{"id":1621,"date":"2025-01-23T11:39:13","date_gmt":"2025-01-23T11:39:13","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1621"},"modified":"2025-01-23T11:39:13","modified_gmt":"2025-01-23T11:39:13","slug":"cisco-patches-antivirus-decommissioning-bug-as-exploit-code-surfaces","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1621","title":{"rendered":"Cisco patches antivirus decommissioning bug as exploit code surfaces"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cisco has patched a denial-of-service (DoS) vulnerability affecting its open-source antivirus toolkit, ClamAV, for which proof-of-concept (PoC) exploit code is already publicly available.<\/p>\n<p>Identified as CVE-2025-20128, the vulnerability stems from a <a href=\"https:\/\/www.csoonline.com\/article\/568835\/what-is-a-buffer-overflow-and-how-hackers-exploit-these-vulnerabilities.html\">heap-based buffer overflow<\/a> in the Object Linking and Embedding 2 (OLE2) decryption routine, enabling unauthenticated remote attackers to cause a DoS condition on affected devices.<\/p>\n<p>\u201cThis vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read,\u201d Cisco said in an <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-clamav-ole2-H549rphA\">advisory<\/a>. \u201cA successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software.\u201d<\/p>\n<p>However, the company noted that overall system stability remains intact even after successful exploitation of the flaw.<\/p>\n<h2 class=\"wp-block-heading\"><strong>The flaw could shut down AV scanning<\/strong><\/h2>\n<p>The flaw, despite being a medium-severity issue, could compromise critical scanning processes for ClamAV users who rely on it for a range of protections, including email scanning, web filtering, and endpoint security.<\/p>\n<p>\u201cAn attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device,\u201d the advisory added. \u201cThe Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability.\u201d<\/p>\n<p>Affected Cisco software platforms include Secure Endpoint Connector for Linux, Secure Endpoint Connector for Mac, Secure Endpoint Connector for Windows, and Secure Endpoint Private Cloud.<\/p>\n<p>Cisco confirmed the vulnerability does not affect its \u201cSecure Email Gateway\u201d and \u201cSecure Web Appliances\u201d products, two Cisco products for email and web-based threats with which ClamAV integrates.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Patching is the only workaround<\/strong><\/h2>\n<p>In a separate ClamAV <a href=\"https:\/\/blog.clamav.net\/2025\/01\/clamav-142-and-108-security-patch.html\">blog post<\/a>, the Cisco team provided details of the security patches released to address this flaw. The patch rollout includes ClamAV release 1.4.2 and ClamAV release 1.0.8, both available for download on the ClamAV <a href=\"https:\/\/www.clamav.net\/downloads\">downloads page<\/a>, the GitHub <a href=\"https:\/\/github.com\/Cisco-Talos\/clamav\/releases\">releases page<\/a>, and through <a href=\"https:\/\/hub.docker.com\/r\/clamav\/clamav\/\">Docker Hub<\/a>.<\/p>\n<p>Patching the affected software is the only option for users, as the company said there are no workarounds that address this vulnerability.<\/p>\n<p>The company said in the advisory that it is not aware of any active exploitation of the vulnerability, and credited Google\u2019s fuzzing project, OSS-Fuzz, for reporting it. Cisco\u2019s anti-malware toolkit has now encountered its second denial-of-service (DoS) vulnerability within a year. The first, disclosed in <a href=\"https:\/\/www.csoonline.com\/article\/1306892\/cisco-patches-serious-flaws-in-expressway-and-clamav.html\">February 2024<\/a>, enabled a very similar disruption of scanning but was rated <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-clamav-hDffu6t\">more severe<\/a> than the current flaw.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cisco has patched a denial-of-service (DoS) vulnerability affecting its open-source antivirus toolkit, ClamAV, for which proof-of-concept (PoC) exploit code is already publicly available. 
Identified as CVE-2025-20128, the vulnerability stems from a heap-based buffer overflow in the Object Linking and Embedding 2 (OLE2) decryption routine, enabling unauthenticated remote attackers to cause a DoS [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1622,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1621","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1621"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1621"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1621\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1622"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}