FreeBSD : clamav -- ClamAV libclamav PE File Integer Overflow Vulnerability (be4b0529-dbaf-11dc-9791-000ea6702141)

Critical Nessus Plugin ID 31109


The remote FreeBSD host is missing a security-related update.


iDefense Security Advisory 02.12.08 :

Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process.

The vulnerability exists within the code responsible for parsing and scanning PE files. While iterating through all sections contained in the PE file, several attacker controlled values are extracted from the file. On each iteration, arithmetic operations are performed without taking into consideration 32-bit integer wrap.

Since insufficient integer overflow checks are present, an attacker can cause a heap overflow by causing a specially crafted Petite packed PE binary to be scanned. This results in an exploitable memory corruption condition.

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing. Workaround Disabling the scanning of PE files will prevent exploitation.

If using clamscan, this can be done by running clamscan with the '--no-pe' option.

If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.


Update the affected package.

See Also

Plugin Details

Severity: Critical

ID: 31109

File Name: freebsd_pkg_be4b0529dbaf11dc9791000ea6702141.nasl

Version: $Revision: 1.14 $

Type: local

Published: 2008/02/18

Modified: 2013/08/09

Dependencies: 12634

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:clamav, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2008/02/15

Vulnerability Publication Date: 2008/01/07

Reference Information

CVE: CVE-2008-0318

CWE: 189