CVE-2008-6845 in ClamAV

Summary

by MITRE

The unpack feature in ClamAV 0.93.3 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a corrupted LZH file.


Analysis

by VulDB Data Team • 08/12/2021

The vulnerability identified as CVE-2008-6845 is a critical denial of service weakness in the ClamAV antivirus software, version 0.93.3 and earlier. The flaw lies in the engine's unpack functionality, which decompresses archived file formats so that their contents can be scanned for malicious content. It manifests when ClamAV processes a corrupted LZH (Lempel-Ziv-Huffman) compressed file: the software crashes with a segmentation fault, interrupting the service completely.

The root cause is inadequate input validation in the LZH decompression routine. When ClamAV encounters a malformed LZH file, the unpacking code does not handle the corrupted data structures correctly, and the resulting memory access violation triggers a segmentation fault. The weakness falls under CWE-129, which covers insufficient validation of the length of input data, and more specifically CWE-125, an out-of-bounds read. It reflects poor error handling in the decompression module: the compressed data is neither sanitized nor validated before it is processed.
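As an added illustration of the validation the analysis above describes (this is example code, not ClamAV's own parser, and it does not reproduce the actual 0.93.3 defect, whose details this entry does not give), the following C program parses a simplified LZH header modelled on the LHA level-0 layout. The header layout, the `lzh_*` function names and the error codes are assumptions made for the example. The point it demonstrates is the CWE-125 pattern in the text: every size or length field read from the file is checked against the buffer the program actually holds before any read depends on it, so a truncated or corrupted header produces an error code instead of a read past the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified LZH header (LHA level-0 style) assumed for this example:
 *   0 header size (bytes from offset 2 to end of header, CRC included)
 *   1 header checksum (sum of bytes 2..end, mod 256)
 *   2 method id, 5 bytes ("-lh5-")      7 packed size (LE32)   11 original size (LE32)
 *  15 time (LE16)  17 date (LE16)  19 attribute  20 header level  21 filename length N
 *  22 filename (N bytes)               22+N CRC16 (LE16)                                 */
#define LZH_FIXED   22   /* bytes before the filename */
#define LZH_CRC_LEN 2

enum lzh_status { LZH_OK = 0, LZH_ERR_SHORT = -1, LZH_ERR_HDRSIZE = -2,
                  LZH_ERR_NAMELEN = -3, LZH_ERR_CHECKSUM = -4, LZH_ERR_METHOD = -5 };

typedef struct { char method[6]; uint32_t packed_size, orig_size; char name[256]; uint16_t crc; } lzh_hdr;

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one header from buf[0..len). Lengths taken from the file are validated
 * against `len` before they are used for any read, so corrupted input is
 * rejected with an error code rather than causing an out-of-bounds read. */
int lzh_parse_header(const uint8_t *buf, size_t len, lzh_hdr *h)
{
    if (len < LZH_FIXED)
        return LZH_ERR_SHORT;                   /* not even the fixed part is present */

    size_t hsize = buf[0];
    size_t total = hsize + 2;                   /* whole header incl. size and checksum bytes */
    if (hsize < LZH_FIXED - 2 + LZH_CRC_LEN || total > len)
        return LZH_ERR_HDRSIZE;                 /* untrusted size field vs. data actually held */

    size_t name_len = buf[21];
    if (LZH_FIXED + name_len + LZH_CRC_LEN > total)
        return LZH_ERR_NAMELEN;                 /* name would run past the header */

    uint8_t sum = 0;                            /* checksum over bytes 2..total-1 */
    for (size_t i = 2; i < total; i++)
        sum = (uint8_t)(sum + buf[i]);
    if (sum != buf[1])
        return LZH_ERR_CHECKSUM;

    if (buf[2] != '-' || buf[6] != '-')
        return LZH_ERR_METHOD;

    memcpy(h->method, buf + 2, 5);
    h->method[5] = '\0';
    h->packed_size = le32(buf + 7);
    h->orig_size = le32(buf + 11);
    memcpy(h->name, buf + LZH_FIXED, name_len); /* name_len <= 255 < sizeof h->name */
    h->name[name_len] = '\0';
    h->crc = le16(buf + LZH_FIXED + name_len);
    return LZH_OK;
}

/* Build a constructed, well-formed header for `name` (sample input, not a real archive). */
size_t lzh_build_header(uint8_t *out, size_t cap, const char *name, uint32_t packed, uint32_t orig)
{
    size_t n = strlen(name);
    size_t total = LZH_FIXED + n + LZH_CRC_LEN;
    if (n > 255 || total > cap)
        return 0;
    memset(out, 0, total);
    out[0] = (uint8_t)(total - 2);
    memcpy(out + 2, "-lh5-", 5);
    for (int i = 0; i < 4; i++) {
        out[7 + i] = (uint8_t)(packed >> (8 * i));
        out[11 + i] = (uint8_t)(orig >> (8 * i));
    }
    out[21] = (uint8_t)n;
    memcpy(out + LZH_FIXED, name, n);
    uint8_t sum = 0;
    for (size_t i = 2; i < total; i++)
        sum = (uint8_t)(sum + out[i]);
    out[1] = sum;                               /* CRC16 left as zero in this sample */
    return total;
}

/* Build the sample header, optionally damage it, and parse it. */
static int run_scenario(size_t truncate_by, int corrupt_name_len)
{
    uint8_t b[64];
    lzh_hdr h;
    size_t n = lzh_build_header(b, sizeof b, "readme.txt", 100, 200);
    if (corrupt_name_len)
        b[21] = 0xff;                           /* filename length far beyond the header */
    return lzh_parse_header(b, n - truncate_by, &h);
}
int demo_valid(void)       { return run_scenario(0, 0); }  /* LZH_OK */
int demo_truncated(void)   { return run_scenario(5, 0); }  /* LZH_ERR_HDRSIZE: size field exceeds data held */
int demo_bad_namelen(void) { return run_scenario(0, 1); }  /* LZH_ERR_NAMELEN: length field does not fit */

int main(void)
{
    printf("valid=%d truncated=%d bad_namelen=%d\n", demo_valid(), demo_truncated(), demo_bad_namelen());
    return 0;
}
```

The two damaged scenarios are the cases a parser without these checks would mishandle: a header whose size field claims more bytes than were read, and a filename length that points beyond the header. Each check compares a file-supplied length against a bound the program knows to be true (`len` or `total`) before that length drives a `memcpy` or an index, which is the discipline the analysis above says the affected decompression routine lacked.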

Operationally, this vulnerability presents significant risk to organizations relying on ClamAV for endpoint protection and email filtering. A remote attacker can exploit it by crafting a malicious LZH file that, when processed by the antivirus software, causes the service to crash and restart repeatedly, creating a persistent denial of service condition that can exhaust system resources and disrupt legitimate security operations. The attack vector is particularly concerning because it requires no authentication or special privileges: any remote user who can deliver a corrupted LZH file to a system running a vulnerable ClamAV version can trigger it. Both email servers and endpoint protection systems that use ClamAV's unpack feature are affected, so service disruption can spread across a networked environment.

Organizations should mitigate this vulnerability immediately by upgrading to ClamAV version 0.94 or later, where the issue is resolved through improved input validation and error handling. System administrators should also consider network-level filtering that blocks LZH files at the network perimeter, particularly in email gateways and file transfer systems. The mitigation strategy should include monitoring for unusual service restart patterns that may indicate exploitation attempts, and security teams should review their incident response procedures to ensure that service disruption events caused by this vulnerability are handled properly. In ATT&CK terms, the vulnerability maps to technique T1499.004, related to network denial of service attacks, and illustrates why defensive tools themselves must be kept up to date so that known vulnerabilities in them cannot be exploited.

Reservation

07/02/2009

Disclosure

07/02/2009

Moderation

accepted

Entry

VDB-48829

CPE

ready

EPSS

0.02211

KEV

no

Activities

very low

Sources
