Important security fixes in Clamav 0.99.3

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
syntaxys
Posts: 26
Joined: Sat Sep 13, 2014 12:06 am

Important security fixes in Clamav 0.99.3

Post by syntaxys »

Clamav released 0.99.3 with several security fixes at January 25th, 2018 – it is highly recommended to upgrade to this version soon as possible.
If you don't like to wait for the Zimbra patches, the following example will upgrade Clamav in ZCS 8.8.6 (on Ubuntu 16.04 LTS).

To enable PCRE support in Clamav, install the needed libraries:

Code: Select all

apt-get install libpcre2-dev libpcre3 libpcre3-dev
Also gcc should be installed for the next steps:

Code: Select all

cd /opt/zimbra
wget https://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz
tar -xvf ./clamav-0.99.3.tar.gz
ln -s ./clamav-0.99.3 ./clamav
cd clamav
./configure --prefix=/opt/zimbra/clamav --with-user=zimbra --with-group=zimbra --with-pcre=/usr
make check
make install
Backup the actual files:

Code: Select all

mkdir -p /opt/zimbra/backup/common/bin /opt/zimbra/backup/common/lib /opt/zimbra/backup/common/sbin
cp /opt/zimbra/common/bin/*clam* /opt/zimbra/backup/common/bin
cp /opt/zimbra/common/lib/*clam* /opt/zimbra/backup/common/lib
cp /opt/zimbra/common/sbin/*clam* /opt/zimbra/backup/common/sbin
Stop Zimbra and replace the files and links:

Code: Select all

su - zimbra
zmcontrol stop
exit
rm /opt/zimbra/common/bin/clambc /opt/zimbra/common/bin/clamconf /opt/zimbra/common/bin/clamdscan /opt/zimbra/common/bin/clamscan /opt/zimbra/common/bin/freshclam
rm /opt/zimbra/common/lib/libclamav.so.7 /opt/zimbra/common/lib/libclamunrar.so.7 /opt/zimbra/common/lib/libclamunrar_iface.so.7
rm /opt/zimbra/common/bin/clamd
ln -s /opt/zimbra/clamav/clambc/clambc /opt/zimbra/common/bin/clambc
ln -s /opt/zimbra/clamav/clamconf/clamconf /opt/zimbra/common/bin/clamconf
ln -s /opt/zimbra/clamav/clamdscan/clamdscan /opt/zimbra/common/bin/clamdscan
ln -s /opt/zimbra/clamav/clamscan/clamscan /opt/zimbra/common/bin/clamscan
ln -s /opt/zimbra/clamav/freshclam/freshclam /opt/zimbra/common/bin/freshclam
ln -s /opt/zimbra/clamav/lib/libclamav.so.7.1.1 /opt/zimbra/common/lib/libclamav.so.7
ln -s /opt/zimbra/clamav/lib/libclamunrar.so.7.1.1 /opt/zimbra/common/lib/libclamunrar.so.7
ln -s /opt/zimbra/clamav/lib/libclamunrar_iface.so.7.1.1 /opt/zimbra/common/lib/libclamunrar_iface.so.7
ln -s /opt/zimbra/clamav/clamd/clamd /opt/zimbra/common/sbin/clamd
ln -s /opt/zimbra/conf/clamd.conf /opt/zimbra/clamav/etc/clamd.conf
ln -s /opt/zimbra/conf/freshclam.conf /opt/zimbra/clamav/etc/freshclam.conf
ln -s /opt/zimbra/data/clamav/db /opt/zimbra/clamav/db
su - zimbra
zmcontrol start
zmcontrol status
exit
Good luck :)
User avatar
msquadrat
Advanced member
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: Important security fixes in Clamav 0.99.3

Post by msquadrat »

Thanks for the heads up. I quickly filed [bug]108824[/bug] on this issue. If this isn't picked up by the Zimbra devs you might want to drop an info to security@zimbra.com as described here https://wiki.zimbra.com/wiki/Reporting_ ... _to_Zimbra
syntaxys
Posts: 26
Joined: Sat Sep 13, 2014 12:06 am

Re: Important security fixes in Clamav 0.99.3

Post by syntaxys »

Thanks for the information, I will keep the channels in mind for the future. But since the security holes in old Clamav versions are already exploited, a quick response from postmasters is required. If an update of Clamav is actually not possible, this service should be disabled!

Code: Select all

su - zimbra
zmantivirusctl stop
zmprov ms zimbrahostname -zimbraServiceEnabled antivirus
Andy8515
Posts: 8
Joined: Mon Jan 29, 2018 8:24 pm

Re: Important security fixes in Clamav 0.99.3

Post by Andy8515 »

Thanks syntaxys! Done on CentOS 6.9 and Zimbra 8.8.6.

At first - need to install pcre:

Code: Select all

yum install pcre
All rest is almost same as example for Ubuntu, but need to choose another directory for build (for example "/tmp/clamav"), because "make install" may produce errors.
In "./configure" I added --libdir="/opt/zimbra/clamav/lib", so that installation does not differ from default in Zimbra (or it create lib64 dir).

Code: Select all

 ./configure --prefix=/opt/zimbra/clamav --with-user=zimbra --with-group=zimbra --with-pcre=/usr --libdir=/opt/zimbra/clamav/lib
After install - I copy installation directory "/opt/zimbra/clamav" to /opt/zimbra/clamav-0.99.3 and create symlink.

Code: Select all

cd /opt/zimra/
mv clamav clamav-0.99.3
ln -s ./clamav-0.99.3 ./clamav
Differences in paths to remove old files and create symlinks:
In example:

Code: Select all

rm /opt/zimbra/common/bin/clambc
rm /opt/zimbra/common/bin/clamconf
rm /opt/zimbra/common/bin/clamdscan
rm /opt/zimbra/common/bin/clamscan
rm /opt/zimbra/common/bin/freshclam
rm /opt/zimbra/common/lib/libclamav.so.7
rm /opt/zimbra/common/lib/libclamunrar.so.7
rm /opt/zimbra/common/lib/libclamunrar_iface.so.7
rm /opt/zimbra/common/bin/clamd
ln -s /opt/zimbra/clamav/clambc/clambc /opt/zimbra/common/bin/clambc
ln -s /opt/zimbra/clamav/clamconf/clamconf /opt/zimbra/common/bin/clamconf
ln -s /opt/zimbra/clamav/clamdscan/clamdscan /opt/zimbra/common/bin/clamdscan
ln -s /opt/zimbra/clamav/clamscan/clamscan /opt/zimbra/common/bin/clamscan
ln -s /opt/zimbra/clamav/freshclam/freshclam /opt/zimbra/common/bin/freshclam
ln -s /opt/zimbra/clamav/lib/libclamav.so.7.1.1 /opt/zimbra/common/lib/libclamav.so.7
ln -s /opt/zimbra/clamav/lib/libclamunrar.so.7.1.1 /opt/zimbra/common/lib/libclamunrar.so.7
ln -s /opt/zimbra/clamav/lib/libclamunrar_iface.so.7.1.1 /opt/zimbra/common/lib/libclamunrar_iface.so.7
ln -s /opt/zimbra/clamav/clamd/clamd /opt/zimbra/common/sbin/clamd
ln -s /opt/zimbra/conf/clamd.conf /opt/zimbra/clamav/etc/clamd.conf
ln -s /opt/zimbra/conf/freshclam.conf /opt/zimbra/clamav/etc/freshclam.conf
ln -s /opt/zimbra/data/clamav/db /opt/zimbra/clamav/db
In CentOS 6.9:

Code: Select all

rm /opt/zimbra/common/bin/clambc
rm /opt/zimbra/common/bin/clamconf
rm /opt/zimbra/common/bin/clamdscan
rm /opt/zimbra/common/bin/clamscan
rm /opt/zimbra/common/bin/freshclam
rm /opt/zimbra/common/lib/libclamav.so.7
rm /opt/zimbra/common/lib/libclamunrar.so.7
rm /opt/zimbra/common/lib/libclamunrar_iface.so.7
rm /opt/zimbra/common/sbin/clamd
ln -s /opt/zimbra/clamav/bin/clambc /opt/zimbra/common/bin/clambc
ln -s /opt/zimbra/clamav/bin/clamconf /opt/zimbra/common/bin/clamconf
ln -s /opt/zimbra/clamav/bin/clamdscan /opt/zimbra/common/bin/clamdscan
ln -s /opt/zimbra/clamav/bin/clamscan /opt/zimbra/common/bin/clamscan
ln -s /opt/zimbra/clamav/bin/freshclam /opt/zimbra/common/bin/freshclam
ln -s /opt/zimbra/clamav/lib/libclamav.so.7.1.1 /opt/zimbra/common/lib/libclamav.so.7
ln -s /opt/zimbra/clamav/lib/libclamunrar.so.7.1.1 /opt/zimbra/common/lib/libclamunrar.so.7
ln -s /opt/zimbra/clamav/lib/libclamunrar_iface.so.7.1.1 /opt/zimbra/common/lib/libclamunrar_iface.so.7
ln -s /opt/zimbra/clamav/sbin/clamd /opt/zimbra/common/sbin/clamd
ln -s /opt/zimbra/conf/clamd.conf /opt/zimbra/clamav/etc/clamd.conf
ln -s /opt/zimbra/conf/freshclam.conf /opt/zimbra/clamav/etc/freshclam.conf
ln -s /opt/zimbra/data/clamav/db /opt/zimbra/clamav/db
At rest - all same as in example, provided by syntaxys.

Thanks alot!
JakeMS
Posts: 16
Joined: Tue Sep 09, 2014 4:16 pm

Re: Important security fixes in Clamav 0.99.3

Post by JakeMS »

Well, compiling is indeed one method to fix this yourself :D.

However, if like me you've already got two installations of ClamAV installed (one for Zimbra, one for scanning server itself) then you can easily just tell Zimbra to use your distributions version:

Code: Select all

mv -v /opt/zimbra/common/sbin/clamd /opt/zimbra/common/sbin/clamd.bak
mv -v /opt/zimbra/common/bin/clambc /opt/zimbra/common/bin/clambc.bak
mv -v /opt/zimbra/common/bin/clamconf /opt/zimbra/common/bin/clamconf.bak
mv -v /opt/zimbra/common/bin/clamdscan /opt/zimbra/common/bin/clamdscan.bak
mv -v /opt/zimbra/common/bin/clamscan /opt/zimbra/common/bin/clamscan.bak
mv -v /opt/zimbra/common/bin/freshclam /opt/zimbra/common/bin/freshclam.bak
mv -v /opt/zimbra/common/lib/libclamav.so.7 /opt/zimbra/common/lib/libclamav.so.7.bak
mv -v /opt/zimbra/common/lib/libclamunrar.so.7 /opt/zimbra/common/lib/libclamunrar.so.7.bak
mv -v /opt/zimbra/common/lib/libclamunrar_iface.so.7 /opt/zimbra/common/lib/libclamunrar_iface.so.7.bak

ln -s /usr/sbin/clamd /opt/zimbra/common/sbin/clamd
ln -s /usr/bin/clambc /opt/zimbra/common/bin/clambc
ln -s /usr/bin/clamconf /opt/zimbra/common/bin/clamconf
ln -s /usr/bin/clamdscan /opt/zimbra/common/bin/clamdscan
ln -s /usr/bin/clamscan /opt/zimbra/common/bin/clamscan
ln -s /usr/bin/freshclam /opt/zimbra/common/bin/freshclam
ln -s /usr/lib64/libclamav.so.7 /opt/zimbra/common/lib/libclamav.so.7

# Some versions of ClamAV do not have these files, such as the one from EPEL for licensing reasons, so skip these if they do not exist
ln -s /usr/lib64/libclamunrar.so.7 /opt/zimbra/common/lib/libclamunrar.so.7
ln -s /usr/lib64/libclamunrar_iface.so.7 /opt/zimbra/common/lib/libclamunrar_iface.so.7
Depending on your distro you may have to adjust lib and bin paths :-).

I've done mine using the ClamAV version from EPEL on CentOS 7 x86_64, and everything seems to be running smooth.

You may want to check your logs:

Code: Select all

cat /opt/zimbra/log/clamd.log
Before changes you'll get something like this:

Code: Select all

Fri Feb  2 07:31:01 2018 -> +++ Started at Fri Feb  2 07:31:01 2018
Fri Feb  2 07:31:01 2018 -> Received 0 file descriptor(s) from systemd.
Fri Feb  2 07:31:01 2018 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Fri Feb  2 07:31:01 2018 -> Log file size limited to 20971520 bytes.
Fri Feb  2 07:31:01 2018 -> Reading databases from /opt/zimbra/data/clamav/db
Fri Feb  2 07:31:01 2018 -> Not loading PUA signatures.
Fri Feb  2 07:31:01 2018 -> Bytecode: Security mode set to "TrustSigned".
LibClamAV Warning: Detected duplicate databases /opt/zimbra/data/clamav/db/daily.cvd and /opt/zimbra/data/clamav/db/daily.cld, please manually remove one of them
LibClamAV Warning: Detected duplicate databases /opt/zimbra/data/clamav/db/bytecode.cld and /opt/zimbra/data/clamav/db/bytecode.cvd. The /opt/zimbra/data/clamav/db/bytecode.cld database is older and will not be loaded, you should manually remove it from the database directory.
Fri Feb  2 07:31:05 2018 -> Loaded 4566324 signatures.
Fri Feb  2 07:31:06 2018 -> TCP: Bound to [::1]:3310
Fri Feb  2 07:31:06 2018 -> TCP: Setting connection queue length to 200
Fri Feb  2 07:31:06 2018 -> TCP: Bound to [127.0.0.1]:3310
Fri Feb  2 07:31:06 2018 -> TCP: Setting connection queue length to 200
Fri Feb  2 07:31:06 2018 -> ERROR: TCP: Cannot bind to [127.0.0.1]:3310: Address already in use
ERROR: TCP: Cannot bind to [127.0.0.1]:3310: Address already in use
Fri Feb  2 07:31:06 2018 -> LOCAL: Unix socket file /opt/zimbra/data/clamav/clamav.sock
Fri Feb  2 07:31:06 2018 -> LOCAL: Setting connection queue length to 200
Fri Feb  2 07:31:06 2018 -> Limits: Global size limit set to 256000000 bytes.
Fri Feb  2 07:31:06 2018 -> Limits: File size limit set to 256000000 bytes.
Fri Feb  2 07:31:06 2018 -> Limits: Recursion level limit set to 16.
Fri Feb  2 07:31:06 2018 -> Limits: Files limit set to 10000.
Fri Feb  2 07:31:06 2018 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Fri Feb  2 07:31:06 2018 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Fri Feb  2 07:31:06 2018 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Fri Feb  2 07:31:06 2018 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Fri Feb  2 07:31:06 2018 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Fri Feb  2 07:31:06 2018 -> Limits: MaxPartitions limit set to 50.
Fri Feb  2 07:31:06 2018 -> Limits: MaxIconsPE limit set to 100.
Fri Feb  2 07:31:06 2018 -> Limits: MaxRecHWP3 limit set to 16.
Fri Feb  2 07:31:06 2018 -> Limits: PCREMatchLimit limit set to 10000.
Fri Feb  2 07:31:06 2018 -> Limits: PCRERecMatchLimit limit set to 5000.
Fri Feb  2 07:31:06 2018 -> Limits: PCREMaxFileSize limit set to 26214400.
Fri Feb  2 07:31:06 2018 -> Archive support enabled.
Fri Feb  2 07:31:06 2018 -> Algorithmic detection enabled.
Fri Feb  2 07:31:06 2018 -> Portable Executable support enabled.
Fri Feb  2 07:31:06 2018 -> ELF support enabled.
Fri Feb  2 07:31:06 2018 -> Mail files support enabled.
Fri Feb  2 07:31:06 2018 -> OLE2 support enabled.
Fri Feb  2 07:31:06 2018 -> PDF support enabled.
Fri Feb  2 07:31:06 2018 -> SWF support enabled.
Fri Feb  2 07:31:06 2018 -> HTML support enabled.
Fri Feb  2 07:31:06 2018 -> XMLDOCS support enabled.
Fri Feb  2 07:31:06 2018 -> HWP3 support enabled.
Fri Feb  2 07:31:06 2018 -> Self checking every 600 seconds.
Fri Feb  2 07:36:34 2018 -> Pid file removed.
Fri Feb  2 07:36:34 2018 -> --- Stopped at Fri Feb  2 07:36:34 2018
Fri Feb  2 07:36:34 2018 -> Socket file removed.
After changes your output should look something like this:

Code: Select all

Fri Feb  2 07:58:43 2018 -> +++ Started at Fri Feb  2 07:58:43 2018
Fri Feb  2 07:58:43 2018 -> Received 0 file descriptor(s) from systemd.
Fri Feb  2 07:58:43 2018 -> clamd daemon 0.99.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Fri Feb  2 07:58:43 2018 -> Log file size limited to 20971520 bytes.
Fri Feb  2 07:58:43 2018 -> Reading databases from /opt/zimbra/data/clamav/db
Fri Feb  2 07:58:43 2018 -> Not loading PUA signatures.
Fri Feb  2 07:58:43 2018 -> Bytecode: Security mode set to "TrustSigned".
Fri Feb  2 07:58:50 2018 -> Loaded 6402453 signatures.
Fri Feb  2 07:58:51 2018 -> TCP: Bound to [::1]:3310
Fri Feb  2 07:58:51 2018 -> TCP: Setting connection queue length to 200
Fri Feb  2 07:58:51 2018 -> TCP: Bound to [127.0.0.1]:3310
Fri Feb  2 07:58:51 2018 -> TCP: Setting connection queue length to 200
Fri Feb  2 07:58:51 2018 -> ERROR: TCP: Cannot bind to [127.0.0.1]:3310: Address already in use
ERROR: TCP: Cannot bind to [127.0.0.1]:3310: Address already in use
Fri Feb  2 07:58:51 2018 -> LOCAL: Unix socket file /opt/zimbra/data/clamav/clamav.sock
Fri Feb  2 07:58:51 2018 -> LOCAL: Setting connection queue length to 200
Fri Feb  2 07:58:51 2018 -> Limits: Global size limit set to 256000000 bytes.
Fri Feb  2 07:58:51 2018 -> Limits: File size limit set to 256000000 bytes.
Fri Feb  2 07:58:51 2018 -> Limits: Recursion level limit set to 16.
Fri Feb  2 07:58:51 2018 -> Limits: Files limit set to 10000.
Fri Feb  2 07:58:51 2018 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Fri Feb  2 07:58:51 2018 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Fri Feb  2 07:58:51 2018 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Fri Feb  2 07:58:51 2018 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Fri Feb  2 07:58:51 2018 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Fri Feb  2 07:58:51 2018 -> Limits: MaxPartitions limit set to 50.
Fri Feb  2 07:58:51 2018 -> Limits: MaxIconsPE limit set to 100.
Fri Feb  2 07:58:51 2018 -> Limits: MaxRecHWP3 limit set to 16.
Fri Feb  2 07:58:51 2018 -> Limits: PCREMatchLimit limit set to 10000.
Fri Feb  2 07:58:51 2018 -> Limits: PCRERecMatchLimit limit set to 5000.
Fri Feb  2 07:58:51 2018 -> Limits: PCREMaxFileSize limit set to 26214400.
Fri Feb  2 07:58:51 2018 -> Archive support enabled.
Fri Feb  2 07:58:51 2018 -> Algorithmic detection enabled.
Fri Feb  2 07:58:51 2018 -> Portable Executable support enabled.
Fri Feb  2 07:58:51 2018 -> ELF support enabled.
Fri Feb  2 07:58:51 2018 -> Mail files support enabled.
Fri Feb  2 07:58:51 2018 -> OLE2 support enabled.
Fri Feb  2 07:58:51 2018 -> PDF support enabled.
Fri Feb  2 07:58:51 2018 -> SWF support enabled.
Fri Feb  2 07:58:51 2018 -> HTML support enabled.
Fri Feb  2 07:58:51 2018 -> XMLDOCS support enabled.
Fri Feb  2 07:58:51 2018 -> HWP3 support enabled.
Fri Feb  2 07:58:51 2018 -> Self checking every 600 seconds.
Post Reply