Hello folks,
this Wednesday, the ClamAV development team published updates to all supported version branches, fixing two potential remote code execution vulnerabilities [1]. Both can be triggered by an unauthenticated attacker, for example by sending a malicious file to infrastructure that scans it with ClamAV.
This affects IPFire's primary mail server (mail01) as well. At the time of writing, Debian has yet to publish security updates for their ClamAV packages.
Therefore, I just disabled ClamAV in our infrastructure to thwart potential exploitation attempts. Given that our spam filter configuration contains various other countermeasures against malspam, this step should be okay as a temporary measure, until we can safely run ClamAV again.
I will take this as an opportunity to finally switch to an allowlist for e-mail attachments, which is more robust against assorted malspam techniques; I had this in the back of my head for quite some time.
Please get in touch with me if there are any concerns, comments or questions.
Thanks, and best regards, Peter Müller
[1] https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
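The attachment allowlist mentioned above, as an added illustration that is not part of the original message and not IPFire's mail configuration: an allowlist is default-deny, so an attachment is only accepted if its final file extension is explicitly listed and the declared MIME type matches that extension; anything else (unknown types, executables hidden behind a double extension like "invoice.pdf.exe", attachments without a filename) is rejected without the filter having to know about it in advance. The extension-to-type table and the sample messages are constructed for the example; the code goes slightly beyond the message by also checking the declared Content-Type against the extension.

```python
import email
import email.policy
import os
from email.message import EmailMessage

# Hypothetical allowlist (an assumption, not IPFire's configuration):
# final file extension -> declared MIME types accepted for that extension.
# Anything not listed here is rejected, so a new file type can never
# slip through merely by being absent from a denylist.
ALLOWED_ATTACHMENTS = {
    ".pdf": {"application/pdf"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".txt": {"text/plain"},
}


def check_attachment(filename, content_type):
    """Decide on one attachment; returns (accepted, reason)."""
    if not filename:
        return False, "attachment without a filename"
    # Only the final extension matters to the receiving system, so
    # 'invoice.pdf.exe' is judged by '.exe'.
    ext = os.path.splitext(filename)[1].lower()
    allowed_types = ALLOWED_ATTACHMENTS.get(ext)
    if allowed_types is None:
        return False, f"{filename}: extension {ext or '(none)'} is not on the allowlist"
    if content_type.lower() not in allowed_types:
        return False, f"{filename}: declared type {content_type} does not match {ext}"
    return True, f"{filename}: accepted"


def scan_message(raw):
    """Parse an RFC 5322 message and apply the allowlist to every attachment.

    Returns (accepted, reasons): accepted is False as soon as one
    attachment fails; reasons holds the verdict for each attachment.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    accepted = True
    for part in msg.iter_attachments():
        ok, why = check_attachment(part.get_filename(), part.get_content_type())
        reasons.append(why)
        accepted = accepted and ok
    return accepted, reasons


def build_sample(filename, content_type, payload=b"constructed payload"):
    """Build a constructed test message carrying a single attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed samples: one benign PDF, a double-extension executable,
    # a macro-enabled document the allowlist has never heard of, and a
    # PNG whose declared type does not match its extension.
    samples = [
        ("report.pdf", "application/pdf"),
        ("invoice.pdf.exe", "application/octet-stream"),
        ("notes.docm", "application/vnd.ms-word.document.macroenabled.12"),
        ("photo.png", "application/octet-stream"),
    ]
    for filename, ctype in samples:
        ok, reasons = scan_message(build_sample(filename, ctype))
        print("ACCEPT" if ok else "REJECT", "-", "; ".join(reasons))
```

The strict type check means a legitimate image sent as application/octet-stream is also rejected; that is the trade-off of an allowlist, and the usual remedy is to add the exact combinations your users need rather than to loosen the default.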