
Wednesday, April 15, 2026

ClamAV HTML CSS DoS Vulnerability (CVE-2026-20031): A Permanent Guide to Testing & Mitigation

 




ClamAV crashed by one HTML file? Check, fix, & automate across Ubuntu, Rocky, SUSE. Docker lab + iptables. 

The problem: improper error handling in ClamAV's HTML CSS module while splitting UTF-8 strings. A single crafted HTML file can crash the scanner (denial of service). Because the bug sits in libclamav, every front end that uses it (clamscan, clamd, clamdscan, the milter) is exposed.

This guide gives you reusable commands and scripts for checking, patching and testing, which apply again the next time a similar parser bug appears.

1. How to check if you are vulnerable (not just for this CVE)

Run these commands to check your ClamAV version and to probe whether your scanner fails on the malformed-UTF-8 splitting case. The version check is the authoritative one; the probe scan only tells you how the scanner behaves on one sample.


Ubuntu / Debian

bash
clamscan --version
# Upstream fix: 1.5.2. Distributions backport fixes without changing the upstream
# version, so compare against the package version named in your distro's advisory.
dpkg -l 'libclamav*' clamav clamav-daemon | grep '^ii'
# Probe scan. printf, not echo: dash's echo turns "\1..." into an octal escape.
printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?><html><style>a::before{content:"\1F600\1F600\1F600\1F600"}</style></html>' > test.html
timeout -k 10 60 clamscan --no-summary test.html; echo "exit status: $?"
# 0 = clean, 1 = detection, 2 = clamscan error, 124 = timed out (hang),
# >128 = killed by a signal (139 = SIGSEGV). A timeout or signal means the scanner failed on this input.
# A clean result does NOT prove you are patched: this sample follows the shape described
# in the advisory, it is not a verified trigger for every build. Trust the version check.


Rocky Linux / AlmaLinux (RHEL family)

bash
rpm -q clamav clamav-lib clamd   # clamav-lib carries libclamav, where the parser lives
clamscan --version
# Same probe scan as above, read the exit status the same way

SUSE SLES 12 SP5

bash
zypper info clamav | grep -i '^Version'
# SUSE backports fixes, so the package version will not read 1.5.2. The authoritative check:
zypper list-patches --cve CVE-2026-20031
# Empty output = no pending patch for this CVE (already applied, or this product is not affected)
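An added example, not part of the original post: a small bash script that turns the checks above into reusable functions. It parses the `clamscan --version` line, compares it against a fixed version (FIXED_VERSION, defaulting to 1.5.2, the upstream fix named in this post; for backported distro packages pass the version from the advisory instead), and runs the probe scan under timeout(1), classifying the exit status so a crash or hang is never read as "clean". The file name check-clamav.sh, the FIXED_VERSION variable and the sample version line are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: reusable ClamAV version check and
# crash-aware probe scan. FIXED_VERSION defaults to 1.5.2 (upstream fix named in
# the post); override it with the version from your distro's advisory.
set -u

# parse_version_line "ClamAV 1.4.2/27532/Wed ..." -> "1.4.2"
parse_version_line() {
    local v=${1#"ClamAV "}
    printf '%s\n' "${v%%/*}"
}

# nth_component VERSION N -> N-th dot-separated field as a bare integer
# ("2-1ubuntu0.1" -> 2, missing field -> 0)
nth_component() {
    local f
    f=$(printf '%s' "$1" | cut -d. -f"$2")
    f=${f%%[!0-9]*}
    printf '%s\n' "${f:-0}"
}

# version_lt A B -> exit 0 if A is older than B (major.minor.patch compare;
# pure shell, so it also works in containers without GNU `sort -V`)
version_lt() {
    local i a b
    for i in 1 2 3; do
        a=$(nth_component "$1" "$i")
        b=$(nth_component "$2" "$i")
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
    done
    return 1   # equal
}

# classify_scan_rc STATUS -> meaning of a clamscan exit status
# (clamscan: 0 clean, 1 detection, 2 error; timeout(1): 124; 128+N: killed by signal N)
classify_scan_rc() {
    case $1 in
        0)   echo "clean" ;;
        1)   echo "detection" ;;
        2)   echo "clamscan error (bad option, missing database, unreadable file)" ;;
        124) echo "timed out (possible hang)" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "crashed: killed by signal $(( $1 - 128 ))"
             else
                 echo "unexpected exit status $1"
             fi ;;
    esac
}

# scan_probe FILE [SECONDS] -> runs clamscan under a timeout, prints the classification
scan_probe() {
    local file=$1 secs=${2:-60}
    timeout -k 10 "$secs" clamscan --no-summary "$file" >/dev/null 2>&1
    classify_scan_rc "$?"
}

main() {
    local fixed=${FIXED_VERSION:-1.5.2} ver
    ver=$(parse_version_line "$(clamscan --version)")
    if version_lt "$ver" "$fixed"; then
        echo "installed $ver is older than $fixed: affected unless your distro backported the fix"
    else
        echo "installed $ver is at or above $fixed"
    fi
    [ $# -ge 1 ] && echo "probe scan of $1: $(scan_probe "$1")"
    return 0
}

# usage: bash check-clamav.sh [test.html]   (skipped here when clamscan is absent)
if [ "${BASH_SOURCE[0]:-}" = "$0" ] && command -v clamscan >/dev/null 2>&1; then
    main "$@"
fi
```

The version comparison deliberately ignores anything after the third numeric component, so "1.4.2-1ubuntu0.1" compares as 1.4.2; that is exactly why it can only tell you about upstream versions, not about a backported fix.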


2. Automation script to apply the fix (bash; Debian, RHEL and SUSE families)

Save this as fix-clamav-dos.sh and run it with sudo bash fix-clamav-dos.sh. It updates the ClamAV packages from your distro's repositories (which is where the backported fix lands) and restarts whichever clamd unit is running; the unit name differs per distro, which the original version of this script got wrong for RHEL and SUSE.

bash
#!/bin/bash
# Update ClamAV to the latest packaged version and restart the daemon.
# Written for CVE-2026-20031; reusable for later ClamAV package updates.
set -euo pipefail

detect_os() {
    if [ -f /etc/os-release ]; then
        . /etc/os-release
        OS=$ID
        VER=${VERSION_ID:-unknown}
    else
        echo "Cannot detect OS. Exiting." >&2
        exit 1
    fi
}

# Unit names: clamav-daemon (Debian/Ubuntu), clamd@scan (EPEL on the RHEL family),
# clamd (SUSE). Restart whichever is actually running.
restart_clamd() {
    local unit restarted=0
    for unit in clamav-daemon clamd@scan clamd; do
        if systemctl is-active --quiet "$unit"; then
            systemctl restart "$unit"
            restarted=1
        fi
    done
    [ "$restarted" = 1 ] || echo "No running clamd unit found; only the command-line scanner was updated."
}

apply_fix() {
    case $OS in
        ubuntu|debian)
            apt-get update
            # --only-upgrade skips packages that are not installed; libclamav follows
            # through the versioned dependency of clamav/clamav-daemon.
            apt-get install -y --only-upgrade clamav clamav-daemon clamav-freshclam
            ;;
        rocky|almalinux|rhel|centos|fedora)
            # clamav-lib carries libclamav; the glob covers clamav, clamav-lib, clamav-update
            dnf upgrade -y 'clamav*' clamd
            ;;
        sles|opensuse-leap|opensuse-tumbleweed)
            zypper --non-interactive update clamav
            if [ "$OS" = sles ] && [ "$VER" = 12.5 ]; then
                # SLES 12 SP5 LTSS patch named in the advisory this post refers to
                zypper --non-interactive install -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2026-1324=1
            fi
            ;;
        *)
            echo "Unsupported OS ($OS). Manual update required." >&2
            exit 1
            ;;
    esac
}

[ "$(id -u)" -eq 0 ] || { echo "Run as root: sudo bash fix-clamav-dos.sh" >&2; exit 1; }
detect_os
echo "Updating ClamAV on $OS $VER"
apply_fix
restart_clamd
echo "Installed now: $(clamscan --version 2>/dev/null || echo 'clamscan not found')"
echo "Compare with the fixed package version in your distro advisory (upstream fix: 1.5.2)."

3. Alternative mitigation if you can’t update now

Option A: rate-limit TCP connections to clamd (only if clamd listens on a network port)

By default clamd listens on a Unix socket, so these rules do nothing unless TCPSocket 3310 is enabled in clamd.conf and remote clients can reach it. Even then, this only slows down repeated submissions: one crafted file is enough to crash the scanner, so treat it as a damper, not a fix.

bash
# Accept at most 5 new connections per minute per source IP (burst 10) to port 3310, drop the rest.
# -m limit is one global bucket; hashlimit in srcip mode is what gives a per-IP limit.
sudo iptables -A INPUT -p tcp --dport 3310 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 3310 -m conntrack --ctstate NEW \
  -m hashlimit --hashlimit-name clamd --hashlimit-mode srcip \
  --hashlimit-upto 5/minute --hashlimit-burst 10 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 3310 -j DROP
# -A appends: an earlier blanket ACCEPT would make these rules unreachable, so check the order
sudo iptables -L INPUT -n --line-numbers

Option B: AppArmor confinement for clamd (Ubuntu/Debian)

AppArmor does not stop the crash (the parser still dies on the input); it limits what the clamd process can read or write if a parser bug turns out to be more than a denial of service. Ubuntu's clamav-daemon package ships a profile for /usr/sbin/clamd (not /usr/bin/clamd) in /etc/apparmor.d/usr.sbin.clamd and includes /etc/apparmor.d/local/usr.sbin.clamd inside its own braces, so the local file must contain bare rules, not a nested profile block. Do not deny the directories clamd is asked to scan (the original suggestion of denying /tmp/*.html would just make scans of /tmp fail).

bash
# Rules only, no "/usr/sbin/clamd { ... }" wrapper. These two are illustrative: clamd has no
# reason to write under /etc or /home; extend them after reviewing DENIED lines in the audit log.
sudo tee -a /etc/apparmor.d/local/usr.sbin.clamd >/dev/null <<'EOF'
  deny /etc/** w,
  deny /home/** w,
EOF
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
sudo aa-enforce /usr/sbin/clamd
sudo aa-status | grep clamd

Option C: mail gateway policy (Postfix and clamav-milter)

The header rule previously shown here is not valid Postfix syntax: header_checks can match header text, but a message has no CONTENT_LENGTH header, and a crafted HTML part can be small, so size is a weak proxy for "malicious CSS" anyway. What Postfix does offer is a hard message size cap, which at least bounds what the scanner has to chew on:

text
# /etc/postfix/main.cf (default is 10240000 bytes)
message_size_limit = 5242880

The decision that matters more during a DoS is what the gateway does while clamd is dead. clamav-milter's OnFail setting controls that: Defer keeps mail in the queue until the scanner is back (fail closed), Accept delivers it unscanned (fail open), Reject bounces it. Fail open means a crash turns the scanner off silently for everything behind it.

text
# /etc/clamav/clamav-milter.conf
OnFail Defer

4. Hands-on Lab: Reproduce this in a container (Docker)

Goal: See what a parser crash looks like from the outside (exit status, stderr) on an affected release and confirm the same input is handled by a fixed one. The same setup works for the next ClamAV proof of concept.

Requirements: Docker on your laptop/server. The official clamav/clamav images on Docker Hub are tagged by release and include a signature database (the *_base variants do not), so a local clamscan needs no freshclam download. The 1.4 tag below stands for an affected release; use whatever version your advisory lists, and check the version the image actually carries with clamscan --version.

bash
# Step 1: the test file. The CSS mimics the "long run of escaped code points" shape from the
# advisory description; it is not guaranteed to trigger the bug on every affected build, so a
# clean result here does not mean you are patched. Quoted heredoc keeps the backslashes literal.
cat > exploit.html <<'EOF'
<html>
<style>
.spl1t {
  content: "\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600\1F600";
}
</style>
<body>Test</body>
</html>
EOF

# Step 2: scan it with an affected release. timeout(1) on the host turns a hang into exit
# status 124; docker run passes through the container's exit status, so a segfault shows
# up as 139 (128 + SIGSEGV). If the run times out, "docker ps" and "docker kill" the leftover.
docker run --rm clamav/clamav:1.4 clamscan --version
timeout -k 10 120 docker run --rm -v "$PWD:/work:ro" clamav/clamav:1.4 \
    clamscan --no-summary /work/exploit.html; echo "exit status: $?"
# 0 = clean, 1 = detection, 2 = error, 124 = hang, >128 = crash

# Step 3: same file, fixed release (1.5.2 or later; use the matching version tag or :stable
# after confirming its version)
docker run --rm clamav/clamav:stable clamscan --version
timeout -k 10 120 docker run --rm -v "$PWD:/work:ro" clamav/clamav:stable \
    clamscan --no-summary /work/exploit.html; echo "exit status: $?"
# Expected on a patched build: "/work/exploit.html: OK" and exit status 0


Why this lab is reusable: swap exploit.html for any future proof of concept and change the two image tags; the Docker pattern and the exit-status reading stay the same.


5. Suggested reading (the monitoring problem)

- Amazon 

Why buy this? 


The vulnerability above shows that a crash is a silent failure: most people do not notice that ClamAV died until hours later, and with a fail-open gateway nothing is scanned in the meantime. Bejtlich's book teaches the network security monitoring discipline; the lesson to apply here is to alert on service failure, whether from a Zeek or Snort sensor going quiet or from a simple cron check that clamd still answers. Without monitoring, a DoS is just "weird slowness" for days.

Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides, at no extra cost to you.
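An added example, not from the original post or from any book: the cheapest form of the alerting the paragraph above asks for is a cron check that clamd still answers its own protocol, plus a systemd drop-in so a crashed daemon comes back on its own instead of staying dead until someone notices. Assumptions of this example: the unit name is passed in (clamav-daemon on Debian/Ubuntu, clamd@scan on the RHEL family, clamd on SUSE), clamd has TCPSocket 3310 enabled in clamd.conf (the default is a Unix socket, which bash's /dev/tcp cannot reach; on ClamAV 1.0 and later, clamdscan --ping covers that case), and the script is installed as /usr/local/sbin/clamd-health.sh.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: make a crashed clamd visible and
# self-healing. Unit name and clamd address are parameters; adjust per distro.
set -u

# ping_clamd [HOST] [PORT] -> exit 0 if clamd answers the protocol "PING" with "PONG".
# Uses bash's /dev/tcp so no netcat is needed. The command substitution isolates a
# connect failure (refused/unreachable), which simply yields an empty reply.
ping_clamd() {
    local host=${1:-127.0.0.1} port=${2:-3310} reply
    reply=$( { printf 'PING\n' >&3; read -r -t 5 line <&3 && printf '%s' "$line"; } \
             2>/dev/null 3<>"/dev/tcp/$host/$port" )
    [ "$reply" = "PONG" ]
}

# systemd drop-in: restart clamd after a crash, but stop retrying if it crashes
# 5 times within 10 minutes (a persistent trigger, e.g. a file stuck in a queue,
# should page a human rather than loop forever)
systemd_override_text() {
    cat <<'EOF'
[Unit]
StartLimitIntervalSec=10min
StartLimitBurst=5

[Service]
Restart=on-failure
RestartSec=5s
EOF
}

# install_restart_override UNIT   (run as root)
install_restart_override() {
    local dir="/etc/systemd/system/$1.d"
    mkdir -p "$dir"
    systemd_override_text >"$dir/10-restart.conf"
    systemctl daemon-reload
}

# health_check UNIT [HOST] [PORT] -> one status line; exit 1 on any failure.
# Cron it every minute and alert on a nonzero status, e.g.:
#   * * * * * /usr/local/sbin/clamd-health.sh clamav-daemon || logger -p daemon.crit "clamd health check failed"
health_check() {
    local unit=$1 host=${2:-127.0.0.1} port=${3:-3310}
    if ! systemctl is-active --quiet "$unit"; then
        echo "CRIT $unit is not active"
        return 1
    fi
    if ! ping_clamd "$host" "$port"; then
        echo "CRIT $unit is active but does not answer PING on $host:$port"
        return 1
    fi
    echo "OK $unit answers PONG on $host:$port"
}

# usage: clamd-health.sh UNIT [HOST] [PORT]
if [ "${BASH_SOURCE[0]:-}" = "$0" ] && [ $# -ge 1 ]; then
    health_check "$@"
fi
```

The two checks are deliberately separate: "unit is active" catches a clean crash that systemd already knows about, while the PING catches the worse case of a process that is still running but hung on an input and no longer answering anyone.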


6. Conclusion

You now have:

  • A version check and a crash-aware probe scan for any distro

  • A script that updates the ClamAV packages and restarts the right daemon unit on the Debian, RHEL and SUSE families

  • A Docker lab for comparing an affected and a fixed release on the same input

  • Fallback mitigations (connection rate limiting, AppArmor confinement, gateway filtering) for when you cannot patch immediately


