Source: cve@mitre.org
ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows remote attackers to bypass the scanner via a Base64-UUEncoded file.
ClamAV 0.92 is vulnerable to a critical scanner bypass: because the engine does not recognize Base64-UUEncoded archives, an attacker can upload or otherwise deliver a malicious file in that encoding and it passes the scanner without being inspected, which can lead to system compromise if the file is later opened or processed. This vulnerability poses a significant risk to organizations relying on ClamAV for endpoint protection and email security.
Step 1: Payload Preparation: The attacker crafts a malicious file (e.g., a trojan, virus, or other malware).
Step 2: Encoding: The malicious file is encoded using Base64 and then further encoded using UUEncoding (UUEncode). This double-encoding obfuscates the payload.
Step 3: Delivery: The attacker delivers the encoded file to a system protected by ClamAV 0.92, typically via email, web upload, or network share.
Step 4: Bypass: ClamAV 0.92, due to its parsing flaw, fails to recognize the Base64-UUEncoded file as a threat.
Step 5: Execution (if applicable): If the file is subsequently executed (e.g., by a user opening an attachment or a server processing the file), the malicious payload is activated, leading to system compromise.
The vulnerability stems from a parsing flaw in ClamAV 0.92: the scanner's file type identification does not recognize Base64-UUEncoded archives, so the code that would unpack and analyze them is never applied and the encoded content passes through without being decoded or matched against signatures. The root cause is a missing or incomplete implementation of the decoding logic for Base64-UUEncoded data, allowing malicious content to pass through undetected. This is not a buffer overflow or race condition but a logic flaw in the file type identification and processing routines.
While no specific APT groups are definitively linked to the exploitation of this specific CVE, the nature of the vulnerability makes it attractive to a wide range of threat actors. The ability to bypass a common antivirus solution is a valuable tactic. This CVE is not currently listed on the CISA KEV catalog, but its potential for impact warrants monitoring.
Network traffic analysis: Look for unusual Base64-UUEncoded data transfers, especially in email or HTTP traffic.
File system monitoring: Monitor for the presence of files with unusual extensions or characteristics that could indicate a malicious payload.
Log analysis: Review ClamAV logs for errors or warnings during file processing, and for files that were scanned but produced no detection when one was expected.
Endpoint detection and response (EDR) solutions: Utilize EDR tools to identify suspicious file execution or process behavior after a potential bypass.
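The following is an added example, not ClamAV code and not from the CVE record, illustrating both the root-cause paragraph above (a scanner that matches signatures only on the raw bytes never sees content wrapped in an encoding it does not recognize) and the detection guidance (spotting uuencode framing in a message body). It assumes that "Base64-UUEncoded" refers to the `begin-base64` header variant of uuencode (the format written by `uuencode -m`), alongside classic `begin <mode> <name>` framing; the signature string, sample payload and all function names (`scan`, `scan_raw_only`, `detect_uuencode_variant`, `decode_uuencode`) are constructed for this demonstration. The `scan` function peels recognized encoding layers before matching, and also handles a bare base64 body nested inside the uuencode framing, so it covers the double-encoding sequence described in Step 2.

```python
import base64
import binascii
import re

# Constructed test signature for this demo only; a real engine matches its own database.
SIGNATURES = [b"CONSTRUCTED-TEST-MARKER-12345"]

# uuencode header lines: classic "begin <mode> <name>" and the base64 variant
# "begin-base64 <mode> <name>" (the format written by `uuencode -m`; an assumption
# about what the page calls a Base64-UUEncoded archive).
CLASSIC_HDR = re.compile(rb"^begin [0-7]{3,4} \S+")
B64_HDR = re.compile(rb"^begin-base64 [0-7]{3,4} \S+")


def detect_uuencode_variant(data: bytes):
    """Return 'classic', 'base64' or None depending on which header line appears."""
    for line in data.splitlines():
        if B64_HDR.match(line):
            return "base64"
        if CLASSIC_HDR.match(line):
            return "classic"
    return None


def decode_uuencode(data: bytes) -> bytes:
    """Decode the first uuencoded member found in data (either variant)."""
    variant = detect_uuencode_variant(data)
    if variant is None:
        raise ValueError("no uuencode header found")
    hdr = B64_HDR if variant == "base64" else CLASSIC_HDR
    lines = data.splitlines()
    start = next(i for i, line in enumerate(lines) if hdr.match(line))
    chunks = []
    for line in lines[start + 1:]:
        stripped = line.strip()
        if variant == "base64":
            if stripped == b"====":          # terminator of the base64 variant
                break
            chunks.append(base64.b64decode(stripped, validate=True))
        else:
            if stripped == b"end":           # terminator of classic uuencode
                break
            if stripped in (b"", b"`"):      # empty or zero-length final line
                continue
            chunks.append(binascii.a2b_uu(line))
    return b"".join(chunks)


def looks_like_bare_base64(data: bytes) -> bool:
    """True for a body that is nothing but base64 text with no framing at all."""
    compact = b"".join(data.split())
    return (len(compact) >= 4 and len(compact) % 4 == 0
            and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact) is not None)


def scan_raw_only(data: bytes) -> bool:
    """Signature match on the bytes as received, with no decoding layer (the 0.92 behaviour)."""
    return any(sig in data for sig in SIGNATURES)


def scan(data: bytes, depth: int = 0, max_depth: int = 4) -> bool:
    """Match signatures after peeling recognized encoding layers, up to max_depth."""
    if scan_raw_only(data):
        return True
    if depth >= max_depth:
        return False
    try:
        if detect_uuencode_variant(data) is not None:
            return scan(decode_uuencode(data), depth + 1, max_depth)
        if looks_like_bare_base64(data):
            inner = base64.b64decode(b"".join(data.split()), validate=True)
            return scan(inner, depth + 1, max_depth)
    except (ValueError, binascii.Error):
        return False
    return False


# --- constructed samples used to exercise the scanner --------------------------
def uuencode_classic(payload: bytes, name: bytes = b"sample.bin") -> bytes:
    lines = [b"begin 644 " + name]
    for i in range(0, len(payload), 45):
        lines.append(binascii.b2a_uu(payload[i:i + 45]).rstrip(b"\n"))
    lines += [b"`", b"end"]
    return b"\n".join(lines) + b"\n"


def uuencode_base64(payload: bytes, name: bytes = b"sample.bin") -> bytes:
    return b"begin-base64 644 " + name + b"\n" + base64.encodebytes(payload) + b"====\n"


def base64_then_uuencode(payload: bytes) -> bytes:
    """Models the double-encoding sequence in Step 2: base64 first, then classic uuencode."""
    return uuencode_classic(base64.b64encode(payload))


if __name__ == "__main__":
    sample = b"benign header " + SIGNATURES[0] + b" trailer"
    for label, blob in [("plain", sample),
                        ("classic uuencode", uuencode_classic(sample)),
                        ("base64 uuencode", uuencode_base64(sample)),
                        ("base64 inside uuencode", base64_then_uuencode(sample))]:
        print(f"{label:24s} raw-only={scan_raw_only(blob)}  with-decoding={scan(blob)}")
```

Running the block prints one line per sample: the raw-only scanner matches only the plain payload, while `scan` matches all four because it recognizes both uuencode headers and decodes before matching. The depth limit bounds the work an adversarial nesting chain can cause, which is the usual trade-off when adding decoding layers to a scanner.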
Upgrade to a patched version of ClamAV (0.92.1 or later) that addresses the vulnerability.
Implement a defense-in-depth strategy, including multiple layers of security, such as a web application firewall (WAF) to filter malicious uploads.
Use a more robust anti-malware solution that includes more comprehensive file type detection and decoding capabilities.
Educate users about the risks of opening attachments from untrusted sources.
Regularly update all security software and systems.