Multiple vulnerabilities in ClamAV
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-1386 CVE-2021-1405 CVE-2021-1404 CVE-2021-1252 |
| CWE-ID | CWE-427 CWE-476 CWE-125 CWE-835 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
ClamAV Client/Desktop applications / Antivirus software/Personal firewalls |
| Vendor | ClamAV |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
Updated: 03.05.2021
Added vulnerabilities #2-4, raised bulletin risk level from Low to High.
1) Insecure DLL loading
EUVDB-ID: #VU51964
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-1386
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the application loads DLL libraries in an insecure manner. A local user can place a malicious .dll file in certain location on the system and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability affects Windows installations only.
Install update from vendor's website.
ClamAV: 0.100.0 - 0.103.1
CPE2.3- cpe:2.3:a:clamav:clamav_antivirus:0.100.3:*:*:*:*:*:*:*
- cpe:2.3:a:clamav:clamav_antivirus:0.101.5:*:*:*:*:*:*:*
- cpe:2.3:a:clamav:clamav_antivirus:0.102.4:*:*:*:*:*:*:*
- cpe:2.3:a:clamav:clamav_antivirus:0.103.1:*:*:*:*:*:*:*
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-amp-imm-dll-tu79hvkO
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) NULL pointer dereference
EUVDB-ID: #VU52784
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-1405
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can send a specially crafted email to the server and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsClamAV: 0.10 - 0.103.1
CPE2.3 External linkshttps://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU52793
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-1404
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the PDF parsing module. A remote attacker can create a specially crafted PDF file, pass it to the application, trigger out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsClamAV: 0.103.0 - 0.103.1
CPE2.3https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Infinite loop
EUVDB-ID: #VU52792
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-1252
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in the Excel XLM macro parsing module. A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationInstall updates from vendor's website.
Vulnerable software versionsClamAV: 0.103.0 - 0.103.1
CPE2.3https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
