cbcvebase.
CVE-2017-12377
published 2018-01-26

CVE-2017-12377: ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service…

PriorityP265critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
11.80%
95.6th percentile
ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms in mew packet files sent to an affected device. A successful exploit could cause a heap-based buffer over-read condition in mew.c when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code on the affected device.

Affected

9 ranges
VendorProductVersion rangeFixed in
clamavclamav<= 0.99.2
clamavclamav>= 0 < 0.99.3~beta2+dfsg-10.99.3~beta2+dfsg-1
clamavclamav>= 0 < 0.99.3~beta2+dfsg-10.99.3~beta2+dfsg-1
clamavclamav>= 0 < 0.99.3~beta2+dfsg-10.99.3~beta2+dfsg-1
clamavclamav>= 0 < 0.99.3~beta2+dfsg-10.99.3~beta2+dfsg-1
clamavclamav>= 0 < 0.99.3+addedllvm-0ubuntu0.14.04.10.99.3+addedllvm-0ubuntu0.14.04.1
clamavclamav>= 0 < 0.99.3+addedllvm-0ubuntu0.16.04.10.99.3+addedllvm-0ubuntu0.16.04.1
debianclamav< clamav 0.99.3~beta2+dfsg-1 (bookworm)clamav 0.99.3~beta2+dfsg-1 (bookworm)
debiandebian_linux

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability is triggered by a malicious MEW packet file submitted for scanning; detection should focus on ClamAV processing of MEW-packed executables that cause a heap-based buffer over-read in mew.c
  • Affected versions are ClamAV 0.99.2 and prior; any deployment running these versions scanning untrusted files is at risk of DoS or code execution
  • ·The vulnerability scope is listed as local in the Debian tracker, meaning exploitation requires the malicious file to be submitted/accessible locally to the ClamAV scanner, despite the NVD description referencing a remote attacker sending files
  • ·The fix is available in ClamAV 0.99.3~beta2 and later; deployments should upgrade beyond 0.99.2 to remediate

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.