Bug 27020 - clamav new security issues CVE-2020-3350 and CVE-2020-3481
Summary: clamav new security issues CVE-2020-3350 and CVE-2020-3481
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-29 23:08 CEST by David Walser
Modified: 2020-08-18 19:43 CEST

See Also:
Source RPM: clamav-0.102.3-1.mga7.src.rpm
CVE: CVE-2020-3350, CVE-2020-3481
Status comment:



Description David Walser 2020-07-29 23:08:27 CEST
Upstream has released ClamAV 0.102.4 on July 16, fixing security issues:
https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html

Ubuntu has issued an advisory for this on July 27:
https://ubuntu.com/security/notices/USN-4435-1

Mageia 7 is also affected.
David Walser 2020-07-29 23:08:46 CEST

Whiteboard: (none) => MGA7TOO
CC: (none) => mageia, nicolas.salguero

Comment 1 Nicolas Salguero 2020-07-30 09:33:57 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability in the endpoint software of Cisco AMP for Endpoints and Clam AntiVirus could allow an authenticated, local attacker to cause the running software to delete arbitrary files on the system. The vulnerability is due to a race condition that could occur when scanning malicious files. An attacker with local shell access could exploit this vulnerability by executing a script that could trigger the race condition. A successful exploit could allow the attacker to delete arbitrary files on the system that the attacker would not normally have privileges to delete, producing system instability or causing the endpoint software to stop working. (CVE-2020-3350)

A vulnerability in the EGG archive parsing module in Clam AntiVirus (ClamAV) Software versions 0.102.0 - 0.102.3 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a null pointer dereference. An attacker could exploit this vulnerability by sending a crafted EGG file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition. (CVE-2020-3481)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481
https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html
https://ubuntu.com/security/notices/USN-4435-1
========================

Updated packages in core/updates_testing:
========================
clamav-0.102.4-1.mga7
clamd-0.102.4-1.mga7
clamav-milter-0.102.4-1.mga7
clamav-db-0.102.4-1.mga7
lib(64)clamav9-0.102.4-1.mga7
lib(64)clamav-devel-0.102.4-1.mga7

from SRPM:
clamav-0.102.4-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 7
Source RPM: clamav-0.102.3-1.mga8.src.rpm => clamav-0.102.3-1.mga7.src.rpm
CVE: (none) => CVE-2020-3350, CVE-2020-3481
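
Added example (editor's illustration, not ClamAV's or Mageia's code): the scan-then-remove race that the CVE-2020-3350 paragraph above describes, written as a vulnerable helper beside a hardened one so the difference is visible. The bug report only says that a race during scanning lets a local user delete files they could not otherwise delete; modelling it as a directory swapped for a symlink between the scan and the unlink is this example's assumption, as are the helper names, the stand-in scanner and the constructed temp tree. Python is used so it runs as-is; it needs a POSIX system with dir_fd support (Linux).

```python
"""Added example (editor's, not ClamAV's own code): the scan-then-remove race
CVE-2020-3350 describes, as a vulnerable helper beside a hardened one. The
attack model (a directory swapped for a symlink between scan and unlink), the
helper names and the temp tree are this example's own assumptions."""
import os
import shutil
import stat
import tempfile

MARKER = b"MALICIOUS"  # constructed "signature" for the stand-in scanner


def looks_malicious(fd: int) -> bool:
    """Stand-in for the AV engine: flag any file containing MARKER."""
    os.lseek(fd, 0, os.SEEK_SET)
    return MARKER in os.read(fd, 4096)


def remove_if_infected_racy(path, swap_hook=None):
    """Vulnerable shape: scan by path, then unlink by the same path string. If a
    directory component becomes a symlink in between, unlink() follows it."""
    fd = os.open(path, os.O_RDONLY)
    try:
        infected = looks_malicious(fd)
    finally:
        os.close(fd)
    if swap_hook:
        swap_hook()  # the attacker wins the race window here
    if infected:
        os.unlink(path)  # resolved through whatever the path means *now*
    return infected


def remove_if_infected_hardened(path, swap_hook=None):
    """Hardened shape: pin the containing directory with a descriptor, open the
    leaf with O_NOFOLLOW, remember the (device, inode) that was scanned, and
    re-verify it immediately before a directory-relative unlink."""
    directory, leaf = os.path.split(os.path.abspath(path))
    dfd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)
    try:
        fd = os.open(leaf, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        try:
            scanned = os.fstat(fd)
            infected = looks_malicious(fd)
        finally:
            os.close(fd)
        if swap_hook:
            swap_hook()
        if not infected:
            return False
        now = os.stat(leaf, dir_fd=dfd, follow_symlinks=False)
        if stat.S_ISLNK(now.st_mode) or (now.st_dev, now.st_ino) != (scanned.st_dev, scanned.st_ino):
            raise RuntimeError("scan target changed underneath us; refusing to delete")
        os.unlink(leaf, dir_fd=dfd)  # relative to the pinned directory, not the path string
        return True
    finally:
        os.close(dfd)


def _regular_file_at(p):
    """True only if p is a real regular file reached without any symlink."""
    return os.path.isfile(p) and os.path.realpath(p) == p


def demo(hardened: bool, attack: str) -> dict:
    """Build a constructed tree, run one helper against one attack, report."""
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        scan_dir, victim_dir = os.path.join(root, "scan"), os.path.join(root, "victim")
        os.mkdir(scan_dir)
        os.mkdir(victim_dir)
        infected, victim = os.path.join(scan_dir, "evil.txt"), os.path.join(victim_dir, "evil.txt")
        with open(infected, "wb") as f:
            f.write(MARKER)
        with open(victim, "wb") as f:
            f.write(b"important data")

        def swap():
            if attack == "dir_symlink":  # move scan/ aside, point its old name at victim/
                os.rename(scan_dir, os.path.join(root, "moved"))
                os.symlink(victim_dir, scan_dir)
            elif attack == "leaf_symlink":  # replace the scanned file with a symlink
                os.unlink(infected)
                os.symlink(victim, infected)

        fn = remove_if_infected_hardened if hardened else remove_if_infected_racy
        removed, refused = False, False
        try:
            removed = fn(infected, swap_hook=swap)
        except RuntimeError:
            refused = True
        return {"removed": removed, "refused": refused,
                "victim_survived": _regular_file_at(victim),
                "infected_survived": _regular_file_at(infected)
                or _regular_file_at(os.path.join(root, "moved", "evil.txt"))}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "racy", demo(hardened, "dir_symlink"))
```

Run it directly to see both outcomes: the racy helper ends up deleting victim/evil.txt (a file it never scanned) while the infected file lives on under moved/, whereas the hardened helper deletes the inode it actually scanned, wherever its directory was renamed to, and refuses outright when the leaf has turned into a symlink. The remaining window in the hardened form is before the directory descriptor is opened, i.e. before anything has been scanned, so the worst case is scanning the wrong tree, not deleting an unrelated file. A C implementation would follow the same shape with openat(2), fstat(2), fstatat(2) with AT_SYMLINK_NOFOLLOW and unlinkat(2).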

Comment 2 Herman Viaene 2020-08-03 18:56:02 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bugs 26653 and 25754 for testing
# freshclam
ClamAV update process started at Mon Aug  3 14:03:08 2020
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1800
fc_dns_query_update_info: Software version from DNS: 0.102.4
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of daily found: daily.cvd.
query_remote_database_version: daily.cvd version from DNS: 25892
daily database available for update (local version: 25888, remote version: 25892)
Current database is 4 versions behind.
Downloading database patch # 25889...
Retrieving https://database.clamav.net/daily-25889.cdiff
downloadFile: Download source:      https://database.clamav.net/daily-25889.cdiff
downloadFile: Download destination: ./clamav-0385651132a26463947b762f77446a9e.tmp
*   Trying 104.16.219.84:443...
* Connected to database.clamav.net (104.16.219.84) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Apr  6 00:00:00 2020 GMT
*  expire date: Oct  9 12:00:00 2020 GMT
*  subjectAltName: host "database.clamav.net" matched cert's "database.clamav.net"
*  issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xec8a60)
> GET /daily-25889.cdiff HTTP/2
Host: database.clamav.net
user-agent: ClamAV/0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
accept: */*
connection: close
and a lot more ......
$ clamscan -vr
Scanning /home/tester7/Documents/.cache/www.mageia.orgen,8a9a589ca2daf26b2d84287c89de41fa
/home/tester7/Documents/.cache/www.mageia.orgen,8a9a589ca2daf26b2d84287c89de41fa: OK
Scanning /home/tester7/Documents/postjdbc.txt
/home/tester7/Documents/postjdbc.txt: OK
Scanning /home/tester7/Documents/get3.py
/home/tester7/Documents/get3.py: OK
Scanning /home/tester7/Documents/helloworld$1.class
/home/tester7/Documents/helloworld$1.class: OK
Scanning /home/tester7/Documents/helloworld.java
/home/tester7/Documents/helloworld.java: OK
Scanning /home/tester7/Documents/getown.py
/home/tester7/Documents/getown.py: OK
Scanning /home/tester7/Documents/postg.odb
/home/tester7/Documents/postg.odb: OK
Scanning /home/tester7/Documents/.directory
and more .....
$ clamscan -vr /media/win_c    # Windows partition
Scanning /media/win_c/$Recycle.Bin/S-1-5-18/desktop.ini
/media/win_c/$Recycle.Bin/S-1-5-18/desktop.ini: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-1781323582-2267604969-619860376-500/desktop.ini
/media/win_c/$Recycle.Bin/S-1-5-21-1781323582-2267604969-619860376-500/desktop.ini: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1001/desktop.ini
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1001/desktop.ini: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$IIM19AF.lnk
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$IIM19AF.lnk: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$IRT1XON.lnk
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$IRT1XON.lnk: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$IT8G5MV.lnk
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$IT8G5MV.lnk: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$RIM19AF.lnk
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$RIM19AF.lnk: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$RRT1XON.lnk
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$RRT1XON.lnk: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$RT8G5MV.lnk
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/$RT8G5MV.lnk: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/desktop.ini
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1002/desktop.ini: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1003/desktop.ini
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-1003/desktop.ini: OK
Scanning /media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-500/desktop.ini
/media/win_c/$Recycle.Bin/S-1-5-21-3422449514-3301129872-3917169998-500/desktop.ini: OK
Scanning /media/win_c/$Windows.~WS/Sources/Panther/diagerr.xml
/media/win_c/$Windows.~WS/Sources/Panther/diagerr.xml: OK
Scanning /media/win_c/$Windows.~WS/Sources/Panther/diagwrn.xml
/media/win_c/$Windows.~WS/Sources/Panther/diagwrn.xml: OK
Scanning /media/win_c/$Windows.~WS/Sources/Panther/DlTel-Merge.etl
/media/win_c/$Windows.~WS/Sources/Panther/DlTel-Merge.etl: OK
and loads of it.

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2020-08-04 08:47:34 CEST
At the end of the /home/tester7/Documents scan:

Known viruses: 8328734
Engine version: 0.102.4
Scanned directories: 2
Scanned files: 17
Infected files: 0
Data scanned: 0.29 MB
Data read: 0.11 MB (ratio 2.64:1)
Time: 18.889 sec (0 m 18 s)

The Windows scan ran for 10h 48min.


# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/

# systemctl start clamav-daemon

# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-08-04 08:45:47 CEST; 7s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
 Main PID: 22254 (clamd)
    Tasks: 1 (limit: 4915)
   Memory: 742.5M
   CGroup: /system.slice/clamav-daemon.service
           └─22254 /usr/sbin/clamd --foreground=true

Aug 04 08:45:47 mach5.hviaene.thuis systemd[1]: Started Clam AntiVirus userspace daemon.

All OK to me

Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-08-11 02:09:11 CEST
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2020-08-18 17:23:21 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-08-18 19:43:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0322.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
