Admins, patch your Cisco enterprise security solutions! (CVE-2023-20032)
Cisco has released security updates for several of its enterprise security and networking products, fixing (among other things):
- A critical vulnerability (CVE-2023-20032) in the ClamAV scanning library used by its Secure Endpoint, Secure Endpoint Private Cloud, and Secure Web Appliance, and
- High-risk vulnerabilities (CVE-2023-20009, CVE-2023-20075) affecting Email Security Appliance and Cisco Secure Email and Web Manager, proof-of-concept (PoC) exploit code for which is already available.
About the vulnerabilities
CVE-2023-20032 is a vulnerability in the HFS+ partition file parser of various versions of ClamAV, a free cross-platform antimalware toolkit maintained by Cisco Talos.
“This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition,” Cisco explained.
Versions of ClamAV including the fix – and a fix for CVE-2023-20052, an information leak flaw – have been released on Wednesday, but since the library is also used in the Secure Web Appliance and Secure Endpoint solutions and there is no workaround, those have to be updated as well.
The good news is that none of these flaws are being actively exploited.
But admins in charge of Email Security Appliances and Cisco Secure Email and Web Manager instances should implement the security updates quickly, to fix a privilege escalation (CVE-2023-20009) and command injection vulnerability (CVE-2023-20075).
Exploiting those requires attackers to get their hands on valid user credentials, but once they have them, they can exploit the flaws to elevate their privileges to root and execute arbitrary commands on an affected device. As noted before, a PoC exploit for both is available (though it’s unclear of whether it’s online or not).