+deb10u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'clamav / clamav-base / clamav-daemon / clamav-docs / clamav-freshclam / etc');
}

VendorProductVersionCPE
debiandebian_linuxclamav-basep-cpe:/a:debian:debian_linux:clamav-base
debiandebian_linuxclamavp-cpe:/a:debian:debian_linux:clamav
debiandebian_linuxlibclamav-devp-cpe:/a:debian:debian_linux:libclamav-dev
debiandebian_linuxclamav-milterp-cpe:/a:debian:debian_linux:clamav-milter
debiandebian_linux10.0cpe:/o:debian:debian_linux:10.0
debiandebian_linuxlibclamav9p-cpe:/a:debian:debian_linux:libclamav9
debiandebian_linuxclamav-docsp-cpe:/a:debian:debian_linux:clamav-docs
debiandebian_linuxclamav-freshclamp-cpe:/a:debian:debian_linux:clamav-freshclam
debiandebian_linuxclamav-daemonp-cpe:/a:debian:debian_linux:clamav-daemon
debiandebian_linuxclamav-testfilesp-cpe:/a:debian:debian_linux:clamav-testfiles

Vendor	Product	Version	CPE
debian	debian_linux	clamav-base	p-cpe:/a:debian:debian_linux:clamav-base
debian	debian_linux	clamav	p-cpe:/a:debian:debian_linux:clamav
debian	debian_linux	libclamav-dev	p-cpe:/a:debian:debian_linux:libclamav-dev
debian	debian_linux	clamav-milter	p-cpe:/a:debian:debian_linux:clamav-milter
debian	debian_linux	10.0	cpe:/o:debian:debian_linux:10.0
debian	debian_linux	libclamav9	p-cpe:/a:debian:debian_linux:libclamav9
debian	debian_linux	clamav-docs	p-cpe:/a:debian:debian_linux:clamav-docs
debian	debian_linux	clamav-freshclam	p-cpe:/a:debian:debian_linux:clamav-freshclam
debian	debian_linux	clamav-daemon	p-cpe:/a:debian:debian_linux:clamav-daemon
debian	debian_linux	clamav-testfiles	p-cpe:/a:debian:debian_linux:clamav-testfiles