Package: clamav-daemon Version: 0.103.2+dfsg-2 Severity: important Hello,
this is spawned off https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1930393 where I reported the same bug for Ubuntu. Also affects Debian. It's a (non-critical) security vulnerability but the issue has already made public above. After the default installation of clamav-daemon, as clamd's service access socket (which also double as a control socket) is world read+writeable: $ namei -l /run/clamav/clamd.ctl f: /run/clamav/clamd.ctl drwxr-xr-x root root / drwxr-xr-x root root run drwxr-xr-x clamav root clamav srw-rw-rw- clamav clamav clamd.ctl (and needs to be for users to be able to pass files to scan, to use the service) and clamd doesn't seem to be doing any access control itself either, any local user can shutdown clamd by sending the SHUTDOWN (aka QUIT) command there: $ printf 'zSHUTDOWN\0' | socat - unix-connect:/run/clamav/clamd.ctl or just $ echo QUIT | socat - unix:/run/clamav/clamd.ctl For instance. Which makes it a denial of service vulnerability. Other commands such as RELOAD (clamdscan --reload) or STATS may also need to be restricted. That's with the current Debian testing version, but I'd expect it applies to all versions of Debian and derivative. It should probably be addressed upstreams by clamd checking the credentials of the incoming connection, or as Seth suggested by separating out the admin commands to a different (restricted) socket. -- Package-specific info: --- configuration --- Checking configuration files in /etc/clamav Config file: clamd.conf ----------------------- AlertExceedsMax disabled PreludeEnable disabled PreludeAnalyzerName = "ClamAV" LogFile = "/var/log/clamav/clamav.log" LogFileUnlock disabled LogFileMaxSize = "4294967295" LogTime = "yes" LogClean disabled LogSyslog disabled LogFacility = "LOG_LOCAL6" LogVerbose disabled LogRotate = "yes" ExtendedDetectionInfo = "yes" PidFile disabled TemporaryDirectory disabled DatabaseDirectory = "/var/lib/clamav" OfficialDatabaseOnly disabled LocalSocket = "/var/run/clamav/clamd.ctl" LocalSocketGroup = "clamav" LocalSocketMode = "666" FixStaleSocket = "yes" TCPSocket disabled TCPAddr disabled MaxConnectionQueueLength = "15" StreamMaxLength = "26214400" StreamMinPort = "1024" StreamMaxPort = "2048" MaxThreads = "12" ReadTimeout = "180" CommandReadTimeout = "30" SendBufTimeout = "200" MaxQueue = "100" IdleTimeout = "30" ExcludePath disabled MaxDirectoryRecursion = "15" FollowDirectorySymlinks disabled FollowFileSymlinks disabled CrossFilesystems = "yes" SelfCheck = "3600" ConcurrentDatabaseReload = "yes" DisableCache disabled VirusEvent disabled ExitOnOOM disabled AllowAllMatchScan = "yes" Foreground disabled Debug disabled LeaveTemporaryFiles disabled User = "clamav" Bytecode = "yes" BytecodeSecurity = "Paranoid" BytecodeTimeout = "60000" BytecodeUnsigned disabled BytecodeMode = "Auto" DetectPUA disabled ExcludePUA disabled IncludePUA disabled ScanPE = "yes" ScanELF = "yes" ScanMail = "yes" ScanPartialMessages disabled PhishingSignatures = "yes" PhishingScanURLs = "yes" HeuristicAlerts = "yes" HeuristicScanPrecedence disabled StructuredDataDetection disabled StructuredMinCreditCardCount = "3" StructuredMinSSNCount = "3" StructuredSSNFormatNormal = "yes" StructuredSSNFormatStripped disabled ScanHTML = "yes" ScanOLE2 = "yes" AlertBrokenExecutables disabled AlertBrokenMedia disabled AlertEncrypted disabled StructuredCCOnly disabled AlertEncryptedArchive disabled AlertEncryptedDoc disabled AlertOLE2Macros disabled AlertPhishingSSLMismatch disabled AlertPhishingCloak disabled AlertPartitionIntersection disabled ScanPDF = "yes" ScanSWF = "yes" ScanXMLDOCS = "yes" ScanHWP3 = "yes" ScanArchive = "yes" ForceToDisk disabled MaxScanTime = "120000" MaxScanSize = "104857600" MaxFileSize = "262144000" MaxRecursion = "16" MaxFiles = "10000" MaxEmbeddedPE = "10485760" MaxHTMLNormalize = "10485760" MaxHTMLNoTags = "2097152" MaxScriptNormalize = "5242880" MaxZipTypeRcg = "1048576" MaxPartitions = "50" MaxIconsPE = "100" MaxRecHWP3 = "16" PCREMatchLimit = "10000" PCRERecMatchLimit = "5000" PCREMaxFileSize = "26214400" OnAccessMountPath disabled OnAccessIncludePath disabled OnAccessExcludePath disabled OnAccessExcludeRootUID disabled OnAccessExcludeUID disabled OnAccessExcludeUname disabled OnAccessMaxFileSize = "5242880" OnAccessDisableDDD disabled OnAccessPrevention disabled OnAccessExtraScanning disabled OnAccessCurlTimeout = "5000" OnAccessMaxThreads = "5" OnAccessRetryAttempts disabled OnAccessDenyOnError disabled DevACOnly disabled DevACDepth disabled DevPerformance disabled DevLiblog disabled DisableCertCheck disabled AlgorithmicDetection = "yes" BlockMax disabled PhishingAlwaysBlockSSLMismatch disabled PhishingAlwaysBlockCloak disabled PartitionIntersection disabled OLE2BlockMacros disabled ArchiveBlockEncrypted disabled Config file: freshclam.conf --------------------------- LogFileMaxSize = "4294967295" LogTime = "yes" LogSyslog disabled LogFacility = "LOG_LOCAL6" LogVerbose disabled LogRotate = "yes" PidFile disabled DatabaseDirectory = "/var/lib/clamav" Foreground disabled Debug disabled UpdateLogFile = "/var/log/clamav/freshclam.log" DatabaseOwner = "clamav" Checks = "24" DNSDatabaseInfo = "current.cvd.clamav.net" DatabaseMirror = "db.local.clamav.net", "database.clamav.net" PrivateMirror disabled MaxAttempts = "5" ScriptedUpdates = "yes" TestDatabases = "yes" CompressLocalDatabase disabled ExtraDatabase disabled ExcludeDatabase disabled DatabaseCustomURL disabled HTTPProxyServer disabled HTTPProxyPort disabled HTTPProxyUsername disabled HTTPProxyPassword disabled HTTPUserAgent disabled NotifyClamd = "/etc/clamav/clamd.conf" OnUpdateExecute disabled OnErrorExecute disabled OnOutdatedExecute disabled LocalIPAddress disabled ConnectTimeout = "30" ReceiveTimeout disabled Bytecode = "yes" clamav-milter.conf not found Software settings ----------------- Version: 0.103.2 Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON Database information -------------------- Database directory: /var/lib/clamav bytecode.cld: version 333, sigs: 92, built on Mon Mar 8 15:21:51 2021 main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 13:56:15 2019 daily.cld: version 26193, sigs: 3987200, built on Sun Jun 6 12:10:20 2021 Total number of signatures: 8552194 Platform information -------------------- uname: Linux 5.10.0-6-amd64 #1 SMP Debian 5.10.28-1 (2021-04-09) x86_64 OS: linux-gnu, ARCH: x86_64, CPU: x86_64 Full OS version: Debian GNU/Linux 11 (bullseye) zlib version: 1.2.11 (1.2.11), compile flags: a9 platform id: 0x0a217b7b08000000000a0201 Build information ----------------- GNU C: 10.2.1 20210110 (10.2.1) CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2 CFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 CXXFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64 LDFLAGS: -Wl,-z,relro -Wl,-z,now -Wl,--as-needed Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security' sizeof(void*) = 8 Engine flevel: 123, dconf: 123 --- data dir --- total 434404 -rw-r--r-- 1 clamav clamav 1438720 Mar 8 16:18 bytecode.cld -rw-r--r-- 1 clamav clamav 325508096 Jun 7 08:07 daily.cld -rw-r--r-- 1 clamav clamav 117859675 Jun 9 2020 main.cvd -rw-r--r-- 1 root root 69 Apr 22 08:27 mirrors.dat drwxr-xr-x 2 clamav clamav 4096 Dec 18 08:31 tmp.8043069817 -- System Information: Debian Release: 11.0 APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (50, 'unstable-debug'), (50, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages clamav-daemon depends on: ii adduser 3.118 ii clamav-base 0.103.2+dfsg-2 ii clamav-freshclam [clamav-data] 0.103.2+dfsg-2 ii debconf [debconf-2.0] 1.5.75 ii dpkg 1.20.9 ii libc6 2.31-12 ii libclamav9 0.103.2+dfsg-2 ii libcurl4 7.74.0-1.2 ii libncurses6 6.2+20201114-2 ii libsystemd0 247.3-5 ii libtinfo6 6.2+20201114-2 ii lsb-base 11.1.0 ii procps 2:3.3.17-5 ii ucf 3.0043 ii zlib1g 1:1.2.11.dfsg-2 Versions of packages clamav-daemon recommends: ii clamdscan 0.103.2+dfsg-2 Versions of packages clamav-daemon suggests: ii apparmor 2.13.6-10 pn clamav-docs <none> pn daemon <none> pn libclamunrar <none> -- debconf-show failed
