CVE-2004-1909

Vulnerability

ClamAV versions 0.68 and earlier are vulnerable to a denial of service crash when processing specially crafted RAR archives, such as those generated by variants of the W32.Beagle.A@mm worm. The crash occurs in the RAR parsing routine within the clamav process, triggered by malformed archive data. This issue affects all installations using versions prior to 0.68.1 [1].

Exploitation

An attacker can remotely exploit this vulnerability by sending a crafted RAR archive to a system running ClamAV. No authentication or user interaction is required; the crash occurs during automatic scanning, such as when the archive is received as an email attachment or accessed via a mail server integration. The specific archive structure that triggers the crash is characteristic of Beagle/Bagle worm variants, but any similar malformed RAR may cause the same effect [1].

Impact

Successful exploitation results in a denial of service (DoS) as the clamav process crashes. Depending on the system configuration, this can also cause dependent services, such as mail delivery or virus scanning daemons, to fail, disrupting normal operations. The crash does not lead to arbitrary code execution or data corruption, but the interruption of anti-virus services leaves systems temporarily unprotected [1].

Mitigation

The fixed version is ClamAV 0.68.1, released shortly after the vulnerability was disclosed. Users should upgrade to version >=0.68.1 immediately. No workaround exists for earlier versions, as the vulnerability is triggered by normal scanning activity. The Gentoo Linux GLSA 200404-07 provides upgrade instructions via emerge for Gentoo users [1]. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.