
ClamAV Zip Bomb Makes CPUs Choke

A new vulnerability has been discovered [1] in the popular ClamAV antivirus scanning engine.

ClamAV is one of the antivirus scanning engines used in ImunifyAV and Imunify360.

For this reason, we’ve released an update of the ClamAV package so that ImunifyAV and Imunify360 can be protected from this vulnerability.

How it works

The vulnerability means that certain kinds of highly compressed zip files can’t be scanned.

David Fifield [2], a security researcher, found that, using overlapping techniques, he could generate files with extraordinary compression ratios.

In one case, he managed to compress a 281 TB file down to 10 MB. That’s a compression ratio of more than 28,000,000.

Hanno Böck found [3] that when ClamAV tried to scan such huge files, the CPU became severely loaded and the ClamAV process could not be gracefully killed, making the system sluggish or unresponsive. For this reason, this vulnerability is classified as a Denial of Service by means of a ‘zip bomb’.
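The overlap and the compression ratio described above are both visible in a zip file's central directory, so they can be checked without decompressing anything. The following is an added example, not code from ClamAV, Imunify or the researchers cited; the function names, the 1000:1 threshold and the sample entries are assumptions made for illustration.

```python
import io
import zipfile

LOCAL_HEADER_LEN = 30  # fixed-size part of a zip local file header
MAX_RATIO = 1000       # assumed policy limit, tune for your own traffic

# Constructed sample: (name, header_offset, compress_size, file_size).
# Member "b" starts inside the compressed data of member "a".
CONSTRUCTED_OVERLAP = [("a", 0, 1000, 10**9), ("b", 40, 960, 10**9)]


def find_problems(entries, archive_size, max_ratio=MAX_RATIO):
    """Return (kind, detail) findings; an empty list means nothing was flagged."""
    findings = []
    prev_name, prev_end = "", 0
    for name, offset, csize, _ in sorted(entries, key=lambda e: e[1]):
        # Well-formed members are laid out back to back. prev_end is a lower
        # bound (name and extra fields are ignored), so a hit is a real overlap.
        if offset < prev_end:
            findings.append(("overlap", f"{name!r} starts inside {prev_name!r}"))
        end = offset + LOCAL_HEADER_LEN + csize
        if end > prev_end:
            prev_name, prev_end = name, end
    declared = sum(e[3] for e in entries)
    if archive_size and declared / archive_size > max_ratio:
        findings.append(("ratio", f"{declared} bytes declared in a {archive_size}-byte archive"))
    return findings


def audit_zip(data: bytes):
    """Check a zip held in memory using only its central directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = [(i.filename, i.header_offset, i.compress_size, i.file_size)
                       for i in zf.infolist()]
    except zipfile.BadZipFile as exc:
        return [("malformed", str(exc))]
    return find_problems(entries, len(data))


if __name__ == "__main__":
    for kind, detail in find_problems(CONSTRUCTED_OVERLAP, archive_size=1200):
        print(kind, detail)
```

An archive that produces any finding can be quarantined or rejected before it reaches the scanning engine.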

Mitigation

If you are running ClamAV in standalone mode, the only mitigation currently available is to disable scanning of compressed archives using the ScanArchive setting in the clamd.conf configuration file.

ImunifyAV or Imunify360 customers should update immediately; the updated package is already available in the product repos. Alternatively, you should disable ClamAV. (It will be disabled by our forthcoming 4.3 release, due out next week.)


References
