-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.4695
  ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability
                              17 August 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Secure Endpoint Connector for Linux
                   Secure Endpoint Connector for MacOS
                   Secure Endpoint Connector for Windows
                   Secure Endpoint Private Cloud
Publisher:         Cisco Systems
Operating System:  Cisco
                   Windows
                   Linux variants
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-20197  

Original Bulletin: 
   https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-rNwNEEee

Comment: CVSS (Max):  7.5 CVE-2023-20197 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-clamav-rNwNEEee
First Published: 2023 August 16 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCwf39307 CSCwf39308 CSCwf39309 CSCwf39310
CVE Names:       CVE-2023-20197

Summary

  o A vulnerability in the filesystem image parser for Hierarchical File System
    Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to
    cause a denial of service (DoS) condition on an affected device.

    This vulnerability is due to an incorrect check for completion when a file
    is decompressed, which may result in a loop condition that could cause the
    affected software to stop responding. An attacker could exploit this
    vulnerability by submitting a crafted HFS+ filesystem image to be scanned
    by ClamAV on an affected device. A successful exploit could allow the
    attacker to cause the ClamAV scanning process to stop responding, resulting
    in a DoS condition on the affected software and consuming available system
    resources.

    For a description of this vulnerability, see the ClamAV blog .

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-rNwNEEee

Affected Products

  o The Vulnerable Products section includes Cisco bug IDs for each affected
    product. The bugs are accessible through the Cisco Bug Search Tool and
    contain additional platform-specific information, including workarounds (if
    available) and fixed software releases.

    Vulnerable Products

    The following table lists Cisco products that are affected by the
    vulnerability that is described in this advisory. Customers should refer to
    the associated Cisco bug IDs for further details.

    Affected Cisco       CVSS     Security     Cisco Bug  First Fixed Release
    Software Platform    Base     Impact       ID
                         Score    Rating
    Secure Endpoint      5.3      Medium       CSCwf39307 1.22.0
    Connector for Linux
    Secure Endpoint      5.3      Medium       CSCwf39308 1.22.0
    Connector for MacOS
    Secure Endpoint                                       7.5.13.21586
    Connector for        7.5      High         CSCwf39309 8.1.7.21585
    Windows
    Secure Endpoint      7.5      High         CSCwf39310 3.8.0 or later with
    Private Cloud                                         updated connectors

    Cisco products may be impacted differently depending on implementation and
    usage of ClamAV. For information the effects of this vulnerability on
    specific Cisco products, see the Details section.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower Threat Defense Software
       Secure Email Appliance, formerly Email Security Appliance
       Secure Web Appliance

    Attention: Simplifying the Cisco portfolio includes the renaming of
    security products under one brand: Cisco Secure. For more information, see
    Meet Cisco Secure .

Details

  o Details about the potential effects of the vulnerability on each platform
    are as follows:

    Impacts of ClamAV DoS Vulnerability on Windows Platforms

    The Security Impact Rating (SIR) for this vulnerability is High only for
    Windows-based platforms because those platforms run the ClamAV scanning
    process as a service that could enter a loop condition, which would consume
    available CPU resources and delay or prevent further scanning operations.
    See the Assessing Security Risk section of the Cisco Security Vulnerability
    Policy for information about vulnerability scoring and SIRs.

    A vulnerability in the HFS+ filesystem image parser of ClamAV could allow
    an attacker to cause Cisco Secure Endpoint Connector for Windows to enter a
    loop and stop responding, resulting in a DoS condition. Cisco Secure
    Endpoint Connector for Windows, which is distributed from Cisco Secure
    Endpoint Private Cloud, is affected by this vulnerability.

    Bug ID(s): CSCwf39309
    Security Impact Rating (SIR): High
    CVSS Base Score: 7.5
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Impacts of ClamAV DoS Vulnerability on Linux and MacOS Platforms

    The SIR for this vulnerability is Medium on Linux and Mac platforms because
    those platforms run the ClamAV scanning process in a separate,
    lower-privileged security context. See the Assessing Security Risk section
    of the Cisco Security Vulnerability Policy for information about
    vulnerability scoring and SIRs.

    A vulnerability in the HFS+ filesystem image parser of ClamAV could allow
    an attacker to cause Cisco Secure Endpoint Connector for Linux or MacOS to
    become unresponsive and recover on its own, with limited impact to
    application functionality. Cisco Secure Endpoint Connector for Linux and
    Secure Endpoint Connector for MacOS, which are distributed from Cisco
    Secure Endpoint Private Cloud, are affected by this vulnerability.

    Bug ID(s): CSCwf39307 , CSCwf39308
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 5.3
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For information about fixed software releases , consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    Customers are advised to upgrade to an appropriate fixed software release 
    as indicated in the following table(s):

    Affected Cisco Software Platform    First Fixed Release
    Secure Endpoint Connector for Linux 1.22.0 ^1
    Secure Endpoint Connector for MacOS 1.22.0 ^1
    Secure Endpoint Connector for       7.5.13.21586 ^1
    Windows                             8.1.7.21585 ^1
    Secure Endpoint Private Cloud       3.8.0 or later with updated connectors
                                        ^2

    1. Updated releases of Cisco Secure Endpoint Connector are available
    through the Cisco Secure Endpoint portal. Depending on the configured
    policy, Cisco Secure Endpoint Connector will automatically update.
    2. Affected releases of Cisco Secure Endpoint Connector clients for Cisco
    Secure Endpoint Private Cloud have been updated in the connectors
    repository. Customers will get these connector updates through normal
    content update processes.

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is aware that proof-of-concept exploit code is available
    for the vulnerability that is described in this advisory.

    The Cisco PSIRT is not aware of any malicious use of the vulnerability that
    is described in this advisory.

Source

  o Cisco would like to thank Steve Smith for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

Related to This Advisory

  o 

URL

  o https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-rNwNEEee

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  |        Description        | Section  | Status |     Date     |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2023-AUG-16  |
    +----------+---------------------------+----------+--------+--------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZN1/OckNZI30y1K9AQjr8w/+IQtk6krJZeiJQs+axVExKPmD65uuBiig
oW2pBxCVCpmQ0EqfoM7nAmzzFm4+F6XissF4b80+h5l0ViUcdV2DxEauJnVaJiYe
M0/VRJAVVS308mzpORF7BbSI1Gm5NcUycoG6T+ftutXyN3faRT00h8w+Ioew6l3+
DkYahD2kdktwQjHdkDDtt7fLk6ifpK6mhNXPfqCgleNMFCtOvANgJNtxeTVG4JeX
X6yhbuwiNYTYJowZCk94vYhbWqRYa57ikw1u53DZQFKUtrZ7QQwTlqk7DTKc56ZI
5a+T4Uk8CKA2tsm1Bii5mczF9we4Sb8EkcFtbXJr1fVM7ukmKXcCgrg0RhErZMpr
7HecxWbYzAETATH3APupfU9OAE7jSdtEedLufOE2EmFO/a0MxqjT3c7MzADtYr4n
dnpS4furrffirJHk0fTaQguKlZkEtrFB8DVc4VJ25+me8mjNVRATI6Bgq6lPDlFQ
iX3XsezIeaRSPHoHU23TfLlqvZKBxlAT8D1K541nFJwaX3SLpciQyCcoWlV8nx3k
3SraMsJGwjx7Yi0xVNfBu4cbFUMD1Cw5d/oqC9shmO/R25+MBopAfeHtOdcMN6eb
rV9YADQ2kMuOenJ+BQdPaz4Cwu+7SIUcWcOdDjmUI4POxioLsi0ukLQ/cmguDsAT
HSMOLjMZxko=
=vkLZ
-----END PGP SIGNATURE-----