[clamav-users] Database updated over unencrypted connection?

Paul Kosinski clamav-users at iment.com
Sun Mar 17 21:24:41 EDT 2019

Looking at the PiperMail thread about how ClamAV verifies CVD
signatures, I see two things that concern me.

First, it says it uses "an implementation of RSA inspired by
http://www.erikyyy.de/yyyRSA/". How well has this implementation been
vetted? I'm not a crypto expert (by any means), but people like Bruce
Schneier stress that doing crypto right is difficult, and that there
are many possibilities for subtle errors that cause the encryption to
be weak. Witness the non-random seed that turned up in Debian a few
years ago, or the recent Elliptic Curve "scandal".

Second, if the decryption key is baked in to ClamAV, what protocol is
there to update it in case the encryption key is compromised? I presume
it would require a ClamAV software update, but such an update would be
critical, and the current out-of-date notice wouldn't cut it. In fact
the fake CVD might even lie about the need for a software update.

I'm not saying that HTTPS would answer these questions, but perhaps a
more robust security model would be desirable.

On Fri, 15 Mar 2019 16:47:02 +0100
Arnaud Jacques <webmaster at securiteinfo.com> wrote:

> Hello,
> On 15/03/2019 at 16:04, instaham--- via clamav-users wrote:
> > Leonardo Rodrigues wrote:
> >>     the databases are digitally signed, and any modification, such
> >> as in a man-in-the-middle attack, would break the signature and
> >> freshclam would refuse to run the files.
> >
> > Sounds good. Can you please explain how this works in detail?
> >
> > Apt places GPG keys in the system and uses them to verify
> > downloaded data.
> >
> > It doesn't seem that ClamAV placed any GPG keys in my system. So
> > how is the verification happening?
> Read on 
> https://lists.clamav.net/pipermail/clamav-users/2018-October/007053.html :
> "
> The .cvd files have an internal cryptographic signature that's
> checked by freshclam and clamd/clamscan.  If freshclam and/or clamd
> accepts the files, you can be assured they are official and
> unmodified.  This is built into clam; no external tools are called.
> "
> Btw, it is working for official signatures. 3rd party signatures
> provide hash based checksum files.
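
The check discussed in this thread (a signature embedded in the .cvd header and verified against a key shipped with the client), sketched as an added example that is not part of the original post and is not ClamAV's code. It models the 512-byte colon-separated CVD header with its MD5 and signature fields; the demo key, the hex encoding of the signature field and the unpadded RSA are assumptions made for illustration, not ClamAV's real key or encoding.

```python
import hashlib

HEADER_LEN = 512  # a CVD begins with a fixed-size, space-padded text header

# Constructed demo key built from two Mersenne primes. NOT ClamAV's real key.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q                              # public modulus, shipped inside the client
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, publisher side only


def make_header(body: bytes, sig: int) -> bytes:
    """Fields: magic, time, version, sigs, flevel, MD5, dsig, builder, stime."""
    fields = ["ClamAV-VDB", "17 Mar 2019 21-24 -0400", "1", "2", "63",
              hashlib.md5(body).hexdigest(), format(sig, "x"), "demo", "0"]
    return ":".join(fields).encode("ascii").ljust(HEADER_LEN)


def build_cvd(body: bytes) -> bytes:
    """Publisher side: sign the body's MD5 digest and embed it in the header."""
    digest = int(hashlib.md5(body).hexdigest(), 16)
    return make_header(body, pow(digest, D, N)) + body  # textbook RSA, demo only


def verify_cvd(blob: bytes) -> str:
    """Client side: return "ok" or the reason the file is rejected."""
    if len(blob) < HEADER_LEN:
        return "truncated"
    fields = blob[:HEADER_LEN].decode("ascii", "replace").rstrip().split(":")
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":
        return "malformed header"
    try:
        claimed, sig = int(fields[5], 16), int(fields[6], 16)
    except ValueError:
        return "malformed header"
    if int(hashlib.md5(blob[HEADER_LEN:]).hexdigest(), 16) != claimed:
        return "digest mismatch"       # body changed, header left alone
    if pow(sig, E, N) != claimed:
        return "bad signature"         # header digest rewritten without the key
    return "ok"


if __name__ == "__main__":
    good = build_cvd(b"Sig.One:0:*:deadbeef\nSig.Two:0:*:cafebabe\n")
    print(verify_cvd(good))                                       # ok
    print(verify_cvd(good[:-1] + b"X"))                           # digest mismatch
    old_sig = int(good[:HEADER_LEN].decode().split(":")[6], 16)
    new_body = b"Sig.One:0:*:00\n"
    print(verify_cvd(make_header(new_body, old_sig) + new_body))  # bad signature
```

The third case is the one the transport does not matter for: whoever alters the file in transit can recompute the digest field but cannot produce a signature that verifies under N. It also shows why the second concern above matters, since everything rests on N being trustworthy and replaceable.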
