As of today, 23rd February 2023, we have updated all Mail × Lightspeed (including legacy on-premise picoMail and picoOne servers) to the 1.0.1 critical patch version for ClamAV.
Due to the power of container virtualization, Lightspeed does not depend on the host OS (e.g. Red Hat) to update the package and is instead able to update each critical subsystem directly from upstream source (in this case Cisco Systems). This greatly improves the speed at which patches are applied, and improves security substantially.
ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy and cannot be patched. Strangely, 0.103 and 0.105 have patches available. Regardless, we have updated all mail servers on any of the 0.103, 0.104, 0.105 and 1.0 code branches to version 1.0.1 to simplify systems management and enhance security.
Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component.
Technical details for CVE-2023-20032 and a proof-of-concept sample to demonstrate the buffer overflow were unfortunately made publicly available, which made this an especially urgent patch, so we apologize that we were unable to send pre-upgrade announcement emails.
Cisco itself has rolled out security updates to address this CVE across a broad range of security devices including (but not limited to):
- Secure Endpoint, formerly Advanced Malware Protection (AMP) for Endpoints (Windows, macOS, and Linux)
- Secure Endpoint Private Cloud, and
- Secure Web Appliance, formerly Web Security Appliance
The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Google security engineer Simon Scannell has been credited with discovering and reporting the bug.
Public Service Announcement: Any mail servers not managed by Lightspeed should update as soon as possible to patch for the remote code execution vulnerability and the remote information leak vulnerability.
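For administrators checking their own hosts, the following is an added example (not Lightspeed's or ClamAV's own tooling) that classifies a `clamscan --version` banner against the affected ranges given in this advisory (1.0.0 and earlier, 0.105.1 and earlier, 0.103.7 and earlier, with 0.104 end-of-life). The banner strings are constructed samples, and treating branches newer than 1.0 as already fixed is an assumption.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release on each maintained branch per the ClamAV 1.0.1 advisory.
FIXED_BY_BRANCH = {
    (1, 0): (1, 0, 1),
    (0, 105): (0, 105, 2),
    (0, 103): (0, 103, 8),
}
# 0.104 is end-of-life: no patched release exists, so every 0.104.x stays affected.
EOL_BRANCHES = {(0, 104)}


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from output such as
    'ClamAV 1.0.0/26811/Mon Feb 20 08:21:37 2023'. Returns None if absent."""
    m = re.search(r"ClamAV\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(banner: str) -> str:
    """Return 'patched', 'vulnerable', 'eol-vulnerable' or 'unknown'."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    branch = v[:2]
    if branch in EOL_BRANCHES:
        return "eol-vulnerable"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # Assumption: branches newer than 1.0 shipped after the fix; anything
        # older than 0.103 falls under "1.0.0 and earlier" and is unpatched.
        return "patched" if v > (1, 0, 1) else "vulnerable"
    return "patched" if v >= fixed else "vulnerable"


def assess_local_host() -> str:
    """Run clamscan on this machine and classify it; 'unknown' if not installed."""
    try:
        out = subprocess.run(["clamscan", "--version"], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return assess(out)


if __name__ == "__main__":
    # Constructed sample banners covering each branch named in the advisory.
    for b in ["ClamAV 1.0.0/26811/Mon Feb 20 08:21:37 2023", "ClamAV 1.0.1",
              "ClamAV 0.105.1", "ClamAV 0.105.2", "ClamAV 0.104.4",
              "ClamAV 0.103.7", "ClamAV 0.103.8"]:
        print(f"{b:45} -> {assess(b)}")
```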
1.0.1
ClamAV 1.0.1 is a critical patch release with the following fixes:
- CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
- CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
- Fix an allmatch detection issue with the preclass bytecode hook.
  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/825
- Update the vendored libmspack library to version 0.11alpha.
  - GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/828