ClamAV CVE-2023-20032 and CVE-2023-20052

Howdy all,

Heads up, if you use ClamAV for virus scanning, you need to be aware of (and do something about) this pretty serious vulnerability. I assume distros will release patched packages soon, if not already available, but in the meantime, you should disable antivirus scanning for all domains. If I understand it, this is a remotely exploitable bug allowing arbitrary code execution as the ClamAV user, but it is easily mitigable by simply not sending mail through ClamAV.

We do not provide ClamAV packages in any of our supported repositories, so we won’t be releasing any updates related to this. ClamAV in a Virtualmin installation comes from either your OS repositories (Debian/Ubuntu) or EPEL (CentOS/RHEL/Alma/Rocky). But, if you have a very old installation on CentOS or RHEL that was installed using the old Virtualmin repos and if you somehow still have our old ClamAV packages (they will have vm in the package version), you will need to plan to switch to our new repos, but you’ll also need to enable EPEL repos to install ClamAV from a maintained source. You similarly need to disable AV scanning for all domains until a patched package has been installed.

In summary: Don’t use ClamAV until you’ve been able to update to a new version that includes fixes for these security issues.

Debian 11 pushed out an update in the past day or so. But, looks like I might not be safe.
Open issues

| Bug | buster | bullseye | bookworm | sid | Description |
|---|---|---|---|---|---|
| CVE-2023-20052 | fixed | vulnerable (no DSA) | fixed | fixed | |
| CVE-2023-20032 | fixed | vulnerable (no DSA) | fixed | fixed | |

Formatting won’t hold, but it says everything but bullseye. I thought I was safe at first because they pushed out an update, I think last night. Maybe this info is stale.

Thanks for the heads up.

So to quickly disable virus scanning for all domains on a server:

```sh
# Turn off the ClamAV virus feature on every virtual server at once
virtualmin disable-feature --all-domains --virus
```
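As an added example, not code from the thread or from the Virtualmin project, the script below ties the two pieces of advice above together: it reads the installed ClamAV version, decides whether that version contains the fixes for CVE-2023-20032 and CVE-2023-20052, and only runs the disable command when it does not. The fixed release numbers (0.103.8, 0.105.2 and 1.0.1, with the 0.104 branch end-of-life and never patched) are my addition from the ClamAV release announcement; the thread does not quote them. The function names `parse_clamav_version`, `clamav_is_fixed` and `check_and_mitigate`, and the sample banner strings, are mine.

```sh
#!/bin/sh
# Added example, not code from the thread or from Virtualmin: check whether the
# installed ClamAV carries the CVE-2023-20032 / CVE-2023-20052 fixes and, if it
# does not, switch off the Virtualmin virus feature on every domain.
#
# Assumption (mine, not stated in the thread): the fixed releases are 0.103.8,
# 0.105.2 and 1.0.1; the 0.104 branch was end-of-life and never received a fix;
# 1.1 and later were released after the fix.

# Extract "x.y.z" from clamscan's banner, e.g. the constructed sample
# "ClamAV 0.103.8/26823/Tue Feb 21 08:16:30 2023" yields "0.103.8".
parse_clamav_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when VERSION contains the fix, 1 otherwise (usable as a shell condition).
clamav_is_fixed() {
    ver=$1
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # A two-component version such as "1.1" has no patch number.
    if [ "$patch" = "$rest" ]; then
        patch=0
    fi
    case "$major.$minor" in
        0.103) [ "$patch" -ge 8 ] ;;
        0.105) [ "$patch" -ge 2 ] ;;
        1.0)   [ "$patch" -ge 1 ] ;;
        *)
            # Every other 0.x branch (0.104 included) is unpatched;
            # anything from 1.1 on post-dates the fix.
            [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }
            ;;
    esac
}

# Inspect this host and apply the thread's mitigation only when it is needed.
check_and_mitigate() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; nothing to check" >&2
        return 0
    fi
    ver=$(parse_clamav_version "$(clamscan --version)")
    if clamav_is_fixed "$ver"; then
        echo "ClamAV $ver contains the fixes; virus scanning can stay enabled"
        return 0
    fi
    echo "ClamAV ${ver:-(unparsed)} is unpatched; disabling virus scanning for all domains" >&2
    if command -v virtualmin >/dev/null 2>&1; then
        virtualmin disable-feature --all-domains --virus
    else
        echo "virtualmin command not found; disable the virus feature by hand" >&2
        return 1
    fi
}

check_and_mitigate
```

Once the patched package is installed, `virtualmin enable-feature --all-domains --virus` turns scanning back on. The version test relies on the package carrying the upstream version number, which is how the Debian and EPEL ClamAV packages mentioned in the thread are versioned; a vendor that backported the fix without bumping the version would show up here as a false alarm, so check the package changelog in that case rather than trusting the number alone.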

The GUI gives the warning that it is configured to run in Vmin, so I ran a few test emails to make sure.

Update went through today on my system.

Thanks for the info!! Had not seen this patch/release. Just updated my RedHat 8 systems via EPEL 🙂
