[Pkg-clamav-devel] Bug#989549: clamav-daemon: any local user can shut clamd down via control socket
Stephane Chazelas
stephane at chazelas.org
Mon Jun 7 10:24:58 BST 2021
Package: clamav-daemon
Version: 0.103.2+dfsg-2
Severity: important
Hello,
this is spawned off
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1930393
where I reported the same bug for Ubuntu. Also affects Debian.
It's a (non-critical) security vulnerability but the issue has
already made public above.
After the default installation of clamav-daemon, as clamd's
service access socket (which also double as a control socket) is
world read+writeable:
$ namei -l /run/clamav/clamd.ctl
f: /run/clamav/clamd.ctl
drwxr-xr-x root root /
drwxr-xr-x root root run
drwxr-xr-x clamav root clamav
srw-rw-rw- clamav clamav clamd.ctl
(and needs to be for users to be able to pass files to scan, to
use the service)
and clamd doesn't seem to be doing any access control itself
either, any local user can shutdown clamd by sending the
SHUTDOWN (aka QUIT) command there:
$ printf 'zSHUTDOWN\0' | socat - unix-connect:/run/clamav/clamd.ctl
or just
$ echo QUIT | socat - unix:/run/clamav/clamd.ctl
For instance. Which makes it a denial of service vulnerability.
Other commands such as RELOAD (clamdscan --reload) or STATS may also need to be restricted.
That's with the current Debian testing version, but I'd expect it
applies to all versions of Debian and derivative.
It should probably be addressed upstreams by clamd checking the
credentials of the incoming connection, or as Seth suggested by
separating out the admin commands to a different (restricted)
socket.
-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav
Config file: clamd.conf
-----------------------
AlertExceedsMax disabled
PreludeEnable disabled
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "30"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
ConcurrentDatabaseReload = "yes"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
Bytecode = "yes"
BytecodeSecurity = "Paranoid"
BytecodeTimeout = "60000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
ScanPE = "yes"
ScanELF = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
HeuristicAlerts = "yes"
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
AlertBrokenExecutables disabled
AlertBrokenMedia disabled
AlertEncrypted disabled
StructuredCCOnly disabled
AlertEncryptedArchive disabled
AlertEncryptedDoc disabled
AlertOLE2Macros disabled
AlertPhishingSSLMismatch disabled
AlertPhishingCloak disabled
AlertPartitionIntersection disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ForceToDisk disabled
MaxScanTime = "120000"
MaxScanSize = "104857600"
MaxFileSize = "262144000"
MaxRecursion = "16"
MaxFiles = "10000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeRootUID disabled
OnAccessExcludeUID disabled
OnAccessExcludeUname disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
OnAccessCurlTimeout = "5000"
OnAccessMaxThreads = "5"
OnAccessRetryAttempts disabled
OnAccessDenyOnError disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled
AlgorithmicDetection = "yes"
BlockMax disabled
PhishingAlwaysBlockSSLMismatch disabled
PhishingAlwaysBlockCloak disabled
PartitionIntersection disabled
OLE2BlockMacros disabled
ArchiveBlockEncrypted disabled
Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
ExcludeDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout disabled
Bytecode = "yes"
clamav-milter.conf not found
Software settings
-----------------
Version: 0.103.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON
Database information
--------------------
Database directory: /var/lib/clamav
bytecode.cld: version 333, sigs: 92, built on Mon Mar 8 15:21:51 2021
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 13:56:15 2019
daily.cld: version 26193, sigs: 3987200, built on Sun Jun 6 12:10:20 2021
Total number of signatures: 8552194
Platform information
--------------------
uname: Linux 5.10.0-6-amd64 #1 SMP Debian 5.10.28-1 (2021-04-09) x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Debian GNU/Linux 11 (bullseye)
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217b7b08000000000a0201
Build information
-----------------
GNU C: 10.2.1 20210110 (10.2.1)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -ffile-prefix-map=/build/clamav-OKYrWI/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 8
Engine flevel: 123, dconf: 123
--- data dir ---
total 434404
-rw-r--r-- 1 clamav clamav 1438720 Mar 8 16:18 bytecode.cld
-rw-r--r-- 1 clamav clamav 325508096 Jun 7 08:07 daily.cld
-rw-r--r-- 1 clamav clamav 117859675 Jun 9 2020 main.cvd
-rw-r--r-- 1 root root 69 Apr 22 08:27 mirrors.dat
drwxr-xr-x 2 clamav clamav 4096 Dec 18 08:31 tmp.8043069817
-- System Information:
Debian Release: 11.0
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (50, 'unstable-debug'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages clamav-daemon depends on:
ii adduser 3.118
ii clamav-base 0.103.2+dfsg-2
ii clamav-freshclam [clamav-data] 0.103.2+dfsg-2
ii debconf [debconf-2.0] 1.5.75
ii dpkg 1.20.9
ii libc6 2.31-12
ii libclamav9 0.103.2+dfsg-2
ii libcurl4 7.74.0-1.2
ii libncurses6 6.2+20201114-2
ii libsystemd0 247.3-5
ii libtinfo6 6.2+20201114-2
ii lsb-base 11.1.0
ii procps 2:3.3.17-5
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages clamav-daemon recommends:
ii clamdscan 0.103.2+dfsg-2
Versions of packages clamav-daemon suggests:
ii apparmor 2.13.6-10
pn clamav-docs <none>
pn daemon <none>
pn libclamunrar <none>
-- debconf-show failed
More information about the Pkg-clamav-devel
mailing list