CVE-2024-20506: 
Clam AntiVirus vulnerability analysis and mitigation

CVE-2024-20506 is a vulnerability discovered in the ClamD service module of Clam AntiVirus (ClamAV) affecting versions 1.4.0, 1.3.2 and prior versions, all 1.2.x versions, 1.0.6 and prior versions, all 0.105.x versions, all 0.104.x versions, and 0.103.11 and all prior versions. The vulnerability was disclosed on September 4, 2024, and involves the ClamD process writing to its log file while privileged without checking if the logfile has been replaced with a symbolic link (NVD, ClamAV Blog).

The vulnerability stems from the logging module's behavior on Linux and Unix systems, where the ClamD process writes to its log file while having privileged access without verifying if the logfile has been replaced with a symbolic link. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (NVD).

If exploited, this vulnerability could allow an authenticated, local attacker to corrupt critical system files. The impact is particularly significant because it could lead to system file corruption when an attacker successfully replaces the ClamD log file with a symlink to a critical system file and manages to restart the ClamD process (NVD).

The vulnerability has been fixed in ClamAV versions 1.4.1, 1.3.2, 1.0.7, and 0.103.12. The fix involves changing the logging module to disable following symlinks on Linux and Unix systems, preventing attackers from using symlinks to corrupt system files. Users are advised to upgrade to these patched versions (ClamAV Blog).