Friday, June 17, 2016

Regarding the Use of ClamAV Daemon's TCP Socket

Recently, a tweet and subsequent blog post on Errata Security describe some features of the ClamAV daemon (clamd) that may be misused toward information disclosures and denial of service attacks. We wanted to take the opportunity to inform the ClamAV community about the clamd configuration that may lead to these issues along with the steps and options for using clamd securely.

clamd is an optional feature of ClamAV providing local or remote host access to ClamAV's scanning engine through the clamd protocol. Several ClamAV commands communicate with clamd using the clamd protocol: clamdscan for virus scanning, clamdtop for clamd resource monitoring, and freshclam, when used in conjunction with clamd, to notify clamd to reload the virus database. Clamav-milter and some third party programs use the clamd protocol as well. The clamd protocol is fully described in the clamd man-page.

This feature, off by default, requires manual configuration.  In order to use clamd, an installation must select a socket type in clamd configuration file, clamd.conf. The installation has two choices for the type of socket. Their configuration parameter names are LocalSocket and TCPSocket. LocalSocket, available on Unix based systems, is not vulnerable to the information disclosure or the DoS. However, all of the programs communicating with clamd must reside on the same host system with clamd. The TCPSocket option enables communication from remote hosts, but care must be taken to protect the ingress network interfaces. An additional clamd parameter, TCPAddr, may be used to designate which network interfaces will accept clamd TCP connection requests. Those interfaces need to be protected, such as though the use of firewall or other network security mechanisms. This will ensure that unwanted clamd requests will be blocked. Additional information on the clamd configuration parameters may be found in the clamd.conf man-page and in the sample clamd configuration file distributed with ClamAV.

Finally, note that the clamscan command, and other software using the libclamav API directly, do not use clamd and therefore are not affected by this configuration.