Auctioneer hyping sale of 'ravaging' ClamAV vulnerability

Summary: The WabiSabiLabi vulnerability auction house is hyping the sale of a potentially nasty remote code execution flaw in ClamAV, the popular open-source anti-virus toolkit recently acquired by Sourcefire.

TOPICS: Servers, Security
The WabiSabiLabi vulnerability auction house is hyping the sale of a potentially nasty remote code execution flaw in ClamAV, the popular open-source anti-virus toolkit recently acquired by Sourcefire.

WabiSabiLabi, which positions itself as the eBay of software vulnerabilities, said the flaw can be exploited by simply sending a specially crafted e-mail to the vulnerable mail server.

[SEE: Questions swirl as Sourcefire buys ClamAV ]

In a blog entry dedicated to this ClamAV bug, WabiSabiLabi said the vulnerability (and reliable proof-of-concept exploit code) allows a malicious user to execute arbitrary code on the machine running one of the utilities of the ClamAV suite.

The latest verified vulnerable version is 0.91.1 but other versions could be affected as well. As you can obviously imagine, the impact of this vulnerability is ravaging.

At 10:53 AM today, there were no bids on the flaw, which opens at 500€ (US$732).

When exploited, the vulnerability allows an attacker to execute arbitrary code on the target machine in the context of the user running the affected application and to have a "base" on the local network/DMZ, thus having the possibility to escalate privileges (if needed) and compromise other servers near the attacked one.

Of course, as it's an anti-virus engine designed for mail servers, the attacker can locally escalate his privileges and get access to all the mail traffic to and from the company just by sniffing the traffic on the compromised machine.

In a home scenario, even if ClamAV is not widely used in such environments, the impact can also be high. If a home computer is compromised, the attacker can access documents and files stored on that computer and use this information to gain higher privileges.

[SEE: Trend Micro, Zone Labs, ClamAV join list of insecure security products ]

WabiSabiLabi is also brokering the sale of vulnerabilities in Apple's QuickTime (client side remote code execution), IBM DB2 (there's a single bid on one of the DB2 holes), RealNetworks's Helix Server, Samba, FreeBSD and Novell eDirectory.

Talkback

1 comment
  • ClamAV 0.91.2

    Users should update to the most current version of ClamAV: 0.91.2

    BTW, SpamAssassin and ClamAV work well with Kmail (installation wizards found on the Tools menu). I fetchmail Gmail IMAP, postfix (port 25 SMTP) to dovecot IMAP, which the Kmail client pipes to SpamAssassin and ClamAV before reading any email header.

    .fetchmailrc is set up with cron to poll Gmail every 5 minutes.
    There are how-tos at dovecot (http://wiki.dovecot.org/).

    Be Safe Folks!
    D T Schmitz