cbcvebase.
CVE-2017-12379
published 2018-01-26

CVE-2017-12379: ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service…

PriorityP267critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
12.78%
95.8th percentile
ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms in the message parsing function on an affected system. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a messageAddArgument (in message.c) buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition or execute arbitrary code on an affected device.

Affected

9 ranges
VendorProductVersion rangeFixed in
clamavclamav<= 0.99.2
clamavclamav>= 0 < 0.99.3~beta2+dfsg-10.99.3~beta2+dfsg-1
clamavclamav>= 0 < 0.99.3~beta2+dfsg-10.99.3~beta2+dfsg-1
clamavclamav>= 0 < 0.99.3~beta2+dfsg-10.99.3~beta2+dfsg-1
clamavclamav>= 0 < 0.99.3~beta2+dfsg-10.99.3~beta2+dfsg-1
clamavclamav>= 0 < 0.99.3+addedllvm-0ubuntu0.14.04.10.99.3+addedllvm-0ubuntu0.14.04.1
clamavclamav>= 0 < 0.99.3+addedllvm-0ubuntu0.16.04.10.99.3+addedllvm-0ubuntu0.16.04.1
debianclamav< clamav 0.99.3~beta2+dfsg-1 (bookworm)clamav 0.99.3~beta2+dfsg-1 (bookworm)
debiandebian_linux

Detection & IOCsextracted from sources · hover to see the quote

  • Trigger point is the messageAddArgument function in message.c — monitor for buffer overflow conditions or crashes originating from this function during email scanning
  • Attack vector is a crafted email delivered to a system running ClamAV ≤ 0.99.2; inspect email scanning pipelines for malformed/oversized message arguments that trigger the vulnerable message parsing function
  • Vulnerable component is ClamAV versions 0.99.2 and prior; flag any deployment of these versions as at-risk
  • ·Debian scopes this vulnerability as 'local' despite the NVD description characterising the attacker as unauthenticated and remote; verify the actual attack surface in your deployment before prioritising
  • ·The fix is available in ClamAV 0.99.3~beta2 and later; systems still running 0.99.2 or earlier remain vulnerable

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.