Cyber Resilience

CVE-2023-20032

Critical

Published: 01 March 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: (none recorded)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0712 (91.7th percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-20032 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in ClamAV (vendor: ClamAV). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-20032 is a heap buffer overflow vulnerability in the HFS+ partition file parser within the ClamAV scanning library, caused by a missing buffer size check. It affects ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier, and carries a CVSS 3.1 base score of 9.8 with associated weaknesses CWE-120 and CWE-787.

An unauthenticated remote attacker can exploit the flaw by submitting a specially crafted HFS+ partition file for scanning on an affected system. Successful exploitation grants arbitrary code execution with the privileges of the ClamAV process or triggers a denial-of-service condition by crashing the scanner.

The referenced Cisco Security Advisory describes the vulnerability and directs users to the ClamAV blog for further details on affected releases and remediation steps.

The EPSS score for this CVE rose from lower values to a peak of 0.1032, indicating increased exploitation interest after public disclosure, before receding to the current 0.0712.

EU & UK References

Vulnerability details

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to execute arbitrary code. This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition. For a description of this vulnerability, see the ClamAV blog (https://blog.clamav.net/).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Affected versions

Cisco / Secure Endpoint: ≤ 1.20.2 · ≤ 1.21.1 · ≤ 7.5.9
Cisco / Secure Endpoint Private Cloud: ≤ 3.6.0
Cisco / Web Security Appliance: ≤ 12.5.6 · 14.0.0 to 14.0.4-005 · 14.5.0 to 14.5.1-013
ClamAV / ClamAV: 1.0.0 · ≤ 0.103.7 · 0.104.0 to 0.105.1
Stormshield / Stormshield Network Security: 3.0.0 to 3.7.35 · 3.8.0 to 3.11.23 · 4.3.0 to 4.3.17

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-120: Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

Addresses CWE-787: Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References