Re: [clamav-users] Injection Vulnerability in 0.99.2

2017-11-02 Thread Nathan Gibbs
Interesting,

Some favorite ClamAV bugs from 2011 have been "rediscovered".
:-)

Also, from a pen tester's view, the important point is that this attack
surface does exist.

User-side network hardening issues & misunderstanding of clamd
configuration options may be irrelevant.

Specifically, "misunderstanding" configuration options have led to
interesting & publicly undisclosed discoveries useful to pen testers.
:-)

-- 
Sincerely,
Nathan Gibbs

On 9/28/2017 17:45, Mickey Sola wrote:
> That's because you've gotten to the heart of the matter.
> 
> There's no real bug or code related vulnerability here; it's a user-side
> network hardening issue combined with a misunderstanding of clamd
> configuration options that allows for this attack surface to exist.
> 
> As Steve has already pointed out, sound network security practices make
> this a non-issue. Among other things, we're looking into improving the
> configuration experience in coming releases of Clam, but for now, there's
> already a solution to this problem.
> 
> - Mickey
> 
> On Thu, Sep 28, 2017 at 5:23 PM, Reindl Harald wrote:
> 
>>
>>
>> On 28.09.2017 at 23:02 Steven Morgan wrote:
>>
>>> The fact that using clamd over TCP has insecurities has come up before. If
>>> using clamd, it is recommended to use the local socket option rather than
>>> a TCP socket.
>>>
>>> # The daemon can work in local mode, network mode or both.
>>> # Due to security reasons we recommend the local mode.
>>>
>>> Until it is fixed, only use TCP sockets on externally secured networks
>>>
>>
>> sorry, but that is hardly related to whatever bug and can be said for any
>> service in general
>>
>> ___
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>

Re: [clamav-users] Injection Vulnerability in 0.99.2

2017-09-28 Thread Mickey Sola
That's because you've gotten to the heart of the matter.

There's no real bug or code related vulnerability here; it's a user-side
network hardening issue combined with a misunderstanding of clamd
configuration options that allows for this attack surface to exist.

As Steve has already pointed out, sound network security practices make
this a non-issue. Among other things, we're looking into improving the
configuration experience in coming releases of Clam, but for now, there's
already a solution to this problem.

- Mickey

On Thu, Sep 28, 2017 at 5:23 PM, Reindl Harald wrote:

>
>
> On 28.09.2017 at 23:02 Steven Morgan wrote:
>
>> The fact that using clamd over TCP has insecurities has come up before. If
>> using clamd, it is recommended to use the local socket option rather than
>> a TCP socket.
>>
>> # The daemon can work in local mode, network mode or both.
>> # Due to security reasons we recommend the local mode.
>>
>> Until it is fixed, only use TCP sockets on externally secured networks
>>
>
> sorry, but that is hardly related to whatever bug and can be said for any
> service in general
>


Re: [clamav-users] Injection Vulnerability in 0.99.2

2017-09-28 Thread Reindl Harald



On 28.09.2017 at 23:02 Steven Morgan wrote:

The fact that using clamd over TCP has insecurities has come up before. If
using clamd, it is recommended to use the local socket option rather than a
TCP socket.

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

Until it is fixed, only use TCP sockets on externally secured networks


sorry, but that is hardly related to whatever bug and can be said for 
any service in general



Re: [clamav-users] Injection Vulnerability in 0.99.2

2017-09-28 Thread Steven Morgan
Hi,

The fact that using clamd over TCP has insecurities has come up before. If
using clamd, it is recommended to use the local socket option rather than a
TCP socket.

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

Until it is fixed, only use TCP sockets on externally secured networks.
Also check the TCPAddr clamd configuration statement:

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1

Steve

On Thu, Sep 28, 2017 at 4:47 PM, Al Varnell wrote:

> The URL was corrupted in the e-mail I received. See if this works:
>  1.4.1.25623.1.0.105762>
>
> And quoting the info found there:
> > Test ID:  1.3.6.1.4.1.25623.1.0.105762
> > Category: General
> > Title:ClamAV `Service Commands` Injection Vulnerability
> > Summary:  ClamAV 0.99.2, and possibly other previous versions, allow
> the execution of clamav commands SCAN and SHUTDOWN without authentication.
> > Description:  Summary:
> > ClamAV 0.99.2, and possibly other previous versions, allow the execution
> of clamav commands SCAN and SHUTDOWN without authentication.
> >
> > CVSS Score:
> > 5.0
> >
> > CVSS Vector:
> > AV:N/AC:L/Au:N/C:P/I:N/A:N
> >
> > Copyright Copyright (C) 2016 Greenbone Networks GmbH
>
> -Al-
>
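As an added example (not from this thread or the ClamAV project), a small Python audit of the clamd.conf settings Steve points to: it flags a TCPSocket with no TCPAddr (the INADDR_ANY default), TCPAddr values outside loopback, and a missing LocalSocket. LocalSocket, TCPSocket and TCPAddr are real clamd.conf directives; the sample configurations in the block are constructed.

```python
# Added example, not from the thread or the ClamAV project: audit a clamd.conf
# for the TCP exposure discussed above. LocalSocket, TCPSocket and TCPAddr are
# real clamd.conf directives; the sample configurations below are constructed.
import ipaddress

def _is_loopback(addr):
    """True for 127.0.0.1, ::1 or 'localhost'; hostnames or garbage count as exposed."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def parse_clamd_conf(text):
    """Return {directive: [values]} in file order ('#' lines are comments, TCPAddr may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip().replace("\t", " ")
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf

def audit_clamd_conf(text):
    """List network-exposure findings; an empty list means nothing to flag."""
    conf = parse_clamd_conf(text)
    findings = []
    if "TCPSocket" not in conf:
        return findings                      # local mode only: nothing exposed
    port = conf["TCPSocket"][-1]
    addrs = conf.get("TCPAddr", [])
    if not addrs:                            # the INADDR_ANY default Steve quotes
        findings.append(f"TCPSocket {port} without TCPAddr binds INADDR_ANY")
    for addr in addrs:
        if not _is_loopback(addr):
            findings.append(f"TCPAddr {addr}: unauthenticated SCAN/SHUTDOWN reachable from the network")
    if "LocalSocket" not in conf:
        findings.append("no LocalSocket: local mode is the recommended setting")
    return findings

WEAK = "TCPSocket 3310\nLogFile /var/log/clamav/clamd.log\n"   # constructed sample
HARDENED = ("LocalSocket /var/run/clamav/clamd.ctl\n"           # constructed sample
            "TCPSocket 3310\nTCPAddr 127.0.0.1\nTCPAddr ::1\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_clamd_conf(cfg) or ["OK"])
```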


Re: [clamav-users] Injection Vulnerability in 0.99.2

2017-09-28 Thread Al Varnell
The URL was corrupted in the e-mail I received. See if this works:


And quoting the info found there:
> Test ID:  1.3.6.1.4.1.25623.1.0.105762
> Category: General
> Title:ClamAV `Service Commands` Injection Vulnerability
> Summary:  ClamAV 0.99.2, and possibly other previous versions, allow the 
> execution of clamav commands SCAN and SHUTDOWN without authentication.
> Description:  Summary:
> ClamAV 0.99.2, and possibly other previous versions, allow the execution of 
> clamav commands SCAN and SHUTDOWN without authentication.
> 
> CVSS Score:
> 5.0
> 
> CVSS Vector:
> AV:N/AC:L/Au:N/C:P/I:N/A:N
> 
> Copyright Copyright (C) 2016 Greenbone Networks GmbH

-Al-

On Thu, Sep 28, 2017 at 01:42 PM, Jonathan Stockley wrote:
> 
> Hi,
> We've been using ClamAV 0.99.2 for some time. Our security team has
> recently done a scan and reported that this version of ClamAV has the
> injection vulnerability cited here:
> http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.
> 105762
> 
> 
> I checked and 0.99.2 is the latest stable release with 0.99.3 in beta.
> Is the cited vulnerability fixed in the 0.99.3-beta1 release?
> If not, is there an approximate time for when this will be fixed?
> 
> Thanks,
> Jo

[clamav-users] Injection Vulnerability in 0.99.2

2017-09-28 Thread Jonathan Stockley
Hi,
We've been using ClamAV 0.99.2 for some time. Our security team has
recently done a scan and reported that this version of ClamAV has the
injection vulnerability cited here:
http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.
105762


I checked and 0.99.2 is the latest stable release with 0.99.3 in beta.
Is the cited vulnerability fixed in the 0.99.3-beta1 release?
If not, is there an approximate time for when this will be fixed?

Thanks,
Jo
