ClamAV libclamav MEW PE File Integer Overflow Vulnerability


till
19th December 2007, 12:22
An integer overflow vulnerability in clamav has been found:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634

We are preparing a new ISPConfig version with the latest ClamAV. As a temporary workaround, you should disable the scanning of PE files:

Edit the file:

/home/admispconfig/ispconfig/tools/clamav/bin/clamassassin

and change the line:

CLAMSCANOPT="--no-summary --stdout"

To:

CLAMSCANOPT="--no-summary --stdout --no-pe"

jbravo
19th December 2007, 12:42
I think most people use clamdscan and should edit the clamd config file to get:

ScanPE no

And restart the clamd service with a log check:

clamd[32316]: Portable Executable support disabled.

EDIT: Bug already fixed - at least in SLES10SP1 with clamav patch (clamav-0.92-0.2).

--
GreetZ .:JbRaVo:.
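
The two workarounds above (adding --no-pe to CLAMSCANOPT in clamassassin, and setting ScanPE no in clamd.conf) as an added shell example that is not from this thread or from ISPConfig; it edits whichever files you pass it idempotently, and adds a check over ps/top output for clamscan processes still running without --no-pe. The file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): apply the PE-scanning workarounds to the
# config files given as arguments, without duplicating them on a second run,
# and verify the result. File paths are whatever the caller passes in.

# Append --no-pe to the CLAMSCANOPT line of a clamassassin script unless it is
# already there. Prints the resulting line; returns 1 if the line is missing.
disable_pe_clamscan() {
    f="$1"
    grep -q '^CLAMSCANOPT=' "$f" || return 1
    if ! grep -q '^CLAMSCANOPT=.*--no-pe' "$f"; then
        tmp="$f.tmp.$$"
        # insert --no-pe just before the closing quote of the option string
        sed 's/^\(CLAMSCANOPT="[^"]*\)"/\1 --no-pe"/' "$f" > "$tmp" && mv "$tmp" "$f"
    fi
    grep '^CLAMSCANOPT=' "$f"
}

# Force "ScanPE no" in a clamd.conf: rewrite an existing ScanPE line (even a
# commented-out "#ScanPE yes" example line) or append one. Prints the line.
disable_pe_clamd() {
    f="$1"
    tmp="$f.tmp.$$"
    if grep -q '^[# ]*ScanPE' "$f"; then
        sed 's/^[# ]*ScanPE.*/ScanPE no/' "$f" > "$tmp" && mv "$tmp" "$f"
    else
        printf 'ScanPE no\n' >> "$f"
    fi
    grep '^ScanPE' "$f"
}

# Read ps/top-style output on stdin and print how many clamscan invocations
# still run without --no-pe (i.e. were started before the workaround, or from
# an unpatched wrapper). Zero means every running scanner has the flag.
count_unpatched_clamscans() {
    awk '/clamscan/ && !/--no-pe/ { n++ } END { print n + 0 }'
}

# Usage (paths are hypothetical; clamd.conf location differs per distribution):
#   disable_pe_clamscan /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin
#   disable_pe_clamd /etc/clamd.conf
#   ps axww | count_unpatched_clamscans
```

Already-running clamscan processes keep the command line they were started with, so the counter only reaches zero once those scans have finished.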

till
19th December 2007, 12:55
Clamscan and not Clamdscan is the default in all ISPConfig installations if you have not patched ISPConfig manually!

jbravo
19th December 2007, 13:05
Clamscan and not Clamdscan is the default in all ISPConfig installations if you have not patched ISPConfig manually!

Of course, but I'm sure you know that most of us use the daemonized version because of performance issues.
Anyway, thanks for the information - I've changed my ClamAV configuration on other servers too :)

--
GreetZ .:JbRaVo:.

SamTzu
20th December 2007, 17:36
Didn't take them long to start using this bug.
My server had serious performance issues before I found out about this.

How do I disable ClamAV in ISPConfig?


Sam

till
20th December 2007, 17:41
Didn't take them long to start using this bug.
My server had serious performance issues before I found out about this.

How do I disable ClamAV in ISPConfig?

Disabling is not necessary, as you can see in the post above, and this bug in clamav has nothing to do with performance.

If you want to disable clamav, go to the email user settings and disable the checkbox for the antivirus scan.

SamTzu
20th December 2007, 17:41
How come I'm still getting a lot of processes from the same users even after the "quick fix"?

top -c
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2199 user-3a 25 0 31180 10m 2024 R 6.9 2.2 2:15.26 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
2207 user-1a 25 0 31180 15m 2024 R 6.6 3.1 2:15.35 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
3227 user-3a 25 0 31048 4596 2024 R 6.6 0.9 2:07.39 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
3132 user-2a 25 0 31048 4616 2024 R 6.3 0.9 2:07.69 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
8449 user-2a 25 0 29728 26m 2024 R 4.0 5.3 1:01.59 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
2195 user-2a 25 0 31180 14m 2024 R 3.6 2.9 2:15.25 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
12505 user-2a 25 0 28540 25m 2024 R 3.6 5.1 0:14.62 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
3150 user-3a 25 0 31048 4620 2024 R 3.3 0.9 2:07.50 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
3161 user-2a 25 0 31048 4612 2024 R 3.3 0.9 2:07.51 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
8397 user-3a 25 0 29728 26m 2024 R 3.3 5.3 1:01.50 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
8418 user-3a 25 0 29728 26m 2024 R 3.3 5.3 1:01.50 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
8513 user-2a 25 0 29728 26m 2024 R 3.3 5.3 1:00.69 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
8635 user-4 25 0 29728 26m 2024 R 3.3 5.3 0:58.76 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
12329 user-3a 25 0 28540 25m 2024 R 3.3 5.1 0:15.20 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
12409 user-3a 25 0 28540 25m 2024 R 3.3 5.1 0:15.01 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
12443 user-2a 25 0 28540 25m 2024 R 3.3 5.1 0:14.82 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
13877 root 25 0 7988 3980 6364 R 3.3 0.8 0:00.12 /usr/sbin/apache2 -k start -DSSL
2187 user-2a 25 0 31180 10m 2024 R 3.0 2.1 2:15.25 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
2191 user-3a 25 0 31180 11m 2024 R 3.0 2.2 2:14.95 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
3177 user-1a 25 0 31048 4616 2024 R 3.0 0.9 2:07.50 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -
13840 munin 33 10 8716 4904 5388 R 2.0 0.9 0:00.26 /usr/bin/perl /usr/share/munin/munin-html


I don't recall there being so many clamscans before.

Sam

till
20th December 2007, 17:46
The above just means that you get many emails; this is not caused by the bug in the PE scanning.

To enhance the scanning performance, you can e.g. switch to clamdscan instead of clamscan:

http://www.howtoforge.com/forums/showthread.php?t=16204

SamTzu
20th December 2007, 17:46
Disabling is not necessary, as you can see in the post above, and this bug in clamav has nothing to do with performance.

Are you sure about that, Till?

My Apache service kept crashing after a while.
And this started at the same time the clamscan went mad.


Sam

till
20th December 2007, 17:46
Are you sure about that, Till?

Yes, please see the link in my post above.

SamTzu
20th December 2007, 18:41
Odd.

I'm still getting lines like this...
12443 user-2a 25 0 28540 25m 2024 R 3.3 5.1 0:14.82 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -

Even after removing the Antivirus: tab from this particular user user-2a.

Why is that?

till
20th December 2007, 18:47
It may take some time until the config files get rewritten when your server is under high load.

SamTzu
20th December 2007, 20:07
It's been several hours now. Still, those accounts are using clamscan.
Is there a way to stop/disable clamscan on the whole server?

SamTzu
20th December 2007, 20:16
It's odd.
ISPConfig control panel is running at normal speed. Only apache web services get affected by the many clamscan services running mad.

SamTzu
22nd December 2007, 14:10
The only way I could gain control of the situation was to manually remove the offending mail account's folder. Even though I had removed the mail account from ISPConfig, it did not remove the account for several hours, and finally I just removed it by hand.

Obviously something was done to the user's mail settings on that particular folder. (Probably spam?)

Anyway, the situation is under control for now. :D

In the future, if ClamAV goes haywire, is there a way to bypass/disable it on the server for all the users?