ClamAV ClamD Service | SonicWall

SonicWall researchers detail a command injection vulnerability in ClamAV’s VirusEvent feature (CVE-2024-20328) that allows crafted filenames to execute arbitrary shell commands under the clamd service account. Immediate mitigation steps include applying vendor patches and using updated IPS signatures to block exploitation attempts. #ClamAV #CVE-2024-20328

Keypoints

  • ClamAV’s VirusEvent feature constructs and executes shell command strings including unsanitized filename and virus-name placeholders, enabling command injection.
  • Exploitation is possible remotely via network (no privileges or user interaction required) by delivering specially crafted files or emails that are scanned by clamd.
  • The vulnerability is rooted in the virusaction function where vfork() is used and the child process executes buffer_cmd via execle() without input sanitization.
  • Example exploitation vectors include embedding commands in filenames, manipulating environment variables, abusing file paths, or chaining benign commands with payloads.
  • Affected versions include ClamAV 0.104, 0.105, 1.0.0–1.0.4 (LTS), 1.1 (all), 1.2.0, and 1.2.1.
  • SonicWall released an IPS signature (4281 ClamAV VirusEvent Command Injection) and recommends applying vendor patches, restricting access to trusted clients, and keeping systems updated.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used to run arbitrary shell commands via the VirusEvent-created command string that includes unsanitized filenames. (‘the command buffer_cmd is executed in the shell without any sanitization, enabling arbitrary command execution’)
  • [T1190] Exploit Public-Facing Application – The vulnerability can be exploited remotely over the network without privileges or user interaction by sending crafted files for scanning. (‘allowing potential exploitation from remote locations… without requiring any privileges or user interaction’)
  • [T1203] Exploitation for Client Execution – A software flaw in VirusEvent’s handling of input allows crafted filenames to trigger execution of attacker-supplied commands. (‘a command injection vulnerability in the VirusEvent feature… allows for the execution of arbitrary code’)

Indicators of Compromise

  • No IoCs Found

ClamAV’s VirusEvent executes a configured command, using placeholders for the virus name (%v) and the filename (%f). The virusaction implementation builds an environment (PATH plus variables), then forms a shell command (buffer_cmd) that incorporates the filename directly, without sanitization; the child process created by vfork() calls execle() to run /bin/sh with that buffer, so an attacker who controls a filename can inject shell metacharacters and execute arbitrary commands under the clamd service account. Demonstrations include filenames such as ‘# xmrig;whoami;’, which cause both the intended VirusEvent output and the injected command (here, whoami) to run, revealing the execution context.

Attackers can trigger this by delivering crafted files via email, upload directories, or any vector where clamd scans attacker-controlled filenames or paths. Common exploitation techniques shown are embedding commands in filenames, using command-substitution payloads to manipulate environment variables, inserting payloads into file paths to spawn reverse shells, and chaining benign commands with malicious downloads and execution. The critical code path centers on the vfork()/execle() sequence in virusaction where buffer_cmd is executed by a shell without escaping or validation of placeholders.

Mitigation should be immediate: apply the vendor patch for CVE-2024-20328, deploy updated IPS signatures (SonicWall IPS: 4281), restrict access to ClamAV services to trusted clients, and maintain up-to-date security software and regular audits. These steps, combined with removing or hardening VirusEvent command usage (for example, never interpolating filenames into the shell string), reduce the risk of remote command execution through crafted filenames.
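The substitution flaw described above and the hardening suggested under mitigations, as an added C example that is not ClamAV's code: build_cmd_unsafe copies %f verbatim into the command text the way the page describes buffer_cmd, has_shell_meta is a defender-side check for names that must never be interpolated, and build_cmd_safe passes the name out-of-band instead. All function names and the VIRUSEVENT_FILENAME variable are this example's assumptions, not ClamAV's identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern described on this page: %v and %f are expanded textually
 * into the buffer that /bin/sh -c will run. Returns a malloc'd string (caller
 * frees) or NULL on allocation failure. */
char *build_cmd_unsafe(const char *tmpl, const char *virname, const char *fname)
{
    size_t need = 1;
    const char *t;
    for (t = tmpl; *t; t++) {                 /* pass 1: size the buffer */
        if (t[0] == '%' && t[1] == 'f')      { need += strlen(fname);   t++; }
        else if (t[0] == '%' && t[1] == 'v') { need += strlen(virname); t++; }
        else need++;
    }
    char *out = malloc(need), *p = out;
    if (!out) return NULL;
    for (t = tmpl; *t; t++) {                 /* pass 2: raw copy, no escaping */
        const char *src = NULL;
        if (t[0] == '%' && t[1] == 'f') src = fname;
        else if (t[0] == '%' && t[1] == 'v') src = virname;
        if (src) { size_t n = strlen(src); memcpy(p, src, n); p += n; t++; }
        else *p++ = *t;
    }
    *p = '\0';
    return out;
}

/* Defender-side check: any of these bytes (including whitespace) means the
 * name must never be placed in shell command text; log it as suspicious. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|&$`\"'\\<>()*?[]{}~#\n\t ") != NULL;
}

/* Hardened pattern: the file name never enters the command text. It is handed
 * over in the environment instead (VIRUSEVENT_FILENAME is this example's name,
 * not ClamAV's) and a template that still uses %f is rejected.
 * Returns 0 on success, -1 on a rejected template or a truncated buffer. */
int build_cmd_safe(const char *tmpl, const char *fname, char *envbuf, size_t envlen)
{
    if (strstr(tmpl, "%f")) return -1;
    int n = snprintf(envbuf, envlen, "VIRUSEVENT_FILENAME=%s", fname);
    return (n < 0 || (size_t)n >= envlen) ? -1 : 0;
}
```

With the hardened variant the configured command reads "$VIRUSEVENT_FILENAME" inside double quotes, so the shell expands it as one word and never parses the name's bytes as syntax.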

Read more: https://blog.sonicwall.com/en-us/2024/02/clamav-clamd-service/