CVE-2024-20328
published 2024-03-01

Priority: P3 (54)
Severity: medium, CVSS 3.1 base score 5.3
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 84.84% (99.7th percentile)
A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account. The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands. ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Affected (16 ranges)

Vendor  | Product                                   | Version range                             | Fixed in
cisco   | clamav                                    | -                                         | -
cisco   | clamav                                    | -                                         | -
clamav  | clamav                                    | >= 0 < 1.0.5+dfsg-1~deb12u1               | 1.0.5+dfsg-1~deb12u1
clamav  | clamav                                    | >= 0 < 1.0.5+dfsg-1                       | 1.0.5+dfsg-1
clamav  | clamav                                    | >= 0 < 1.0.5+dfsg-1                       | 1.0.5+dfsg-1
clamav  | clamav                                    | >= 0 < 1.0.5+dfsg-0ubuntu0.23.10.1        | 1.0.5+dfsg-0ubuntu0.23.10.1
clamav  | clamav                                    | >= 1.0.0 < 1.0.5                          | 1.0.5
clamav  | clamav                                    | >= 1.2.0 < 1.2.2                          | 1.2.2
debian  | clamav                                    | < clamav 1.0.5+dfsg-1~deb12u1 (bookworm)  | clamav 1.0.5+dfsg-1~deb12u1 (bookworm)
msrc    | azl3_clamav_0.105.2-4_on_azure_linux_3.0  | -                                         | -
msrc    | azl3_clamav_1.0.6-1_on_azure_linux_3.0    | -                                         | -
msrc    | azure_linux_3.0_arm                       | -                                         | -
msrc    | azure_linux_3.0_x64                       | -                                         | -
msrc    | cbl2_clamav_0.105.2-5_on_cbl_mariner_2.0  | -                                         | -
msrc    | cbl_mariner_2.0_arm                       | -                                         | -
msrc    | cbl_mariner_2.0_x64                       | -                                         | -

Detection & IOCs (extracted from sources)

  • The VirusEvent feature in ClamAV (clamd) is the attack surface; monitor for unexpected command execution spawned from the clamd process, particularly when filenames contain shell metacharacters or command-line sequences.
  • An attacker able to connect to ClamD (clamd socket/port) could trigger this vulnerability via the VirusEvent feature; monitor for unusual or unauthorized connections to the ClamD service.
  • The vulnerability is triggered when VirusEvent configuration options are active in clamd.conf; audit systems for VirusEvent directives and alert on child processes spawned by clamd with suspicious arguments.
  • The vulnerability only manifests when the VirusEvent feature is enabled in ClamAV configuration; systems without VirusEvent configured are not exploitable via this vector.
  • There are no workarounds available; the only remediation is upgrading to a patched ClamAV release (e.g., Debian fixed in 1.0.5+dfsg-1~deb12u1 for bookworm).
  • Exploitation requires local attacker access to submit a malicious filename to the ClamD service; the injected commands execute with the privileges of the ClamAV application service account.

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 5.3   | MEDIUM   | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
osv            | -       | 7.5   | HIGH     | -
vendor_ubuntu  | -       | 7.5   | HIGH     | -
vendor_debian  | -       | 5.3   | MEDIUM   | -
vendor_msrc    | -       | 5.3   | MEDIUM   | -